30b357cf5008053e6200434633069fd81ee35b0798e00745541210890a8ce6fe

Analysis

max time kernel
140s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
25/07/2024, 14:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

trsetup.exe
Size

4.5MB
MD5

6116215b9fbf9c9822696913c17f27f2
SHA1

5712c5ffaa6905d893dbc00512ec70e47c8d6fdd
SHA256

40dadd322216188014b84471a19679a81e2fd61bd8bba7232d3301a806f3c184
SHA512

aceddc5577fc18855d12560f70f2cc611fd2f86ac65bf76292ab30ede66d7428d6325ab086ec9beb549d587f969754315e0384d2c8cbc19af277056d3bd00022
SSDEEP

98304:UHbFwsXp/YZAQ64LsunH/FD5k7eTkm8rLa9DCn+wWTwdAQWZWvUWH5n5:Zs5Aed4LsuH/FDIeTv84Y+wWgVcWH5n5

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1236	is-BKQ8D.tmp

Loads dropped DLL 3 IoCs

pid	Process
2292	trsetup.exe
1236	is-BKQ8D.tmp
1236	is-BKQ8D.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	trsetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	is-BKQ8D.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1236	is-BKQ8D.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 1236	2292	trsetup.exe	28
PID 2292 wrote to memory of 1236	2292	trsetup.exe	28
PID 2292 wrote to memory of 1236	2292	trsetup.exe	28
PID 2292 wrote to memory of 1236	2292	trsetup.exe	28
PID 2292 wrote to memory of 1236	2292	trsetup.exe	28
PID 2292 wrote to memory of 1236	2292	trsetup.exe	28
PID 2292 wrote to memory of 1236	2292	trsetup.exe	28

C:\Users\Admin\AppData\Local\Temp\trsetup.exe
"C:\Users\Admin\AppData\Local\Temp\trsetup.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Users\Admin\AppData\Local\Temp\is-B0EJT.tmp\is-BKQ8D.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-B0EJT.tmp\is-BKQ8D.tmp" /SL4 $5014E "C:\Users\Admin\AppData\Local\Temp\trsetup.exe" 4464060 52224
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-B0EJT.tmp\is-BKQ8D.tmp

Filesize
656KB

MD5
95e74ccfcd1a7803b1df11b71948d204

SHA1
948c116ec9775a02fe7c53dda228ef1687380daf

SHA256
d30e5d6bdfdf2da478cadbef5df57c8265a8ead77a6efcf123fa42cb4f561c4e

SHA512
4af261241ddb906fe494c3bfea271871ca6c1cba4ddf97345889e366f04478e75d1d919fa51258765008b74e812d448917e6309ed240e8c64f7a4708710170fe

Download Submit
\Users\Admin\AppData\Local\Temp\is-FDOD1.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/1236-9-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/1236-18-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2292-0-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2292-2-0x0000000000401000-0x000000000040A000-memory.dmp

Filesize
36KB

Download
memory/2292-17-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download