Resubmissions
- 09-07-2024 23:06  240709-23vv8stamd  (score 5)
- 09-07-2024 23:05  240709-223vfs1erp  (score 5)
- 09-07-2024 22:37  240709-2jv2wszepm  (score 10)
Analysis
- max time kernel: 36s
- max time network: 18s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 09-07-2024 23:06
Static task
- static1
Behavioral tasks
- behavioral1: sample !ŞetUp_64851--#PaSꞨKḙy#$$/Setup.exe, resource win7-20240708-en
- behavioral2: sample !ŞetUp_64851--#PaSꞨKḙy#$$/Setup.exe, resource win10v2004-20240709-en
- behavioral3: sample !ŞetUp_64851--#PaSꞨKḙy#$$/tak_deco_lib.dll, resource win7-20240704-en
- behavioral4: sample !ŞetUp_64851--#PaSꞨKḙy#$$/tak_deco_lib.dll, resource win10v2004-20240709-en
General
- Target: !ŞetUp_64851--#PaSꞨKḙy#$$/Setup.exe
- Size: 12.0MB
- MD5: a7118dffeac3772076f1a39a364d608d
- SHA1: 6b984d9446f23579e154ec47437b9cf820fd6b67
- SHA256: f1973746ac0a703b23526f68c639436f0b26b0bc71c4f5adf36dc5f6e8a7f4d0
- SHA512: f547c13b78acda9ca0523f0f8cd966c906f70a23a266ac86156dc7e17e6349e5f506366787e7a7823e2b07b0d614c9bd08e34ca5cc4f48799b0fe36ac836e890
- SSDEEP: 98304:ReAtQzKADvk/9TEaImN9/tiHBIn8c3hCEFRUTaZnPZOtXwH:ReAOWOM/FE1mNHiFc3hr7UTaZnhOtXwH
Malware Config
Signatures
- Suspicious use of SetThreadContext (1 IoC)
  PID 2784 Setup.exe set thread context of PID 2776 (procid_target 30)
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID 2784 Setup.exe (2 hits); PID 2776 more.com (2 hits)
- Suspicious behavior: MapViewOfSection (2 IoCs)
  PID 2784 Setup.exe; PID 2776 more.com
- Suspicious use of WriteProcessMemory (10 IoCs)
  PID 2784 Setup.exe wrote to memory of PID 2776 (procid_target 30), 5 hits
  PID 2776 more.com wrote to memory of PID 2804 (procid_target 32), 5 hits
Processes
- C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe  (PID 2784)
  command line: "C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe"
  signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\more.com  (PID 2776, child of 2784)
    command line: C:\Windows\SysWOW64\more.com
    signatures: Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\SearchIndexer.exe  (PID 2804, child of 2776)
      command line: C:\Windows\SysWOW64\SearchIndexer.exe
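The chain recorded above (a dropper running from the user's Temp directory writing into and redirecting a thread of the Windows utility more.com, which in turn writes into SearchIndexer.exe) is the pattern a detection engineer would key on. The following is an added example, not part of this Triage report and not the sandbox's own signature code: a Python re-check over records constructed by hand from the report's Processes and Signatures sections. The path lists and severity thresholds are assumptions chosen for illustration.

```python
# Added example, not part of the Triage report: a detection-engineering
# re-check of the injection chain the Signatures and Processes sections
# describe. All records below are constructed by hand from those sections.
from collections import defaultdict

# Process tree from the report: pid -> image path and parent pid.
PROCESSES = {
    2784: {"image": r"C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe",
           "ppid": None},
    2776: {"image": r"C:\Windows\SysWOW64\more.com", "ppid": 2784},
    2804: {"image": r"C:\Windows\SysWOW64\SearchIndexer.exe", "ppid": 2776},
}

# Cross-process API events (api, caller pid, target pid) as listed under Signatures.
EVENTS = (
    [("WriteProcessMemory", 2784, 2776)] * 5
    + [("SetThreadContext", 2784, 2776)]
    + [("WriteProcessMemory", 2776, 2804)] * 5
)

# Path heuristics (assumed lists, extend as needed): where droppers usually
# run from, and where the Windows binaries abused as hollowing hosts live.
USER_WRITABLE = (r"\appdata\local\temp", r"\appdata\roaming", r"\users\public", r"\programdata")
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def is_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def is_system_binary(path):
    return path.lower().startswith(SYSTEM_DIRS)


def find_injection_chains(events, processes):
    """Group cross-process calls by (caller, target) and score each pair.

    A remote write followed by SetThreadContext on the same target is the
    classic hollowing / thread-hijack sequence; a caller that was itself
    injected into marks the second hop of a chain.
    """
    calls = defaultdict(set)
    for api, caller, target in events:
        if caller != target:
            calls[(caller, target)].add(api)

    # Processes whose thread context was rewritten by another process.
    hollowed = {target for (_, target), apis in calls.items() if "SetThreadContext" in apis}

    findings = []
    for (caller, target), apis in sorted(calls.items()):
        c_img = processes[caller]["image"]
        t_img = processes[target]["image"]
        reasons = []
        hollowing = "WriteProcessMemory" in apis and "SetThreadContext" in apis
        if hollowing:
            reasons.append("remote write plus SetThreadContext (hollowing pattern)")
        elif "WriteProcessMemory" in apis:
            reasons.append("remote memory write")
        if is_user_writable(c_img) and is_system_binary(t_img):
            reasons.append("caller in user-writable dir, target is a Windows system binary")
        if processes[target]["ppid"] == caller:
            reasons.append("target is the caller's own child (consistent with a suspended start)")
        if caller in hollowed:
            reasons.append("caller was previously injected into (second hop of chain)")

        if hollowing and (is_user_writable(c_img) or is_system_binary(t_img)):
            severity = "high"
        elif reasons:
            severity = "medium"
        else:
            severity = "low"
        findings.append({"caller": caller, "target": target, "apis": sorted(apis),
                         "reasons": reasons, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in find_injection_chains(EVENTS, PROCESSES):
        print(f"[{f['severity']}] {f['caller']} -> {f['target']}: {', '.join(f['apis'])}")
        for r in f["reasons"]:
            print("    -", r)
```

Run stand-alone it reports the Setup.exe to more.com pair as high (write plus SetThreadContext from a Temp path into a SysWOW64 binary that is also its own child) and the more.com to SearchIndexer.exe pair as medium, flagged because the caller had itself just been injected into. The second hop is the one a rule keyed only on "unsigned parent" would miss, since more.com is a legitimate Windows binary.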
Network
MITRE ATT&CK Matrix
Downloads
-
- Filesize: 992KB
- MD5: 946e6bb05a622c159a4b0dc1129938d4
- SHA1: 14305f4b8196aa9d3a7a028c69f85e1eb6e40eac
- SHA256: 8980a7de0a12e800a46b248b67e62473b8da1d67a341651eb983f5ad09f97194
- SHA512: 20b9505393cf40aa3cadd1fd46ce58f0b4ff50e614feae144f95a3e92fd51f08f983511c0870c91f4d07d32def056699d9fcfefc831a7083ac08d2f7d5663594