Overview
overview
10Static
static
10Setup.exe
windows7-x64
7Setup.exe
windows10-2004-x64
7$PLUGINSDI...ec.dll
windows7-x64
3$PLUGINSDI...ec.dll
windows10-2004-x64
3IMHttpComm.dll
windows7-x64
3IMHttpComm.dll
windows10-2004-x64
3ImLc.exe
windows7-x64
7ImLc.exe
windows10-2004-x64
10ImLookExU.dll
windows7-x64
1ImLookExU.dll
windows10-2004-x64
1ImLookU.dll
windows7-x64
1ImLookU.dll
windows10-2004-x64
1ImNtUtilU.dll
windows7-x64
3ImNtUtilU.dll
windows10-2004-x64
3ImUtilsU.dll
windows7-x64
1ImUtilsU.dll
windows10-2004-x64
1ImWrappU.dll
windows7-x64
1ImWrappU.dll
windows10-2004-x64
1SftTree_IX86_U_60.dll
windows7-x64
1SftTree_IX86_U_60.dll
windows10-2004-x64
1cateran.docx
windows7-x64
4cateran.docx
windows10-2004-x64
1mfc80u.dll
windows7-x64
1mfc80u.dll
windows10-2004-x64
1msvcp80.dll
windows7-x64
1msvcp80.dll
windows10-2004-x64
1msvcr80.dll
windows7-x64
1msvcr80.dll
windows10-2004-x64
1wlessfp1.dll
windows7-x64
3wlessfp1.dll
windows10-2004-x64
3Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
20-07-2024 21:56
Behavioral task
behavioral1
Sample
Setup.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
Setup.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/nsExec.dll
Resource
win7-20240704-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/nsExec.dll
Resource
win10v2004-20240709-en
Behavioral task
behavioral5
Sample
IMHttpComm.dll
Resource
win7-20240708-en
Behavioral task
behavioral6
Sample
IMHttpComm.dll
Resource
win10v2004-20240709-en
Behavioral task
behavioral7
Sample
ImLc.exe
Resource
win7-20240704-en
Behavioral task
behavioral8
Sample
ImLc.exe
Resource
win10v2004-20240709-en
Behavioral task
behavioral9
Sample
ImLookExU.dll
Resource
win7-20240705-en
Behavioral task
behavioral10
Sample
ImLookExU.dll
Resource
win10v2004-20240709-en
Behavioral task
behavioral11
Sample
ImLookU.dll
Resource
win7-20240704-en
Behavioral task
behavioral12
Sample
ImLookU.dll
Resource
win10v2004-20240709-en
Behavioral task
behavioral13
Sample
ImNtUtilU.dll
Resource
win7-20240708-en
Behavioral task
behavioral14
Sample
ImNtUtilU.dll
Resource
win10v2004-20240709-en
Behavioral task
behavioral15
Sample
ImUtilsU.dll
Resource
win7-20240708-en
Behavioral task
behavioral16
Sample
ImUtilsU.dll
Resource
win10v2004-20240709-en
Behavioral task
behavioral17
Sample
ImWrappU.dll
Resource
win7-20240708-en
Behavioral task
behavioral18
Sample
ImWrappU.dll
Resource
win10v2004-20240709-en
Behavioral task
behavioral19
Sample
SftTree_IX86_U_60.dll
Resource
win7-20240705-en
Behavioral task
behavioral20
Sample
SftTree_IX86_U_60.dll
Resource
win10v2004-20240709-en
Behavioral task
behavioral21
Sample
cateran.docx
Resource
win7-20240705-en
Behavioral task
behavioral22
Sample
cateran.docx
Resource
