Analysis
-
max time kernel
117s
-
max time network
119s
-
platform
windows7_x64
-
resource
win7-20240704-en
-
resource tags
arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system
-
submitted
10-07-2024 19:47
Static task
static1
Behavioral task
behavioral1
Sample
##!!SetUp_2244_Pa$sW0rd$$!!/Setup.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
##!!SetUp_2244_Pa$sW0rd$$!!/Setup.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral3
Sample
##!!SetUp_2244_Pa$sW0rd$$!!/Setup.exe
Resource
win11-20240709-en
General
-
Target
##!!SetUp_2244_Pa$sW0rd$$!!/Setup.exe
-
Size
5.8MB
-
MD5
c43099511811f8671ec857d05031d3bc
-
SHA1
6804ff5dd674c4b923a3130dff991695316d682d
-
SHA256
06d7c8db750907fb33f1c65212750c1a699dfcb78e2ff65c99e3ab40790b58ac
-
SHA512
eee426dd85bfde98553e0d439587b948cf5532479de2c43ef2e6ec98c14e623d03903c60e056627f0c9551f9563567178f249f0c580de26f7591513c5efb8073
-
SSDEEP
98304:bp4ssheeWLUbdF4+qtMSsFISWnNoyF9Vy/Yez+32efVjPCANwlwV34jJuKYVLH7F:bpDshe2b/hqtMSsFILj9ACpfVjPbN2wp
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
pid   Process
1872  iTopDataRecovery.exe
2564  iTopDataRecovery.exe
-
Loads dropped DLL 20 IoCs
Processes:
pid   Process               DLL load events
2156  Setup.exe             1
1872  iTopDataRecovery.exe  10
2564  iTopDataRecovery.exe  9
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description                          pid   Process               procid_target
PID 2564 set thread context of 2484  2564  iTopDataRecovery.exe  30
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
pid   Process               events
1872  iTopDataRecovery.exe  1
2564  iTopDataRecovery.exe  2
2484  more.com              2
-
Suspicious behavior: MapViewOfSection 2 IoCs
Processes:
pid   Process
2564  iTopDataRecovery.exe
2484  more.com
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
description                       pid   Process               procid_target  events
PID 2156 wrote to memory of 1872  2156  Setup.exe             28             4
PID 1872 wrote to memory of 2564  1872  iTopDataRecovery.exe  29             4
PID 2564 wrote to memory of 2484  2564  iTopDataRecovery.exe  30             5
PID 2484 wrote to memory of 1752  2484  more.com              34             5
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\##!!SetUp_2244_Pa$sW0rd$$!!\Setup.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\##!!SetUp_2244_Pa$sW0rd$$!!\Setup.exe"
    PID: 2156
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    [2] C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe"
        PID: 1872
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe
            Command line: C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe
            PID: 2564
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\SysWOW64\more.com
                Command line: C:\Windows\SysWOW64\more.com
                PID: 2484
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious behavior: MapViewOfSection
                - Suspicious use of WriteProcessMemory
                [5] C:\Windows\SysWOW64\SearchIndexer.exe
                    Command line: C:\Windows\SysWOW64\SearchIndexer.exe
                    PID: 1752
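The process tree and the WriteProcessMemory / SetThreadContext signature rows above describe a chain in which a binary running from a user-writable path (AppData\Roaming\SGP) writes into and resets the thread context of a freshly spawned Windows system binary (more.com), which in turn writes into SearchIndexer.exe. The script below is an added example, not part of the sandbox report or its tooling: it parses rows in the report's own wording, rebuilds the lineage, and flags that shape. The process table and signature rows are transcribed from this report; the finding names (thread_context_hijack, system_binary_host, injection_chain_continues) and the path heuristics are this example's own assumptions.

```python
"""
Added example: rebuild the cross-process write / thread-context chain from a
sandbox report's signature rows and flag the injection-into-system-binary
pattern. Input data is transcribed from the report; rules are assumptions.
"""
import re
from collections import defaultdict

# pid -> (parent pid, image path), following the nesting of the Processes tree.
PROCESSES = {
    2156: (None, "C:\\Users\\Admin\\AppData\\Local\\Temp\\##!!SetUp_2244_Pa$sW0rd$$!!\\Setup.exe"),
    1872: (2156, "C:\\Users\\Admin\\AppData\\Local\\Temp\\iTopDataRecovery.exe"),
    2564: (1872, "C:\\Users\\Admin\\AppData\\Roaming\\SGP\\iTopDataRecovery.exe"),
    2484: (2564, "C:\\Windows\\SysWOW64\\more.com"),
    1752: (2484, "C:\\Windows\\SysWOW64\\SearchIndexer.exe"),
}

# One representative row per distinct (source, target) pair, in the report's
# wording; the report repeats each WriteProcessMemory row several times.
SIGNATURE_ROWS = """
PID 2156 wrote to memory of 1872 2156 Setup.exe 28
PID 1872 wrote to memory of 2564 1872 iTopDataRecovery.exe 29
PID 2564 wrote to memory of 2484 2564 iTopDataRecovery.exe 30
PID 2484 wrote to memory of 1752 2484 more.com 34
PID 2564 set thread context of 2484 2564 iTopDataRecovery.exe 30
""".strip().splitlines()

ROW_RE = re.compile(r"^PID (\d+) (wrote to memory of|set thread context of) (\d+)\b")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")   # assumed
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\")   # assumed


def parse_rows(rows):
    """Map (src_pid, dst_pid) -> set of API names seen between that pair."""
    edges = defaultdict(set)
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            continue  # header or malformed line: skip rather than guess
        src, verb, dst = int(m.group(1)), m.group(2), int(m.group(3))
        edges[(src, dst)].add("WriteProcessMemory" if verb.startswith("wrote") else "SetThreadContext")
    return edges


def is_system_binary(path):
    return path.lower().startswith(SYSTEM_DIRS)


def is_user_writable(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def lineage(processes, pid):
    """Root-to-pid chain of pids, walking parent links."""
    chain = []
    while pid is not None:
        chain.append(pid)
        pid = processes[pid][0]
    return chain[::-1]


def analyze(processes, rows):
    edges = parse_rows(rows)
    findings, injected = [], set()
    # Pass 1: write + thread-context reset, or a user-writable image writing
    # into a system binary, marks the target as an injection host.
    for (src, dst), apis in sorted(edges.items()):
        src_img, dst_img = processes[src][1], processes[dst][1]
        if {"WriteProcessMemory", "SetThreadContext"} <= apis:
            findings.append({"kind": "thread_context_hijack", "src": src, "dst": dst, "apis": sorted(apis)})
            injected.add(dst)
        if is_user_writable(src_img) and is_system_binary(dst_img):
            findings.append({"kind": "system_binary_host", "src": src, "dst": dst, "host": dst_img})
            injected.add(dst)
    # Pass 2: an already-injected host writing into another system process.
    for (src, dst), apis in sorted(edges.items()):
        if src in injected and dst not in injected and is_system_binary(processes[dst][1]):
            findings.append({"kind": "injection_chain_continues", "src": src, "dst": dst})
    return {"lineage": {pid: lineage(processes, pid) for pid in processes}, "findings": findings}


if __name__ == "__main__":
    result = analyze(PROCESSES, SIGNATURE_ROWS)
    print(" -> ".join(PROCESSES[p][1].rsplit("\\", 1)[-1] for p in result["lineage"][1752]))
    for finding in result["findings"]:
        print(finding)
```

The parent-to-child WriteProcessMemory rows (2156 into 1872, 1872 into 2564) are not flagged on their own, since a launcher writing into a child it just created is also what many legitimate installers do; the signal here is the target image (a Windows binary under SysWOW64) combined with SetThreadContext from a non-system path. Note that the SetThreadContext row's last column (30) is the sandbox's procid_target index, not the PID, so the parser takes the target PID from the description text.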
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1.1MB
MD5 45aa5e81fd75c7a776fbe51deb2ac9e5
SHA1 d031c134a8ef66e97828c6b09b5325346e386af9
SHA256 3da6d99b5081b38e745700b8df7ce77570483c248e6199eb4e3c65bdd5323507
SHA512 a84a867aeca86c216f00d364362f2c926625d754eb7bfbfb28c21b98dde97e51b2e611a87ac8b27e4346de7ec8f9e7f1d7235bca081e0bcc70c9860ca7f7fe28
-
Filesize
62KB
MD5 9424382dbaeb4890c9c1a52fc90f712a
SHA1 6f4d7fe82fbd617b7bea45e9f18a195ebfbd3042
SHA256 7ae3088de2f2b20ef4644b42d2ba4f55e29861bfeb19960a5ada00e621a77168
SHA512 138b16a0ae8b5af42dd805a01b60737bdefe9445a699a7dbd7967a25d0e6284e66866695575f670167d324d9f60960c9b8c99588bcb41a77c9e699048c2bf949
-
Filesize
75KB
MD5 626dd52ec6cf2e1e00948586b649cb2a
SHA1 b8aaee43554ec9eb6d0d05a81cf186b330390745
SHA256 4696b31b9efef6eb60464d0a18abc398338f3616d7189dbd8555937cb85645fd
SHA512 e1e3537d9782cb344bc9925fcea42ffc8125a753caaf713c1fdd521cda36a0513ac89634b3de93ed732557a5649ef3eac2fc9f365bdefdc615d466275788883b
-
Filesize
209KB
MD5 dc6655a38ffdc3c349f13828fc8ec36e
SHA1 95db71ef7bff8c16ce955c760292bad9f09bb06d
SHA256 16126ff5daa3787a159cf4a39aa040b8050ebb66ab90dbb97c503110ef72824a
SHA512 84b85f2aaad773cbe039022db3d0c35263343243f0d021d7aa3086904b80dd309e6d2a93613cc774b5db27335f4d2850151e2bc8f4648b0065f66bd3722c3d69
-
Filesize
61KB
MD5 84bc072f8ea30746f0982afbda3c638f
SHA1 f39343933ff3fc7934814d6d3b7b098bc92540a0
SHA256 52019f47f96ca868fa4e747c3b99cba1b7aa57317bf8ebf9fcbf09aa576fe006
SHA512 6e7648194738e8e49e48c2450eef1d482473cd4e5c0e83f292ac9174488f3f22a3b6ba96f07e024c2ab96613d9db1a97084ca0b3973ed5d88502e0d28e120ef5
-
Filesize
435KB
MD5 21068dfd733435c866312d35b9432733
SHA1 3d5336c676d3dd94500d0d2fe853b9de457f10fd
SHA256 835f1141ece59c36b18e76927572d229136aeb12eff44cb4ba98d7808257c299
SHA512 54664a9e60e5a0b148fc4684125b7eac9cfc57d0bc5838204ed587d62e44c3347c0bae3192d5c375b6a74335b4fed4fc53248ba542c59022e9761872e09e3ee7
-
Filesize
4.3MB
MD5 65a63bd3e6c4ce54299bf494582304f3
SHA1 e6f63f69388dd5a3cda90403711b78fe5c667981
SHA256 5b8d7269ed5ca414208ff017f52ee65f14d4d8a707a39a7dc3f9879c0c0ce335
SHA512 f8ff930aa55222478967b7865465c3f75138b9ff172fdcc1aab47a0172641c5a790e73b5d98bf47fc772002437ad2153846dec626e020408c8d6daee0c630b59
-
Filesize
851KB
MD5 3456f0fe789f38cf5d58b359ac1e8727
SHA1 5b39e9e71a07102036386bdd0651dcc267400723
SHA256 c6e43d099efea12aabe41fdfe7c6201c94b44fe79fa3d802944e30c019e29e65
SHA512 bc2c941019d27f0b2bee5be1ecf5e497c546f9862cc615e18b7ea8fff799bfdaeec2bc05cb17035f44fb1dde16899f21ea9a129a0c3a22a83200d6697c4b4aed
-
Filesize
1.9MB
MD5 849070ebd34cbaedc525599d6c3f8914
SHA1 b0543d13f4d0cb787abdaaf1d3c9a5af17c87afa
SHA256 b6f321a48812dc922b26953020c9a60949ec429a921033cfaf1e9f7d088ee628
SHA512 f2ca685b01be9d1b77d8d924e0097ddacee7628cc1aad8a87d8b18a699558d38a7851e6cff8bb2b8ae1980824588af5c3ac75b7b4198b620144dff61611f3aeb
-
Filesize
4.0MB
MD5 95387cc85dacad60b3e10665b43602e6
SHA1 d9aafd45fe3ad10d28716d6289fe76b4fdce1869
SHA256 3c317dbab70d3ab4fce944c92532d111f69fd71dca5c7f7c7b8d57e657f26a1a
SHA512 82cb0983739a76d15beacbc50f1bf7fa5cca1650b18444c204a3e6a6656aaba5ac94341fa394aaad78b3ff2d51f17c6623f0a882692881d6506af5dae544a02b
-
Filesize
278KB
MD5 f65c3b116281fd23e5748ad73e9501cf
SHA1 ebda8a741833c4fcbfcb72591a7c173d69a01ebd
SHA256 eb48e0e36be7b0a89a0b8cc129a3b004a8525e5f60445e5ca48a7810d9d93725
SHA512 78ec4ade61c6abf87283d5858ffe119e10d119bcaa2c678d20cb7d45bb1d244a9aaf70b50ab365509b615e7323081292bae156d665a471990863c83a8b233cbc
-
Filesize
1.1MB
MD5 630991830afe0b969bd0995e697ab16e
SHA1 feda243d83fba15b23d654513dc1f0d70787ba18
SHA256 b1fcb0339b9ef4860bb1ed1e5ba0e148321be64696af64f3b1643d1311028cb3
SHA512 2f2bf30be615f44e56ecca972a9fcbe27187045e13c468d039645e5cc6d01f990cde32b322965f245bc8fccfd0920f09a0afa1d4de0748ed01dd9ffc1bd24692
-
Filesize
220KB
MD5 7daa2b7fe529b45101a399b5ebf0a416
SHA1 fd73f3561d0cebe341a6c380681fb08841fa5ce6
SHA256 2bdf023c439010ce0a786ec75d943a80a8f01363712bbf69afc29d3e2b5306ed
SHA512 8e9ec71943c412fe95563e488d91e6ef0041c16a08654ff14b11953f134007657d1e6ec95952f6b9c8b8567a35368840618db06e5cd99abc43ae495a3fbc6b96