Analysis

max time kernel: 91s
max time network: 203s
platform: windows11-21h2_x64
resource: win11-20240709-en
resource tags: arch:x64, arch:x86, image:win11-20240709-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 10-07-2024 19:47
Static task: static1

Behavioral task: behavioral1
  Sample: ##!!SetUp_2244_Pa$sW0rd$$!!/Setup.exe
  Resource: win7-20240704-en

Behavioral task: behavioral2
  Sample: ##!!SetUp_2244_Pa$sW0rd$$!!/Setup.exe
  Resource: win10v2004-20240709-en

Behavioral task: behavioral3
  Sample: ##!!SetUp_2244_Pa$sW0rd$$!!/Setup.exe
  Resource: win11-20240709-en
General

Target: ##!!SetUp_2244_Pa$sW0rd$$!!/Setup.exe
Size: 5.8MB
MD5: c43099511811f8671ec857d05031d3bc
SHA1: 6804ff5dd674c4b923a3130dff991695316d682d
SHA256: 06d7c8db750907fb33f1c65212750c1a699dfcb78e2ff65c99e3ab40790b58ac
SHA512: eee426dd85bfde98553e0d439587b948cf5532479de2c43ef2e6ec98c14e623d03903c60e056627f0c9551f9563567178f249f0c580de26f7591513c5efb8073
SSDEEP: 98304:bp4ssheeWLUbdF4+qtMSsFISWnNoyF9Vy/Yez+32efVjPCANwlwV34jJuKYVLH7F:bpDshe2b/hqtMSsFILj9ACpfVjPbN2wp
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
  PID   Process
  2460  iTopDataRecovery.exe
  2176  iTopDataRecovery.exe

Loads dropped DLL (22 IoCs)
  PID   Process               DLL loads
  2460  iTopDataRecovery.exe  13
  2176  iTopDataRecovery.exe  9

Suspicious use of SetThreadContext (1 IoC)
  PID   Process               Target PID  Target process
  2176  iTopDataRecovery.exe  1448        more.com

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (5 IoCs)
  PID   Process               Hits
  2460  iTopDataRecovery.exe  1
  2176  iTopDataRecovery.exe  2
  1448  more.com              2

Suspicious behavior: MapViewOfSection (2 IoCs)
  PID   Process
  2176  iTopDataRecovery.exe
  1448  more.com

Suspicious use of WriteProcessMemory (14 IoCs)
  Source PID  Source process        Target PID  Target process        Writes
  492         Setup.exe             2460        iTopDataRecovery.exe  3
  2460        iTopDataRecovery.exe  2176        iTopDataRecovery.exe  3
  2176        iTopDataRecovery.exe  1448        more.com              4
  1448        more.com              4976        SearchIndexer.exe     4
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\##!!SetUp_2244_Pa$sW0rd$$!!\Setup.exe (PID 492)
  Command line: "C:\Users\Admin\AppData\Local\Temp\##!!SetUp_2244_Pa$sW0rd$$!!\Setup.exe"
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe (PID 2460)
    Command line: "C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe (PID 2176)
      Command line: C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory

      Depth 4: C:\Windows\SysWOW64\more.com (PID 1448)
        Command line: C:\Windows\SysWOW64\more.com
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory

        Depth 5: C:\Windows\SysWOW64\SearchIndexer.exe (PID 4976)
          Command line: C:\Windows\SysWOW64\SearchIndexer.exe
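The process tree and the signatures above describe one pattern: a dropped EXE relaunches a same-named copy of itself from %AppData%\Roaming\SGP, that copy starts a Windows console utility (more.com) and both writes its memory and sets its thread context, and the hollowed more.com then writes into SearchIndexer.exe. The Python below is an added example, not code from the report or from the sandbox that produced it; it turns that pattern into four detection rules over two record types, process creation and cross-process access. The record shapes, the USER_WRITABLE and NON_PARENT_BINARIES lists, ppid 0 for the root and the benign control records are all assumptions; the sample records are constructed to mirror the tree and the WriteProcessMemory/SetThreadContext IoCs on this page.

```python
"""Detection rules for the injection chain in this report, over process-creation and
cross-process-access records. Added example, not code from the report or the sandbox;
every sample record below is constructed to mirror the page's process tree and IoCs."""
from dataclasses import dataclass
import ntpath

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str   # full image path

@dataclass(frozen=True)
class AccessEvent:
    src_pid: int
    dst_pid: int
    api: str     # e.g. "WriteProcessMemory", "SetThreadContext"

@dataclass(frozen=True)
class Finding:
    pid: int
    rule: str
    detail: str

# Directory fragments a standard user can write to (assumption; tune per estate).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\")
# Console utilities that never legitimately spawn children; more.com is a pager (assumption).
NON_PARENT_BINARIES = {"more.com"}

def base(path):
    return ntpath.basename(path).lower()

def is_user_writable(path):
    return any(frag in path.lower() for frag in USER_WRITABLE)

def is_system_binary(path):
    p = path.lower()
    return p.startswith("c:\\windows\\system32\\") or p.startswith("c:\\windows\\syswow64\\")

def ancestry(procs, pid):
    """Parent chain from pid to the root, leaf first; stops on an unknown or cyclic ppid."""
    by_pid = {p.pid: p for p in procs}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain

def detect(procs, accesses):
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        if parent is None:
            continue
        pn, cn = base(parent.image), base(p.image)
        # Rule 1: a binary in a user-writable directory started a Windows system binary
        if is_user_writable(parent.image) and is_system_binary(p.image):
            findings.append(Finding(p.pid, "user-writable-parent-spawns-system-binary", f"{pn} -> {cn}"))
        # Rule 2: a console utility that should never be a parent has a child
        if pn in NON_PARENT_BINARIES:
            findings.append(Finding(p.pid, "unexpected-child-of-console-utility", f"{pn} -> {cn}"))
        # Rule 3: a dropped EXE relaunched a same-named copy from another user-writable directory
        if (pn == cn and is_user_writable(parent.image) and is_user_writable(p.image)
                and parent.image.lower() != p.image.lower()):
            findings.append(Finding(p.pid, "self-copy-relaunch", f"{parent.image} -> {p.image}"))
    # Rule 4: one source both wrote memory of and set a thread context in a system-binary
    # target; that API pairing is the hollowing/injection signature behind the more.com hit
    apis = {}
    for a in accesses:
        apis.setdefault((a.src_pid, a.dst_pid), set()).add(a.api)
    for (src, dst), used in apis.items():
        target = by_pid.get(dst)
        if target and {"WriteProcessMemory", "SetThreadContext"} <= used and is_system_binary(target.image):
            findings.append(Finding(dst, "write-and-set-thread-context-into-system-binary",
                                    f"{src} -> {base(target.image)}"))
    return findings

# Constructed records mirroring the report's tree (ppid 0 for the root is an assumption).
SAMPLE_PROCS = [
    ProcEvent(492, 0, r"C:\Users\Admin\AppData\Local\Temp\##!!SetUp_2244_Pa$sW0rd$$!!\Setup.exe"),
    ProcEvent(2460, 492, r"C:\Users\Admin\AppData\Local\Temp\iTopDataRecovery.exe"),
    ProcEvent(2176, 2460, r"C:\Users\Admin\AppData\Roaming\SGP\iTopDataRecovery.exe"),
    ProcEvent(1448, 2176, r"C:\Windows\SysWOW64\more.com"),
    ProcEvent(4976, 1448, r"C:\Windows\SysWOW64\SearchIndexer.exe"),
]
SAMPLE_ACCESS = [
    AccessEvent(492, 2460, "WriteProcessMemory"),
    AccessEvent(2460, 2176, "WriteProcessMemory"),
    AccessEvent(2176, 1448, "WriteProcessMemory"),
    AccessEvent(2176, 1448, "SetThreadContext"),
    AccessEvent(1448, 4976, "WriteProcessMemory"),
]
# Constructed benign control: Explorer starting Notepad must produce no findings.
BENIGN_PROCS = [
    ProcEvent(1000, 0, r"C:\Windows\explorer.exe"),
    ProcEvent(1001, 1000, r"C:\Windows\System32\notepad.exe"),
]
```

Calling detect(SAMPLE_PROCS, SAMPLE_ACCESS) yields four findings, one per hop of the chain past the initial drop: the self-copy relaunch at PID 2176, the Roaming copy starting more.com (PID 1448), more.com parenting SearchIndexer.exe (PID 4976), and the WriteProcessMemory plus SetThreadContext pairing from 2176 into 1448. Rules 1 to 3 need only process-creation logs; rule 4 needs API-level telemetry like the sandbox trace behind this report, and drops out if the SetThreadContext record is missing. ancestry(SAMPLE_PROCS, 4976) returns the full path from SearchIndexer.exe back to Setup.exe for triage output.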
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1.1MB
MD5: 8e09ecc2c3197e4e97e1aba0de94f438
SHA1: 06ebb8ea17d070d0947ab667bac21d83010cde3f
SHA256: e9ce8f5d88dcbdd0856db902a6796fad499a5b2b74190592747fe55959321898
SHA512: aa8c79b8664ecc0f5093031bda9fa46725cb3b6796edb5803f74b0e9dbf79f97dd33d74c6668f7f699eab937ad998937f0894963bce823060ebd3dca90ebae6a

Filesize: 62KB
MD5: 9424382dbaeb4890c9c1a52fc90f712a
SHA1: 6f4d7fe82fbd617b7bea45e9f18a195ebfbd3042
SHA256: 7ae3088de2f2b20ef4644b42d2ba4f55e29861bfeb19960a5ada00e621a77168
SHA512: 138b16a0ae8b5af42dd805a01b60737bdefe9445a699a7dbd7967a25d0e6284e66866695575f670167d324d9f60960c9b8c99588bcb41a77c9e699048c2bf949

Filesize: 75KB
MD5: 626dd52ec6cf2e1e00948586b649cb2a
SHA1: b8aaee43554ec9eb6d0d05a81cf186b330390745
SHA256: 4696b31b9efef6eb60464d0a18abc398338f3616d7189dbd8555937cb85645fd
SHA512: e1e3537d9782cb344bc9925fcea42ffc8125a753caaf713c1fdd521cda36a0513ac89634b3de93ed732557a5649ef3eac2fc9f365bdefdc615d466275788883b

Filesize: 4.0MB
MD5: 95387cc85dacad60b3e10665b43602e6
SHA1: d9aafd45fe3ad10d28716d6289fe76b4fdce1869
SHA256: 3c317dbab70d3ab4fce944c92532d111f69fd71dca5c7f7c7b8d57e657f26a1a
SHA512: 82cb0983739a76d15beacbc50f1bf7fa5cca1650b18444c204a3e6a6656aaba5ac94341fa394aaad78b3ff2d51f17c6623f0a882692881d6506af5dae544a02b

Filesize: 435KB
MD5: 21068dfd733435c866312d35b9432733
SHA1: 3d5336c676d3dd94500d0d2fe853b9de457f10fd
SHA256: 835f1141ece59c36b18e76927572d229136aeb12eff44cb4ba98d7808257c299
SHA512: 54664a9e60e5a0b148fc4684125b7eac9cfc57d0bc5838204ed587d62e44c3347c0bae3192d5c375b6a74335b4fed4fc53248ba542c59022e9761872e09e3ee7

Filesize: 209KB
MD5: dc6655a38ffdc3c349f13828fc8ec36e
SHA1: 95db71ef7bff8c16ce955c760292bad9f09bb06d
SHA256: 16126ff5daa3787a159cf4a39aa040b8050ebb66ab90dbb97c503110ef72824a
SHA512: 84b85f2aaad773cbe039022db3d0c35263343243f0d021d7aa3086904b80dd309e6d2a93613cc774b5db27335f4d2850151e2bc8f4648b0065f66bd3722c3d69

Filesize: 61KB
MD5: 84bc072f8ea30746f0982afbda3c638f
SHA1: f39343933ff3fc7934814d6d3b7b098bc92540a0
SHA256: 52019f47f96ca868fa4e747c3b99cba1b7aa57317bf8ebf9fcbf09aa576fe006
SHA512: 6e7648194738e8e49e48c2450eef1d482473cd4e5c0e83f292ac9174488f3f22a3b6ba96f07e024c2ab96613d9db1a97084ca0b3973ed5d88502e0d28e120ef5

Filesize: 278KB
MD5: f65c3b116281fd23e5748ad73e9501cf
SHA1: ebda8a741833c4fcbfcb72591a7c173d69a01ebd
SHA256: eb48e0e36be7b0a89a0b8cc129a3b004a8525e5f60445e5ca48a7810d9d93725
SHA512: 78ec4ade61c6abf87283d5858ffe119e10d119bcaa2c678d20cb7d45bb1d244a9aaf70b50ab365509b615e7323081292bae156d665a471990863c83a8b233cbc

Filesize: 4.3MB
MD5: 65a63bd3e6c4ce54299bf494582304f3
SHA1: e6f63f69388dd5a3cda90403711b78fe5c667981
SHA256: 5b8d7269ed5ca414208ff017f52ee65f14d4d8a707a39a7dc3f9879c0c0ce335
SHA512: f8ff930aa55222478967b7865465c3f75138b9ff172fdcc1aab47a0172641c5a790e73b5d98bf47fc772002437ad2153846dec626e020408c8d6daee0c630b59

Filesize: 851KB
MD5: 3456f0fe789f38cf5d58b359ac1e8727
SHA1: 5b39e9e71a07102036386bdd0651dcc267400723
SHA256: c6e43d099efea12aabe41fdfe7c6201c94b44fe79fa3d802944e30c019e29e65
SHA512: bc2c941019d27f0b2bee5be1ecf5e497c546f9862cc615e18b7ea8fff799bfdaeec2bc05cb17035f44fb1dde16899f21ea9a129a0c3a22a83200d6697c4b4aed

Filesize: 1.1MB
MD5: 630991830afe0b969bd0995e697ab16e
SHA1: feda243d83fba15b23d654513dc1f0d70787ba18
SHA256: b1fcb0339b9ef4860bb1ed1e5ba0e148321be64696af64f3b1643d1311028cb3
SHA512: 2f2bf30be615f44e56ecca972a9fcbe27187045e13c468d039645e5cc6d01f990cde32b322965f245bc8fccfd0920f09a0afa1d4de0748ed01dd9ffc1bd24692

Filesize: 1.9MB
MD5: 849070ebd34cbaedc525599d6c3f8914
SHA1: b0543d13f4d0cb787abdaaf1d3c9a5af17c87afa
SHA256: b6f321a48812dc922b26953020c9a60949ec429a921033cfaf1e9f7d088ee628
SHA512: f2ca685b01be9d1b77d8d924e0097ddacee7628cc1aad8a87d8b18a699558d38a7851e6cff8bb2b8ae1980824588af5c3ac75b7b4198b620144dff61611f3aeb

Filesize: 220KB
MD5: 7daa2b7fe529b45101a399b5ebf0a416
SHA1: fd73f3561d0cebe341a6c380681fb08841fa5ce6
SHA256: 2bdf023c439010ce0a786ec75d943a80a8f01363712bbf69afc29d3e2b5306ed
SHA512: 8e9ec71943c412fe95563e488d91e6ef0041c16a08654ff14b11953f134007657d1e6ec95952f6b9c8b8567a35368840618db06e5cd99abc43ae495a3fbc6b96