win10v2004-20240709-en
Behavioral task
behavioral23
Sample
mfc80u.dll
Resource
win7-20240708-en
Behavioral task
behavioral24
Sample
mfc80u.dll
Resource
win10v2004-20240709-en
Behavioral task
behavioral25
Sample
msvcp80.dll
Resource
win7-20240708-en
Behavioral task
behavioral26
Sample
msvcp80.dll
Resource
win10v2004-20240709-en
Behavioral task
behavioral27
Sample
msvcr80.dll
Resource
win7-20240704-en
Behavioral task
behavioral28
Sample
msvcr80.dll
Resource
win10v2004-20240709-en
Behavioral task
behavioral29
Sample
wlessfp1.dll
Resource
win7-20240704-en
Behavioral task
behavioral30
Sample
wlessfp1.dll
Resource
win10v2004-20240709-en
General
-
Target
Setup.exe
-
Size
6.6MB
-
MD5
e4301e8ae04291826a336629c424fa74
-
SHA1
c8de33288703388238ae6dfe03c3add4824b987a
-
SHA256
1a060d1dabd86e25cb6aab039a0fdccd176cb033e5c7823164b97b9284e34191
-
SHA512
4d4e79002ec144844db9e85f1b043e4d6a34ded9043c94424834ba010dc369a23ba421cffeea407772ad44f723805ec2e7ae26192b8253b98e0eb01fd48c8918
-
SSDEEP
98304:CaMrs0l5KHUN5EVo4UNPQKD+68kPiz8F+LsxAd8ZFhXGMXRdyf/S1crxA:f+rVWKD3tt+Ls+dmhXGGbmS6rxA
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes:
ImLc.exepid process 3020 ImLc.exe -
Loads dropped DLL 9 IoCs
Processes:
Setup.exeImLc.exepid process 2616 Setup.exe 3020 ImLc.exe 3020 ImLc.exe 3020 ImLc.exe 3020 ImLc.exe 3020 ImLc.exe 3020 ImLc.exe 3020 ImLc.exe 3020 ImLc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
Setup.execmd.exedescription pid process target process PID 2616 wrote to memory of 2632 2616 Setup.exe cmd.exe PID 2616 wrote to memory of 2632 2616 Setup.exe cmd.exe PID 2616 wrote to memory of 2632 2616 Setup.exe cmd.exe PID 2632 wrote to memory of 3020 2632 cmd.exe ImLc.exe PID 2632 wrote to memory of 3020 2632 cmd.exe ImLc.exe PID 2632 wrote to memory of 3020 2632 cmd.exe ImLc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C start /B "" "C:\Users\Admin\AppData\Local\Temp\nswC93C.tmp\ImLc.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\nswC93C.tmp\ImLc.exe"C:\Users\Admin\AppData\Local\Temp\nswC93C.tmp\ImLc.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\nswC93C.tmp\ImLc.exeFilesize
302KB
MD562f06ce16a02ebab81871add6066666b
SHA147c52f3b5dc542d2509bcf1f723598b9b4e88d46
SHA25688c6341f8779755aa42bf23b70f28a3835cb9e910cb3f47a1e79b8e959061184
SHA51282a27a06f1aa5bbf83c697423ae433cbcd1738642c576398b32830b42223811d4cb7623aee24a7e5e77cdf3bbf3a2727120a4d16dcd5ffc6d19c6bd34134ff6c
-
C:\Users\Admin\AppData\Local\Temp\nswC93C.tmp\ImLookExU.dllFilesize
262KB
MD56527be4d6a3333dc5a49218c4f80530d
SHA197c8965b01d2644fb17a0f818af59bc0471e38a7
SHA256908ab22cb8fa1b9125cf5746e5591fd84e4853326a812b9431ca1c0b9e997e1f
