dde89429b7848f78895f03595567c9a17816f33d2bd0cab08f157f41da5b116a

Analysis

max time kernel
120s
max time network
124s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
25-07-2024 19:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

!~S͜͡etUp_F͜ile_Here٭✓/Setup.exe
Size

12.4MB
MD5

a1cd1cc2f2155222328051820f31886e
SHA1

3af0c38ae1370a80b748a2abc4bc37d2f42a843c
SHA256

af23c349efcf3595bffd59c6104cd6d1f2026b0a300d85fb2fe0e0248448bf5f
SHA512

50dc81857164ed57350dad239aa66d29f493fba25d324e54b5f69f384676e5e7e962fb95878a3e57c534609ae6065d6de0483a5874a32256e02f55b868fd81e6
SSDEEP

393216:vdtAFtHITkxEcrqN31gn/2CuuegmdBXpEXjGD6ApgMyx708OK:qHekxi8x

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1676	Setup.tmp
1076	Setup.tmp
2620	DuetUpdater.exe
2884	SendBugReportNew.exe

Loads dropped DLL 9 IoCs

pid	Process
2004	Setup.exe
1676	Setup.tmp
2152	Setup.exe
1076	Setup.tmp
1076	Setup.tmp
1076	Setup.tmp
2884	SendBugReportNew.exe
2884	SendBugReportNew.exe
2884	SendBugReportNew.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DuetUpdater.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SendBugReportNew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1076	Setup.tmp
1076	Setup.tmp
2884	SendBugReportNew.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1076	Setup.tmp

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 1676	2004	Setup.exe	29
PID 2004 wrote to memory of 1676	2004	Setup.exe	29
PID 2004 wrote to memory of 1676	2004	Setup.exe	29
PID 2004 wrote to memory of 1676	2004	Setup.exe	29
PID 2004 wrote to memory of 1676	2004	Setup.exe	29
PID 2004 wrote to memory of 1676	2004	Setup.exe	29
PID 2004 wrote to memory of 1676	2004	Setup.exe	29
PID 1676 wrote to memory of 2152	1676	Setup.tmp	31
PID 1676 wrote to memory of 2152	1676	Setup.tmp	31
PID 1676 wrote to memory of 2152	1676	Setup.tmp	31
PID 1676 wrote to memory of 2152	1676	Setup.tmp	31
PID 1676 wrote to memory of 2152	1676	Setup.tmp	31
PID 1676 wrote to memory of 2152	1676	Setup.tmp	31
PID 1676 wrote to memory of 2152	1676	Setup.tmp	31
PID 2152 wrote to memory of 1076	2152	Setup.exe	32
PID 2152 wrote to memory of 1076	2152	Setup.exe	32
PID 2152 wrote to memory of 1076	2152	Setup.exe	32
PID 2152 wrote to memory of 1076	2152	Setup.exe	32
PID 2152 wrote to memory of 1076	2152	Setup.exe	32
PID 2152 wrote to memory of 1076	2152	Setup.exe	32
PID 2152 wrote to memory of 1076	2152	Setup.exe	32
PID 1076 wrote to memory of 2620	1076	Setup.tmp	33
PID 1076 wrote to memory of 2620	1076	Setup.tmp	33
PID 1076 wrote to memory of 2620	1076	Setup.tmp	33
PID 1076 wrote to memory of 2620	1076	Setup.tmp	33
PID 1076 wrote to memory of 2620	1076	Setup.tmp	33
PID 1076 wrote to memory of 2620	1076	Setup.tmp	33
PID 1076 wrote to memory of 2620	1076	Setup.tmp	33
PID 1076 wrote to memory of 2884	1076	Setup.tmp	35
PID 1076 wrote to memory of 2884	1076	Setup.tmp	35
PID 1076 wrote to memory of 2884	1076	Setup.tmp	35
PID 1076 wrote to memory of 2884	1076	Setup.tmp	35
PID 1076 wrote to memory of 2884	1076	Setup.tmp	35
PID 1076 wrote to memory of 2884	1076	Setup.tmp	35
PID 1076 wrote to memory of 2884	1076	Setup.tmp	35

