f8063856346ff4d2d26be63e12d5074e43a4b4ff9c6d99a8f2899dd31ab6024a

Analysis

max time kernel
140s
max time network
119s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
16-07-2024 09:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BossComingSetup_V4.0.exe
Size

2.9MB
MD5

f971758012d09cf5d489351aff11faa4
SHA1

ecfa785e178b6b7fc4e2343ec749dbf3faa3fc92
SHA256

b91456a479ab509bac394c335435ef853c96bcd1b0429ed821e1a4ec02649860
SHA512

53fe8a2a36d09ca24fb6471260266b1117a7d4f94fd55618f94a785eb55491a41faf761531e7aa8b29787d1f113b7d554831153d15417b96640a18f1f6f9c72e
SSDEEP

49152:+ZdyNjxr4faUKJW23q7ix0faofUwQRiaydRSZEoUWWflwrQz7K1E2:Gdyvk5K4cq7IyfUfqHSZENWp0K19

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2468	is-GTL7H.tmp

Loads dropped DLL 3 IoCs

pid	Process
1512	BossComingSetup_V4.0.exe
2468	is-GTL7H.tmp
2468	is-GTL7H.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2468	is-GTL7H.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1512 wrote to memory of 2468	1512	BossComingSetup_V4.0.exe	30
PID 1512 wrote to memory of 2468	1512	BossComingSetup_V4.0.exe	30
PID 1512 wrote to memory of 2468	1512	BossComingSetup_V4.0.exe	30
PID 1512 wrote to memory of 2468	1512	BossComingSetup_V4.0.exe	30
PID 1512 wrote to memory of 2468	1512	BossComingSetup_V4.0.exe	30
PID 1512 wrote to memory of 2468	1512	BossComingSetup_V4.0.exe	30
PID 1512 wrote to memory of 2468	1512	BossComingSetup_V4.0.exe	30

C:\Users\Admin\AppData\Local\Temp\BossComingSetup_V4.0.exe
"C:\Users\Admin\AppData\Local\Temp\BossComingSetup_V4.0.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Users\Admin\AppData\Local\Temp\is-C385V.tmp\is-GTL7H.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-C385V.tmp\is-GTL7H.tmp" /SL4 $4014E "C:\Users\Admin\AppData\Local\Temp\BossComingSetup_V4.0.exe" 2814512 51200
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-1N2JD.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
b05cd5cd1c0968db5766fba7c9b13a69

SHA1
29fa5f9e394704b4ee0bace2b8c17aea2d5769c5

SHA256
6489865bf98963bbdc269d0744492d418882db47962b50264cf9b168ae7a2cc3

SHA512
e7b0d9a1009f3f57106eb2205d53d1580639f29fbf96991754e4d979bb61faf74bd62bac636164cf73381e30a48527792dc9e8c86747491d8b946aa9a0c464dd

Download Submit
\Users\Admin\AppData\Local\Temp\is-C385V.tmp\is-GTL7H.tmp

Filesize
640KB

MD5
2f8aef768ccccd1cca5ded7e43fe700c

SHA1
1b3c7fb760365bb734c40c71960adcacfb27a151

SHA256
df73f5b8784ddaa7c7e0360a0e3006ed113f000ea91995ffff7095d80c61640a

SHA512
778bb88061aa681ed1fa88a0a545b6c5fa001b2b0f8326af926a76bb3a8597c2f3957227833c5cb45b0d72f11f3340eddf3b46e8ae3850b2c3613b920fed39bb

Download Submit
memory/1512-2-0x0000000000401000-0x000000000040A000-memory.dmp

Filesize
36KB

Download
memory/1512-0-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1512-16-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2468-17-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download