Analysis

  • max time kernel
    117s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    10-07-2024 19:47

General

  • Target

    ##!!SetUp_2244_Pa$sW0rd$$!!/Setup.exe

  • Size

    5.8MB

  • MD5

    c43099511811f8671ec857d05031d3bc

  • SHA1

    6804ff5dd674c4b923a3130dff991695316d682d

  • SHA256

    06d7c8db750907fb33f1c65212750c1a699dfcb78e2ff65c99e3ab40790b58ac

  • SHA512

    eee426dd85bfde98553e0d439587b948cf5532479de2c43ef2e6ec98c14e623d03903c60e056627f0c9551f9563567178f249f0c580de26f7591513c5efb8073

  • SSDEEP

    98304:bp4ssheeWLUbdF4+qtMSsFISWnNoyF9Vy/Yez+32efVjPCANwlwV34jJuKYVLH7F:bpDshe2b/hqtMSsFILj9ACpfVjPbN2wp

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 20 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\##!!SetUp_2244_Pa$sW0rd$$!!\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\##!!SetUp_2244_Pa$sW0rd$$!!\Setup.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2156
    • C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe
      "C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1872
      • C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe
        C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:2564
        • C:\Windows\SysWOW64\more.com
          C:\Windows\SysWOW64\more.com
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of WriteProcessMemory
          PID:2484
          • C:\Windows\SysWOW64\SearchIndexer.exe
            C:\Windows\SysWOW64\SearchIndexer.exe
            5⤵
              PID:1752

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\ac1af14c

      Filesize

      1.1MB

      MD5

      45aa5e81fd75c7a776fbe51deb2ac9e5

      SHA1

      d031c134a8ef66e97828c6b09b5325346e386af9

      SHA256

      3da6d99b5081b38e745700b8df7ce77570483c248e6199eb4e3c65bdd5323507

      SHA512

      a84a867aeca86c216f00d364362f2c926625d754eb7bfbfb28c21b98dde97e51b2e611a87ac8b27e4346de7ec8f9e7f1d7235bca081e0bcc70c9860ca7f7fe28

    • C:\Users\Admin\AppData\Local\Temp\charr.dbf

      Filesize

      62KB

      MD5

      9424382dbaeb4890c9c1a52fc90f712a

      SHA1

      6f4d7fe82fbd617b7bea45e9f18a195ebfbd3042

      SHA256

      7ae3088de2f2b20ef4644b42d2ba4f55e29861bfeb19960a5ada00e621a77168

      SHA512

      138b16a0ae8b5af42dd805a01b60737bdefe9445a699a7dbd7967a25d0e6284e66866695575f670167d324d9f60960c9b8c99588bcb41a77c9e699048c2bf949

    • C:\Users\Admin\AppData\Local\Temp\datastate.dll

      Filesize

      75KB

      MD5

      626dd52ec6cf2e1e00948586b649cb2a

      SHA1

      b8aaee43554ec9eb6d0d05a81cf186b330390745

      SHA256

      4696b31b9efef6eb60464d0a18abc398338f3616d7189dbd8555937cb85645fd

      SHA512

      e1e3537d9782cb344bc9925fcea42ffc8125a753caaf713c1fdd521cda36a0513ac89634b3de93ed732557a5649ef3eac2fc9f365bdefdc615d466275788883b

    • C:\Users\Admin\AppData\Local\Temp\madBasic_.bpl

      Filesize

      209KB

      MD5

      dc6655a38ffdc3c349f13828fc8ec36e

      SHA1

      95db71ef7bff8c16ce955c760292bad9f09bb06d

      SHA256

      16126ff5daa3787a159cf4a39aa040b8050ebb66ab90dbb97c503110ef72824a

      SHA512

      84b85f2aaad773cbe039022db3d0c35263343243f0d021d7aa3086904b80dd309e6d2a93613cc774b5db27335f4d2850151e2bc8f4648b0065f66bd3722c3d69

