Overview

overview

7

Static

static

3

setup.exe

windows10-2004-x64

7

Resubmissions

11/07/2024, 00:27

240711-aryn7s1cnh 7

11/07/2024, 00:23

240711-aphj7s1bmh 7

Analysis

  • max time kernel
    141s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/07/2024, 00:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    setup.exe

  • Size

    1.3MB

  • MD5

    8981ff37b14e235e3d656121f62b3334

  • SHA1

    76457e6766ee63dfd39c1520b181d740ef49237c

  • SHA256

    ea104e95cc926ccf4e4ca24f234c11290a26923d0eb6652a11594089e3287d48

  • SHA512

    a4b500c42302b6154a58f627e0990115ba9baff08e53fa9c71e6d4180fdbefd3fbbc7d4d160bae5cf45fe67a76f618162b296ab0fd777ccaf35dbd461af3e5d2

  • SSDEEP

    24576:sMjh/1qnS8XSjLHwZUdRLQdJdQDc9hfQsFwhpZY7Qp1y/PnqTyI:PinjXgQZys0ohfvFw+7Q/qqGI

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 7 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\setup.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2944
    • C:\Users\Admin\AppData\Local\Temp\is-24DO9.tmp\setup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-24DO9.tmp\setup.tmp" /SL5="$F004A,861281,152064,C:\Users\Admin\AppData\Local\Temp\setup.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Enumerates connected drives
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      PID:3956
  • C:\Windows\system32\mmc.exe
    "C:\Windows\system32\mmc.exe" "C:\Windows\system32\diskmgmt.msc"
    1⤵
    • Drops file in System32 directory
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:3952
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
      PID:2096
    • C:\Windows\System32\vds.exe
      C:\Windows\System32\vds.exe
      1⤵
      • Checks SCSI registry key(s)
      PID:3096
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:2320

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\is-24DO9.tmp\setup.tmp
        Filesize

        1.4MB

        MD5

        7300211c571951be86be6c6f8cdfc09d

        SHA1

        5464e16689003406513c7677b3d970f673551d18

        SHA256

        e77c3184d90f6e7a1276bb8389aba06296be97deb2e8a3433ca9a537538696da

        SHA512

        9c340edcd63c87565a9de26892d2e83647798583cc942bf608b54e86b8fd36bc2ad64421241b88f0a0682e7c006a5af712e62d3231ca5a81264d8b1a1905ebb4

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\is-5F6EC.tmp\1.png
        Filesize

        614B

        MD5

        91e24a003e2af74f1c26f2a6820754ec

        SHA1

        364987d9e6214e67dfe3799b6db27e54900a2978

        SHA256

        992805589f702a50048820994a6a01d4e049c87f2795907b8e056cda90e907d1

        SHA512

        c2a3a4427eb513aa8a7e6c680661f0d5738369e552297c378df49788d7263baf2fdbd5dec7e871e7261f3e0c432c2af5c439ee076606706aa83932c238610939

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\is-5F6EC.tmp\2.png
        Filesize

        313B

        MD5

        72796608b699bb61d9d05be027fd3f61

        SHA1

        6fc59523abde95dd2a590798d8fa8591e645059a

        SHA256

        0d11d0868d705e8d2999333dd48f2da3ed630ea66ece7708e35c5f5ee08ecad5

        SHA512

        d8a7c8e98d015f5cff50426760eb36fb38f9a09982a7ca824bf93853b0adad8143d7211e7414ac6f2971888ebcfb0d8ac62d583329694511e733d5e18eeace08

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\is-5F6EC.tmp\3.png
        Filesize

        359B

        MD5

        0efab0ff0a9c54f6e679ba8533952e40

        SHA1

        12eb7215bd6ccb6656ca95bb7c1ffbcc3f2024c0

        SHA256

        42c6ee43b162e26dc79fee77e92159cce6b035230e193ce4c25a967ff644c90b

        SHA512

        b38a03202e52e46af298f72058bdf22f1307fcb03b3b4ed68a3507ebe0f8b880b3e4ebd5b5eb4ba275d4c1c718fea2db0a2c5ef24632b99d2d4694b293960a43

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\is-5F6EC.tmp\CallbackCtrl.dll
        Filesize