C:\Users\Admin\AppData\Local\Temp\!~S͜͡etUp_F͜ile_Here٭✓\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\!~S͜͡etUp_F͜ile_Here٭✓\Setup.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Users\Admin\AppData\Local\Temp\is-U55H8.tmp\Setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-U55H8.tmp\Setup.tmp" /SL5="$C0150,3659742,742912,C:\Users\Admin\AppData\Local\Temp\!~S͜͡etUp_F͜ile_Here٭✓\Setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1676
- - C:\Users\Admin\AppData\Local\Temp\!~S͜͡etUp_F͜ile_Here٭✓\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\!~S͜͡etUp_F͜ile_Here٭✓\Setup.exe" /VERYSILENT
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2152
  - - C:\Users\Admin\AppData\Local\Temp\is-LQE2P.tmp\Setup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-LQE2P.tmp\Setup.tmp" /SL5="$8014E,3659742,742912,C:\Users\Admin\AppData\Local\Temp\!~S͜͡etUp_F͜ile_Here٭✓\Setup.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:1076
    - - C:\Users\Admin\AppData\Local\Temp\is-KEIDF.tmp\DuetUpdater.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-KEIDF.tmp\DuetUpdater.exe" x -y -pAJGCrB&6s!FMASMm#Ud4 -o "C:\Users\Admin\AppData\Local\perigynous\\rtl120.rar" "C:\Users\Admin\AppData\Local\perigynous\"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2620
    - - C:\Users\Admin\AppData\Local\perigynous\SendBugReportNew.exe
        
        "C:\Users\Admin\AppData\Local\perigynous\SendBugReportNew.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\perigynous\SendBugReportNew.exe

Filesize
1.3MB

MD5
58717509c1521eacfcc7cda39e6bd45c

SHA1
5102dc3a82e8a2710ac67521f85f43f5296b5045

SHA256
d76d0650b630fdb70756a446e0a43672b5da1c2a74014118b02133923305da9a

SHA512
c637c2960b8a0bc111b408af05a0879d9a10f05d802ee7b8b9f115cb54606f76f4475375cecfa9fdb0518be0340b2c5bd23f8fe100dc21db88287a9227c0e69f

Download Submit
C:\Users\Admin\AppData\Local\perigynous\polyglot.dbf

Filesize
883KB

MD5
6551ff3b278dac45e90fcbc76883226e

SHA1
393eb15e20d6b09a7f0f1b0908927efe32becfd3

SHA256
0615784d64e6f2f08987525498cb38584219f5b435f5a18c15d780b160ab0faf

SHA512
b016839682a77df5048352e4c6d622031e11d7131aecf0e93ad89ca195308950280293095e13e989d3b660e831044e242df76d626c80e6485133c7931b945ec3

Download Submit
C:\Users\Admin\AppData\Local\perigynous\pow.yml

Filesize
29KB

MD5
675c1da8a1540bd45d27e6d0e3bdf21b

SHA1
cb15550d4dd8af4aa98f776a2849e0e3efc315be

SHA256
e84b0148f310c21530558a8fe9bb474fef8672363389ce0cb9aae0bec5a11e44

SHA512
73fc97cbb8e4cb2ac271dd391ddf37ab3aab9acc2580cde421c7aa2289beafc90cd2ea2810de52c87927bd2682e3ae089a15d9a8fb98616c85a44c96845b7f13

Download Submit
C:\Users\Admin\AppData\Local\perigynous\rtl120.rar

Filesize
2.3MB

MD5
5cd8f94e49e91221e5f49dafc5d24074

SHA1
099b6303c54e39575c9b289cb282a38639d7b060

SHA256
d97d6d3645e552342cce513cdfea1569866a4399c6f80c3f4c50e2f0eda782bf

SHA512
f53ea33dd866ed3ec58bf0597a86fc9442455ff845049ec65679d92eefb569e8a7263c3e2f27c3c274458cecf4ca871b2ec2cbf7bb1377cdcb7f455a0ba6c519

Download Submit
\Users\Admin\AppData\Local\Temp\is-FAQA0.tmp\_isetup\_iscrypt.dll

Filesize
12KB

MD5
47cfd05fde4babe79530c7ea730f6dc0

SHA1
2c055fa81f19d6f024f1f3d5b2dd0d5fde51d87e

SHA256
4bb34fe74f86ab389763863ee395a93d73e2d9548c224819ec9055d7c8c4b480

SHA512
ece4b4268e0d346e438f6f59fe333f7b6f95e3287791c517ef477935704ad2788e544a877b39abf542cd90a23966302d44cf03fb71e95c4f84ea11e634b3cbd0