    • C:\Users\Admin\AppData\Local\Temp\madDisAsm_.bpl

      Filesize

      61KB

      MD5

      84bc072f8ea30746f0982afbda3c638f

      SHA1

      f39343933ff3fc7934814d6d3b7b098bc92540a0

      SHA256

      52019f47f96ca868fa4e747c3b99cba1b7aa57317bf8ebf9fcbf09aa576fe006

      SHA512

      6e7648194738e8e49e48c2450eef1d482473cd4e5c0e83f292ac9174488f3f22a3b6ba96f07e024c2ab96613d9db1a97084ca0b3973ed5d88502e0d28e120ef5

    • C:\Users\Admin\AppData\Local\Temp\madExcept_.bpl

      Filesize

      435KB

      MD5

      21068dfd733435c866312d35b9432733

      SHA1

      3d5336c676d3dd94500d0d2fe853b9de457f10fd

      SHA256

      835f1141ece59c36b18e76927572d229136aeb12eff44cb4ba98d7808257c299

      SHA512

      54664a9e60e5a0b148fc4684125b7eac9cfc57d0bc5838204ed587d62e44c3347c0bae3192d5c375b6a74335b4fed4fc53248ba542c59022e9761872e09e3ee7

    • C:\Users\Admin\AppData\Local\Temp\pdfium.dll

      Filesize

      4.3MB

      MD5

      65a63bd3e6c4ce54299bf494582304f3

      SHA1

      e6f63f69388dd5a3cda90403711b78fe5c667981

      SHA256

      5b8d7269ed5ca414208ff017f52ee65f14d4d8a707a39a7dc3f9879c0c0ce335

      SHA512

      f8ff930aa55222478967b7865465c3f75138b9ff172fdcc1aab47a0172641c5a790e73b5d98bf47fc772002437ad2153846dec626e020408c8d6daee0c630b59

    • C:\Users\Admin\AppData\Local\Temp\rebbe.pkg

      Filesize

      851KB

      MD5

      3456f0fe789f38cf5d58b359ac1e8727

      SHA1

      5b39e9e71a07102036386bdd0651dcc267400723

      SHA256

      c6e43d099efea12aabe41fdfe7c6201c94b44fe79fa3d802944e30c019e29e65

      SHA512

      bc2c941019d27f0b2bee5be1ecf5e497c546f9862cc615e18b7ea8fff799bfdaeec2bc05cb17035f44fb1dde16899f21ea9a129a0c3a22a83200d6697c4b4aed

    • C:\Users\Admin\AppData\Local\Temp\vcl120.bpl

      Filesize

      1.9MB

      MD5

      849070ebd34cbaedc525599d6c3f8914

      SHA1

      b0543d13f4d0cb787abdaaf1d3c9a5af17c87afa

      SHA256

      b6f321a48812dc922b26953020c9a60949ec429a921033cfaf1e9f7d088ee628

      SHA512

      f2ca685b01be9d1b77d8d924e0097ddacee7628cc1aad8a87d8b18a699558d38a7851e6cff8bb2b8ae1980824588af5c3ac75b7b4198b620144dff61611f3aeb

    • \Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe

      Filesize

      4.0MB

      MD5

      95387cc85dacad60b3e10665b43602e6

      SHA1

      d9aafd45fe3ad10d28716d6289fe76b4fdce1869

      SHA256

      3c317dbab70d3ab4fce944c92532d111f69fd71dca5c7f7c7b8d57e657f26a1a

      SHA512

      82cb0983739a76d15beacbc50f1bf7fa5cca1650b18444c204a3e6a6656aaba5ac94341fa394aaad78b3ff2d51f17c6623f0a882692881d6506af5dae544a02b

