Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
-
submitted
20-07-2024 01:40
General
-
Target
setup.exe
-
Size
27KB
-
MD5
8bf8d9d1ec6093701cb0694f269d26fd
-
SHA1
e3a7c8ad993c5771792434c48e823f86b6a89640
-
SHA256
fa5c38f264aba0e77e8752feb1ce2dfec1cf80154c136e8b816f251f1ac2ab76
-
SHA512
ee06a25a995c77672f13ca6c9fc5477cb50c964ef4b50b4fa0dab38a72c62f5f2485cb4d54e1edcc8f504d0ed22b420f0d931cccb4b529b0db2761ab68c5a42c
-
SSDEEP
768:ADTNi7eKAKn3zSVy/E7fI34RocT/etFbZcoQiw/ZOuYoE:qBi7e6zSFPX/eioQiwbYH
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 59 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 32 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
-
Suspicious use of FindShellTrayWindow 26 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\WinHex\WinHex.exe"C:\Program Files (x86)\WinHex\WinHex.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\winhlp32.exewinhlp32.exe -x3⤵
-
-
-
C:\Windows\helppane.exeC:\Windows\helppane.exe -Embedding1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://go.microsoft.com/fwlink/?LinkId=5288812⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9bbc646f8,0x7ff9bbc64708,0x7ff9bbc647183⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2168,3741299272678117514,18349705926523386953,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:23⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2168,3741299272678117514,18349705926523386953,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2168,3741299272678117514,18349705926523386953,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,3741299272678117514,18349705926523386953,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,3741299272678117514,18349705926523386953,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,3741299272678117514,18349705926523386953,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5124 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2168,3741299272678117514,18349705926523386953,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5124 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,3741299272678117514,18349705926523386953,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,3741299272678117514,18349705926523386953,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,3741299272678117514,18349705926523386953,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,3741299272678117514,18349705926523386953,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,3741299272678117514,18349705926523386953,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6112 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,3741299272678117514,18349705926523386953,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2168,3741299272678117514,18349705926523386953,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:13⤵
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.4MB
MD50bc48abad1ce6dc97a649e42f31d668f
SHA166b405640d43de81951e6202c2d7c239949ed6a6
SHA2568fb578ca01388b5e2d6749418ee072d1b52a7c03e0aebcf0265f88f74d68e138
SHA512a5f4ddfa5d9123b9705b77b8ca801e72bcadf30a6e8c380284f4ab5357ad02c88a31471e8c09b469d70d2158861cc793fb2c91303f183779727c5bb63bfed19d
-
Filesize
150KB
MD545c6e0a1949c5c4feecfa8c66fdab2a6
SHA150d286260a53b616168c85553e2b27a0b061afca
SHA2562f7eac54a270466b035590faa774e6c6450f81645d5d5688227e75230f8b7b7a
SHA5121dc516a3879bef83f76cd2f88bf0d1cb93685a890e5937b74b8de9d1d0a5abcef7834e69d9759e744183c23fd0dd7cd63b1b96363b39c5a3c36caa993eefc75d
-
Filesize
191KB
MD57861cb55b7d23012130a3b2284d0803d
SHA16a3475a9c29731a1c65205341fa8d18c377df915
SHA2569ae718f4dafcd9da1e55e2a4b657a991653d73c8b5fe4611f7414cef382398d0
SHA512ab54aafa69d7b51c81ab57216fa6d3e67882a23126e7381d973c094e924e469f302384eddc8b1b306174b7a81b9ec7f8982e161c216a6311345f18ce86a5d980
-
Filesize
2KB
MD5843affb88952e79d8c1e8a49d504a985