Download Submit
\Users\Admin\AppData\Local\Temp\is-KEIDF.tmp\DuetUpdater.exe

Filesize
476KB

MD5
e84b92f608db288afcc12c5fe341b6c7

SHA1
0c2e73f24b90ff2e2bfef547defbe9ab75199e18

SHA256
f6c80d7c6ab6ba91cc24e12aa71c5290ca095e0842ae59a460ad71522039deb3

SHA512
f76b987138cdf83759a4cc792bfb49f302c950326afcaf104836b800e0a36082dc8639fc1cbc6472b952b538cdb6650f22b3839015db835b8e268e8a98b109db

Download Submit
\Users\Admin\AppData\Local\Temp\is-U55H8.tmp\Setup.tmp

Filesize
2.9MB

MD5
7c7c650efbdf3a68eb6ce55024e9154f

SHA1
c96b2b5b2b6527a90b321875baadf6865649bbb5

SHA256
ea85560fa2faab0caacd28cd5e190d245893e8e554f7328435fb97b45c96f9f3

SHA512
9e3db5f09a81be75e780abd0b4c61fd68d0358845e46153dcb0b3bc1bf18f121a604ddb28f3738cbd0cdc36ab966da37156cede767341f8834fb3ab29437140c

Download Submit
\Users\Admin\AppData\Local\perigynous\rtl120.bpl

Filesize
1.1MB

MD5
e71e48e31ac728a6de7c020645f0c32f

SHA1
7f86eadd1b7a0ab87b7ce7c2029bdef3d6fe1d8d

SHA256
40a1d1a2f276738f568700ddccac99cdcd35b973fc8be86ab826c0d1abc9d6ff

SHA512
5e41dbe7efac8a042a14c2f976d1afcd45e3f7531fb60daab61ac17ffd339d34e1c6746fce9e4b591b026598a89e38f36c6d24e33e2de0b39d81806259f9be2a

Download Submit
\Users\Admin\AppData\Local\perigynous\vcl120.bpl

Filesize
1.9MB

MD5
886d4c59a3ac3f77c874a355472311f0

SHA1
a12dc2f24eb3ce3a98e0cf87464a3c7a36cad28c

SHA256
dd889a799de2118b936dd5d21fc54d385ab947a53938fa588c22e0c6a659cf07

SHA512
dc8d125da9cd63d2818c63f1138f64f6201d9656ac75a5e7a3644314f4cb268d93bde6ab99bce37020bd46b1b1afd9d3727f5cb0fa2170cd83217dcf85a13ba0

Download Submit
\Users\Admin\AppData\Local\perigynous\vclx120.bpl

Filesize
223KB

MD5
8aaa3926885b3fa7ae0448f5e700cb79

SHA1
47bd7d281ddde5ebef8599482212743bf2f7e67b

SHA256
47396c301fbe78bfaf9e344936a0f7a4e6d174c096f847e160d822e48012162d

SHA512
86d395ca89ec2a988f035ecb32640ddac99247e2568673246388fe310e8c3a44807049e8f3482fae86c453d5e3529a8f2daf8614a1086b6d979e64fd917bbe3a

Download Submit
memory/1076-58-0x0000000000400000-0x00000000006F7000-memory.dmp

Filesize
3.0MB

Download
memory/1676-16-0x0000000000400000-0x00000000006F7000-memory.dmp

Filesize
3.0MB

Download
memory/1676-12-0x0000000000400000-0x00000000006F7000-memory.dmp

Filesize
3.0MB

Download
memory/2004-33-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2004-2-0x0000000000401000-0x00000000004A9000-memory.dmp

Filesize
672KB

Download
memory/2004-0-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2152-17-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2152-60-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/2884-68-0x00000000755D0000-0x000000007621A000-memory.dmp

Filesize
12.3MB

Download
memory/2884-69-0x00000000778D0000-0x0000000077A79000-memory.dmp

Filesize
1.7MB

Download
memory/2884-73-0x0000000050310000-0x0000000050349000-memory.dmp

Filesize
228KB

Download
memory/2884-72-0x0000000050120000-0x000000005030D000-memory.dmp

Filesize
1.9MB

Download
memory/2884-71-0x0000000050000000-0x0000000050116000-memory.dmp

Filesize
1.1MB

Download
memory/2884-70-0x0000000000400000-0x0000000000585000-memory.dmp

Filesize
1.5MB

Download