        4KB

        MD5

        f07e819ba2e46a897cfabf816d7557b2

        SHA1

        8d5fd0a741dd3fd84650e40dd3928ae1f15323cc

        SHA256

        68f42a7823ed7ee88a5c59020ac52d4bbcadf1036611e96e470d986c8faa172d

        SHA512

        7ed26d41ead2ace0b5379639474d319af9a3e4ed2dd9795c018f8c5b9b533fd36bfc1713a1f871789bf14884d186fd0559939de511dde24673b0515165d405af

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\is-5F6EC.tmp\ISDone.dll
        Filesize

        452KB

        MD5

        4feafa8b5e8cdb349125c8af0ac43974

        SHA1

        7f17e5e1b088fc73690888b215962fbcd395c9bd

        SHA256

        bb8a0245dcc5c10a1c7181bad509b65959855009a8105863ef14f2bb5b38ac71

        SHA512

        d63984ee385b4f1eba8e590d6de4f082fb0121689295ec6e496539209459152465f6db09e6d8f92eec996a89fc40432077cbfa807beb2de7f375154fef6554bc

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\is-5F6EC.tmp\botva2.dll
        Filesize

        35KB

        MD5

        0177746573eed407f8dca8a9e441aa49

        SHA1

        6b462adf78059d26cbc56b3311e3b97fcb8d05f7

        SHA256

        a4b61626a1626fdabec794e4f323484aa0644baa1c905a5dcf785dc34564f008

        SHA512

        d4ac96da2d72e121d1d63d64e78bcea155d62af828324b81889a3cd3928ceeb12f7a22e87e264e34498d100b57cdd3735d2ab2316e1a3bf7fa099ddb75c5071a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\is-5F6EC.tmp\w.png
        Filesize

        338KB

        MD5

        49e8135aa0465d4d2c2195a9ae4ebf10

        SHA1

        9aa6a397d2505dc01d196a0f0e9dd0bc51d92ffa

        SHA256

        2af89332117632e572a515e767151e7069a582155b639ba087ef8acbf2e0cd65

        SHA512

        b40804894a7c3ce8a88bf3d937bfce389c125f9c2da811598ef00c772a871a225d0cce5382aa3b82db65d7c06fda0248d3318f83b4e57021d2cb7e766d302986

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\is-5F6EC.tmp\wintb.dll
        Filesize

        3KB

        MD5

        348f5c9651b979191373eba950d0edc3

        SHA1

        7c2af0023c6d07bfcee4fe9bb0d82c58c3259b49

        SHA256

        6922915886745d1b59320dee9a87311aadd57f924ffb73cac1d27573e75bcecc

        SHA512

        57712ca55e65f66974492ba4e209b8e97bc559978a510e48bac521441d3123aef812cbb71990c5baa0446818a6cda7902d5b9b601af7ffc2c8c9ecae98b15082

        Download Submit

      • memory/2944-2-0x0000000000401000-0x0000000000417000-memory.dmp

        Filesize

        88KB

        Download

      • memory/2944-0-0x0000000000400000-0x000000000042F000-memory.dmp

        Filesize

        188KB

        Download

      • memory/2944-70-0x0000000000400000-0x000000000042F000-memory.dmp

        Filesize

        188KB

        Download

      • memory/3956-73-0x0000000003F20000-0x0000000003F2E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/3956-74-0x0000000000400000-0x000000000057B000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/3956-69-0x0000000000400000-0x000000000057B000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/3956-15-0x00000000034B0000-0x0000000003527000-memory.dmp

        Filesize

        476KB

        Download

      • memory/3956-72-0x00000000034B0000-0x0000000003527000-memory.dmp

        Filesize

        476KB

        Download

      • memory/3956-36-0x0000000003F20000-0x0000000003F2E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/3956-71-0x0000000000400000-0x000000000057B000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/3956-6-0x0000000000400000-0x000000000057B000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/3956-78-0x0000000003F20000-0x0000000003F2E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/3956-79-0x0000000000400000-0x000000000057B000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/3956-81-0x0000000000400000-0x000000000057B000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/3956-84-0x0000000000400000-0x000000000057B000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/3956-86-0x0000000000400000-0x000000000057B000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/3956-98-0x0000000000400000-0x000000000057B000-memory.dmp

        Filesize

        1.5MB

        Download