Analysis
- max time kernel: 592s
- max time network: 360s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 12/06/2024, 18:33
- Static task: static1
- Behavioral task: behavioral1 (Sample: Setup.exe; Resource: win7-20240419-en)
- Behavioral task: behavioral2 (Sample: Setup.exe; Resource: win10v2004-20240508-en)
General
- Target: Setup.exe
- Size: 9.8MB
- MD5: 2cf71e22becf0ef89a881838c6421d21
- SHA1: ff0a5c9c614ac65730bea453b2a8f5d1295c909f
- SHA256: 05b5395c452dc7f18e98d029111b2e93b53b342af75e701f0bd301cc7dac2d9f
- SHA512: fec7aa9d3091a9531a37ee3ae504635088eb5225068f9e8dc9765fe71da35ec3627cb3eb27bb0ce76f7dec593f73a46e7a347420729a0283a4036191bcef1ef1
- SSDEEP: 196608:bhHh86KKAqxihfpkLwngFdk6yjFPMHeDuEiwSKjTrNCFc:dHb1AthfpUqlF2eL5S0Nyc
Malware Config
Signatures
- Executes dropped EXE (2 IoCs): pid 2368 Setup.tmp; pid 1264 Setup.tmp
- Loads dropped DLL (2 IoCs): pid 2172 Setup.exe; pid 2548 Setup.exe
- Enumerates physical storage devices (1 TTP): attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (2 IoCs): pid 1264 Setup.tmp (two events)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC): pid 1264 Setup.tmp
- Suspicious use of WriteProcessMemory (21 IoCs; columns: description, pid, Process, procid_target):
  - PID 2172 wrote to memory of 2368; pid 2172; Setup.exe; procid_target 28 (7 events)
  - PID 2368 wrote to memory of 2548; pid 2368; Setup.tmp; procid_target 29 (7 events)
  - PID 2548 wrote to memory of 1264; pid 2548; Setup.exe; procid_target 30 (7 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\Setup.exe (PID 2172, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\is-OE19M.tmp\Setup.tmp (PID 2368, depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-OE19M.tmp\Setup.tmp" /SL5="$50126,791552,0,C:\Users\Admin\AppData\Local\Temp\Setup.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\Setup.exe (PID 2548, depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Setup.exe" /VERYSILENT
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\is-54LQO.tmp\Setup.tmp (PID 1264, depth 4)
        Command line: "C:\Users\Admin\AppData\Local\Temp\is-54LQO.tmp\Setup.tmp" /SL5="$80120,791552,0,C:\Users\Admin\AppData\Local\Temp\Setup.exe" /VERYSILENT
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 3.0MB
- MD5: 31c0e65dc89f93a59b404edec82218ad
- SHA1: 3ed86b50d2ec5c276f5f4e0f8d6ddd51f97c1e24
- SHA256: 0a64b5242f45bb147c607301b49f4c71380d5d9e56e3cf30ae9742681f0988c3
- SHA512: 74e9e7c7eec1dcdb282601e8d4c21bdb7d2ea212f8aa51dcec5d60aa16b713e6ba10ec8f292258b0e742c0c3dcd8aaf05fcb5a6b6eea649740247a86df1725fa