    • \Users\Admin\AppData\Local\Temp\pdf2bmp.dll

      Filesize

      278KB

      MD5

      f65c3b116281fd23e5748ad73e9501cf

      SHA1

      ebda8a741833c4fcbfcb72591a7c173d69a01ebd

      SHA256

      eb48e0e36be7b0a89a0b8cc129a3b004a8525e5f60445e5ca48a7810d9d93725

      SHA512

      78ec4ade61c6abf87283d5858ffe119e10d119bcaa2c678d20cb7d45bb1d244a9aaf70b50ab365509b615e7323081292bae156d665a471990863c83a8b233cbc

    • \Users\Admin\AppData\Local\Temp\rtl120.bpl

      Filesize

      1.1MB

      MD5

      630991830afe0b969bd0995e697ab16e

      SHA1

      feda243d83fba15b23d654513dc1f0d70787ba18

      SHA256

      b1fcb0339b9ef4860bb1ed1e5ba0e148321be64696af64f3b1643d1311028cb3

      SHA512

      2f2bf30be615f44e56ecca972a9fcbe27187045e13c468d039645e5cc6d01f990cde32b322965f245bc8fccfd0920f09a0afa1d4de0748ed01dd9ffc1bd24692

    • \Users\Admin\AppData\Local\Temp\vclx120.bpl

      Filesize

      220KB

      MD5

      7daa2b7fe529b45101a399b5ebf0a416

      SHA1

      fd73f3561d0cebe341a6c380681fb08841fa5ce6

      SHA256

      2bdf023c439010ce0a786ec75d943a80a8f01363712bbf69afc29d3e2b5306ed

      SHA512

      8e9ec71943c412fe95563e488d91e6ef0041c16a08654ff14b11953f134007657d1e6ec95952f6b9c8b8567a35368840618db06e5cd99abc43ae495a3fbc6b96

    • memory/1752-114-0x0000000000400000-0x0000000000469000-memory.dmp

      Filesize

      420KB

    • memory/1752-113-0x0000000000400000-0x0000000000469000-memory.dmp

      Filesize

      420KB

    • memory/1752-112-0x0000000077410000-0x00000000775B9000-memory.dmp

      Filesize

      1.7MB

    • memory/1872-77-0x0000000059800000-0x000000005986E000-memory.dmp

      Filesize

      440KB

    • memory/1872-76-0x0000000050120000-0x000000005030D000-memory.dmp

      Filesize

      1.9MB

    • memory/1872-49-0x0000000073FE0000-0x0000000074077000-memory.dmp

      Filesize

      604KB

    • memory/1872-75-0x0000000057000000-0x000000005703F000-memory.dmp

      Filesize

      252KB

    • memory/1872-71-0x0000000050000000-0x0000000050116000-memory.dmp

      Filesize

      1.1MB

    • memory/1872-69-0x0000000000400000-0x0000000000845000-memory.dmp

      Filesize

      4.3MB

    • memory/1872-50-0x0000000077410000-0x00000000775B9000-memory.dmp

      Filesize

      1.7MB

    • memory/1872-79-0x0000000050310000-0x0000000050349000-memory.dmp

      Filesize

      228KB

    • memory/1872-78-0x0000000057800000-0x0000000057812000-memory.dmp

      Filesize

      72KB

    • memory/2484-110-0x0000000073FE0000-0x0000000074077000-memory.dmp

      Filesize

      604KB

    • memory/2484-109-0x0000000077410000-0x00000000775B9000-memory.dmp

      Filesize

      1.7MB

    • memory/2564-101-0x0000000050000000-0x0000000050116000-memory.dmp

      Filesize

      1.1MB

    • memory/2564-100-0x0000000000400000-0x0000000000845000-memory.dmp

      Filesize

      4.3MB

    • memory/2564-103-0x0000000050120000-0x000000005030D000-memory.dmp

      Filesize

      1.9MB

    • memory/2564-98-0x0000000073FE0000-0x0000000074077000-memory.dmp

      Filesize

      604KB

    • memory/2564-104-0x0000000059800000-0x000000005986E000-memory.dmp

      Filesize

      440KB

    • memory/2564-97-0x0000000077410000-0x00000000775B9000-memory.dmp

      Filesize

      1.7MB