71d5519808acc096442cfe563f176726faed6ec7ffef19694c09597dc3f33e7c

Analysis

max time kernel
138s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
23-06-2024 02:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

783.9MB
MD5

19eea7f3029f18151248d8b9da4a7dc8
SHA1

27ef2f1d259d6e0dc46b7d9d5c6b536aa375ee66
SHA256

5480c04777da228035aa559b44ada97522ad74fec8ccce7ceb68aecb5037c713
SHA512

1f82f9d66b7d82658da3c013087b6a556276f11ae9e9e4de086f8b6abfbc483b4f23bbfae0ee1b7fb107a5db425e912219cae8943e6de0992a52e2e86f1665e9
SSDEEP

98304:H0GY5U8qanZoRgrR7OzJEKMxoi1JuwendJHlc24euTPCTGrQl:HrY5DqS4gEzJEKMDjLadjLGrQl

Score

10^/10

evasion

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules\C:\ = "1"	setup.exe

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
26	api.myip.com
27	api.myip.com
28	ipinfo.io
29	ipinfo.io

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	setup.exe
File opened for modification	C:\Windows\System32\GroupPolicy	setup.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	setup.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	setup.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3428	setup.exe
3428	setup.exe

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Modifies firewall policy service
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:3428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3896,i,11049150160560877369,2866371920339304689,262144 --variations-seed-version --mojo-platform-channel-handle=3376 /prefetch:8
1⤵
PID:2764

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:3972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:3920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
memory/3428-0-0x00007FF6CD696000-0x00007FF6CD8A8000-memory.dmp

Filesize
2.1MB

Download
memory/3428-1-0x00007FFC97770000-0x00007FFC97772000-memory.dmp

Filesize
8KB

Download
memory/3428-6-0x00007FF6CD530000-0x00007FF6CDCD3000-memory.dmp

Filesize
7.6MB

Download
memory/3428-14-0x00007FF6CD696000-0x00007FF6CD8A8000-memory.dmp

Filesize
2.1MB

Download
memory/3428-15-0x00007FF6CD530000-0x00007FF6CDCD3000-memory.dmp

Filesize
7.6MB

Download