SHA113155598b4177bb92eae44b49fe40a580b924777
SHA2561cfc1a7a614e4cbf35d335d93c9130c0bb4ed55dca727b277a1537213a360e17
SHA5124e99f9e2f2f18af2dc942dc67a40e1939e85f537e528284b0eb056b6775326128fa7526b5feb40f3c861e5bd0e4f96a9591c119dc16955efdf15e2a04d6e2c3d
-
Filesize
152B
MD560ead4145eb78b972baf6c6270ae6d72
SHA1e71f4507bea5b518d9ee9fb2d523c5a11adea842
SHA256b9e99e7387a915275e8fe4ac0b0c0cd330b4632814d5c9c446beb2755f1309a7
SHA5128cdbafd2783048f5f54f22e13f6ef890936d5b986b0bb3fa86d2420a5bfecf7bedc56f46e6d5f126eae79f492315843c134c441084b912296e269f384a73ccde
-
Filesize
152B
MD51f9d180c0bcf71b48e7bc8302f85c28f
SHA1ade94a8e51c446383dc0a45edf5aad5fa20edf3c
SHA256a17d56c41d524453a78e3f06e0d0b0081e79d090a4b75d0b693ddbc39f6f7fdc
SHA512282863df0e51288049587886ed37ad1cf5b6bfeed86454ea3b9f2bb7f0a1c591f3540c62712ebfcd6f1095e1977446dd5b13b904bb52b6d5c910a1efc208c785
-
Filesize
456B
MD55c55e888a913c85ff26a0e10823836e9
SHA1573bebb97bdc00e7e68e15b0c5310760474c8b2d
SHA25641a59e2ffa9cd56fdd6d96b75ea3cc22e24a480af803156f5b7170d6b20b1ef9
SHA5122f782eff056a1a63090be79ef94c5ae6cf3885482af81cd3e2d039107ac57bdd2df7ef913ed73f874c68ae0b2176b15b4cdc311c17e0a7b70830535b2ea7e39c
-
Filesize
189B
MD51c71d79b135a68f3ecbc4ae68c2dc88d
SHA1aafa539f26effcddc6a2ccb828433445e37fc2eb
SHA2561e463ad8d85bf63ddfae93296b5de4b8c69041f3f95eb1b39c1126cf2eba3591
SHA512a81bb105277742ebde0b1f93a7dfdd49de3c33f673cac33fae3ec51e6ca595c960fc7ee5dfc0c189f56ed5fb559bd1a19432e89ae3a5adf53a5bf6d4b2268d1d
-
Filesize
5KB
MD52d280a46a8b36c0e47472d242c0e0a11
SHA1b6d99b9e5af06b9827dd7921db88bf83e5969b7b
SHA256d23622202327071bf94c7a7754f572d4d1f632a8a4d810ac279dbd10b845fc4d
SHA512dbaa5f8fb654af5bad49db0553ef2c37172a5f4969a792ce0e7dfdc1c1ffb9a03189310b7c5ec51a90bf231a073ca4a9daffcd8c851b26815b8805f9193560c6
-
Filesize
6KB
MD536e8cde01c5c76ed4d40f07e9b287ed7
SHA1c797aca6c2e0eb4e703126fcc0135a6a86b9a27e
SHA256318730c4b7be98e4ecff18c946630b590c36345b8472d92d857c8ac0c577c505
SHA512e7049c2b2547c84587b74a21584a871a19b4317c943d0e1ffdcc7eb6cc43b462bd637d405202bc2bd6612f881a58d5da3714cbd17e907eb03965772bec59e915
-
Filesize
6KB
MD5dc76fa272ffeb238eb2aca6efd54cc4d
SHA184a3d2c71a040590da0458b306d600b1eb95e0f2
SHA256ba3dbcb743f9dfae6dd1f02900c761ec167543e07141db18ead4c60f075d7354
SHA512f3cb06a557e30fe107443910d9ee770a2af9cb57e0a6e062b81751b902b638916dcda48aae3efb252eafca63207a9bbf619fd89c56c344e58a97aec04dd3a4dd
-
Filesize
1KB
MD519c2133c25d396f220e0afc58c34340c
SHA12cef1f45509a8297a4815d1b99c9604a5fcb40a1
SHA256197d4be01b430082c20e0af41d143d89006ffa14ece148eb3e53bb75e67b29f5
SHA512f7cc8348a91556077cce6f442587abe1c941833a138bd22b0e1d6878665d27a118a994f0534e4703b32061d6b93efa16dae58115c6fd61a089867aee66c14943
-
Filesize
1KB
MD54282452ed64def1a58ae6a4a4d8c8114
SHA1aeb84ce183f9b439bf37dcabb3acc1f16a7c80f2
SHA256f1ba3e1cbdfdc2c1020a38ea4df8fe6491ba6eb01d590338e652c2f96bde1a72
SHA512296a941ae78bbce79b6ae0041d2f5990a3aa13bdcc29e6c53132488525b7800a19200e6f1a545b04239f92ab81bbaca9cf0dc3e8f34b6a110da5b16e079c7f6d
-
Filesize
366B
MD5085a613bc8a222a785756cf396334b0c
SHA1fd9136f2ecf9dc0234f105817e756fff05efb711
SHA2563a6df911149f342c6bd9798a1e6bce83a14c7d0f884c0b25e3ceae17914bcb5c
SHA512a00348b9acdeafcefb2c78755449e99c44c13f9943b1b627014287b042efac796ff12c361a3d96380bfdcccd19110af360f6e1209db03a15faa162ecaa2c9cb6
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
11KB
MD5ed39cb93660cc84fc43e3cebef41a206
SHA1d7a0e230e190a20758137a286cd9110c4d7ea40d
SHA2569728624b070c20f0ec8876ad4b1fd08ec8912b61fadb1f05584827ff509369a0
SHA5121e4ad8abdc57fb7123ced7f248e01c5a2aadbd4679ca86013bfc58f9110a57aff0f7587299d0364f73e72efae6cad771eff5c6118c12ff03e7ba4f3e0bced1b4
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
172KB
-
Filesize
1.6MB
-
Filesize
172KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
172KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
32KB
-
Filesize
32KB