SHA51269a57cc28583861b97a02968106f007d56c2b5826fc5aa843978f0bf3a3f155ad9f2b7dfbe8260e38c2a7b1ed759f6f6fadbeef32cec9d7c4ab8f541f645dc5b
-
C:\Users\Admin\AppData\Local\Temp\nswC93C.tmp\ImLookU.dllFilesize
606KB
MD53ea6d805a18715f7368363dea3cd3f4c
SHA130ffafc1dd447172fa91404f07038d759c412464
SHA256a6766c524497144d585efa4fe384b516b563203427003508f7c8f6bffa7c928d
SHA512a102f23741de4ca2184485d9aa4ddd1a36b9ea52cb0859cfd264d69a9996293b7e29b325625f1f6f9330d6c80ff415e09e85e1ae838c58acef585ae8dffe3070
-
C:\Users\Admin\AppData\Local\Temp\nswC93C.tmp\ImUtilsU.dllFilesize
1.4MB
MD511d04f26d2fddde31baea41874db2dc9
SHA1934492f00d56ea6a3aa2a41661529704e847c539
SHA25601d00bbe1bb408c06417092f3e35c90d29fe4ee6a697e4e99c98c9891d852274
SHA5124819cc1b1e924aaac97642bc0b566012547cfbac02721ab63ebdc039d88f81957d1de4089a47c645bd0f9f09de3c52f7ccdbcaa78005b2b335adc5dadc52b212
-
C:\Users\Admin\AppData\Local\Temp\nswC93C.tmp\ImWrappU.dllFilesize
158KB
MD5cbf4827a5920a5f02c50f78ed46d0319
SHA1b035770e9d9283c61f8f8bbc041e3add0197de7b
SHA2567187903a9e4078f4d31f4b709a59d24eb6b417ea289f4f28eabce1ea2e713dce
SHA512d1a285fb630f55df700a74e5222546656de7d2da7e1419e2936078340767d0bab343b603ba0d07140c790eb5d79a8a34b7818b90316ea06cb9f53cad86b6d3f5
-
C:\Users\Admin\AppData\Local\Temp\nswC93C.tmp\SftTree_IX86_U_60.dllFilesize
570KB
MD557bf106e5ec51b703b83b69a402dc39f
SHA1bd4cfab7c50318607326504cc877c0bc84ef56ef
SHA25624f2399fc83198ab8d63ee6a1ad6ffbd1eda4d38048d3e809fecd2a3e0709671
SHA5128bf60649ece6bbb66c7b94ed0d9214fbeab030d5813e1e7b5d6d2349ee1de9075b7dfbbbbeae5af0dc21b071a00eafce0771ca1804e6752e9a71e71e6b1447df
-
C:\Users\Admin\AppData\Local\Temp\nswC93C.tmp\mfc80u.dllFilesize
1.0MB
MD5ccc2e312486ae6b80970211da472268b
SHA1025b52ff11627760f7006510e9a521b554230fee
SHA25618be5d3c656236b7e3cd6d619d62496fe3e7f66bf2859e460f8ac3d1a6bdaa9a
SHA512d6892abb1a85b9cf0fc6abe1c3aca6c46fc47541dffc2b75f311e8d2c9c1d367f265599456bd77be0e2b6d20c6c22ff5f0c46e7d9ba22c847ad1cbedc8ca3eff
-
C:\Users\Admin\AppData\Local\Temp\nswC93C.tmp\nsExec.dllFilesize
11KB
MD5d65973e31f6324acfb9669a98fb1d375
SHA1bde1e7963b46366d186190ba69eb8530ad64572b
SHA2569e1b4a31bedcbfecbafb4f0b3248bff00f1cc590b03dd41797d5dd39979e27b7
SHA51229edd129f47174c16ffe964bbd50551c9b7edea038563cda0bdea90229827b23fbe01c765b7c9d2719df4edd58b30755b5d79e9cedc26b43c8833082bfc5c601
-
C:\Users\Admin\AppData\Local\Temp\nswC93C.tmp\wlessfp1.dllFilesize
70KB
MD55120c44f241a12a3d5a3e87856477c13
SHA1cd8a6ef728c48e17d570c8dc582ec49e17104f6d
SHA256fbd4b6011d3d1c2af22827ca548ba19669eef31173d496e75f064ef7a884431c
SHA51267c0e718368e950d42f007d6a21c6f903b084d6514f777b86aab3111ffe3be995949674276081c0281139a0b39119b84630a0ac341d4ae78677ac8346f371ae1
-
memory/2616-57-0x0000000000400000-0x00000000004A2000-memory.dmpFilesize
648KB