Analysis
Max time kernel: 592s
Max time network: 544s
Platform: windows10-2004_x64
Resource: win10v2004-20240508-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 12/06/2024, 18:33
Static task: static1
Behavioral task: behavioral1 (Sample: Setup.exe; Resource: win7-20240419-en)
Behavioral task: behavioral2 (Sample: Setup.exe; Resource: win10v2004-20240508-en)
General
Target: Setup.exe
Size: 9.8MB
MD5: 2cf71e22becf0ef89a881838c6421d21
SHA1: ff0a5c9c614ac65730bea453b2a8f5d1295c909f
SHA256: 05b5395c452dc7f18e98d029111b2e93b53b342af75e701f0bd301cc7dac2d9f
SHA512: fec7aa9d3091a9531a37ee3ae504635088eb5225068f9e8dc9765fe71da35ec3627cb3eb27bb0ce76f7dec593f73a46e7a347420729a0283a4036191bcef1ef1
SSDEEP: 196608:bhHh86KKAqxihfpkLwngFdk6yjFPMHeDuEiwSKjTrNCFc:dHb1AthfpUqlF2eL5S0Nyc
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | Setup.tmp

Executes dropped EXE (2 IoCs)
pid | Process
4516 | Setup.tmp
912 | Setup.tmp

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
912 | Setup.tmp
912 | Setup.tmp

Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 5104 wrote to memory of 4516 | 5104 | Setup.exe | 81
PID 5104 wrote to memory of 4516 | 5104 | Setup.exe | 81
PID 5104 wrote to memory of 4516 | 5104 | Setup.exe | 81
PID 4516 wrote to memory of 1536 | 4516 | Setup.tmp | 82
PID 4516 wrote to memory of 1536 | 4516 | Setup.tmp | 82
PID 4516 wrote to memory of 1536 | 4516 | Setup.tmp | 82
PID 1536 wrote to memory of 912 | 1536 | Setup.exe | 83
PID 1536 wrote to memory of 912 | 1536 | Setup.exe | 83
PID 1536 wrote to memory of 912 | 1536 | Setup.exe | 83
Processes
1. C:\Users\Admin\AppData\Local\Temp\Setup.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
   PID: 5104
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\is-2Q5MG.tmp\Setup.tmp
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-2Q5MG.tmp\Setup.tmp" /SL5="$6017A,791552,0,C:\Users\Admin\AppData\Local\Temp\Setup.exe"
      PID: 4516
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\Setup.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\Setup.exe" /VERYSILENT
         PID: 1536
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Local\Temp\is-7GRM2.tmp\Setup.tmp
            Command line: "C:\Users\Admin\AppData\Local\Temp\is-7GRM2.tmp\Setup.tmp" /SL5="$7017A,791552,0,C:\Users\Admin\AppData\Local\Temp\Setup.exe" /VERYSILENT
            PID: 912
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3.0MB
MD5: 31c0e65dc89f93a59b404edec82218ad
SHA1: 3ed86b50d2ec5c276f5f4e0f8d6ddd51f97c1e24
SHA256: 0a64b5242f45bb147c607301b49f4c71380d5d9e56e3cf30ae9742681f0988c3
SHA512: 74e9e7c7eec1dcdb282601e8d4c21bdb7d2ea212f8aa51dcec5d60aa16b713e6ba10ec8f292258b0e742c0c3dcd8aaf05fcb5a6b6eea649740247a86df1725fa