4bff5e7539e9e15abff17dde6e4bc82ed70407673c2e68abd83761b9e6dd68ca

Analysis

max time kernel
148s
max time network
18s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
16/08/2024, 23:45

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

SETUP.exe
Size

58KB
MD5

2e7bc5b75df9c7bc2a53a32964c2d899
SHA1

24d08d262007a254e0797a128e0399aa47b13e6c
SHA256

83441525fb5aebe10892cfbc931395e2bb1f68c8720e49bb58749cb95981f06d
SHA512

41bd7911b436fd907394ad3094a8162cbc9d9f3102daf58ef9dd628571956a49929638e0b4141c00f06d90c48711877ea2fc10736b789299b7a85e918db1db03
SSDEEP

768:d8s/igVfqfbqg6tNrpaE7bP+Fbsk4WoPygjhZB/qf0F4r:CgViDqgMdpa47+zv4hZB/qsFq

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2828	_INS5176._MP

Loads dropped DLL 7 IoCs

pid	Process
2296	setup.exe
2296	setup.exe
2828	_INS5176._MP
2828	_INS5176._MP
2828	_INS5176._MP
2828	_INS5176._MP
2828	_INS5176._MP

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\_delis32.ini	setup.exe
File opened for modification	C:\Windows\IsUninst.exe	_INS5176._MP
File created	C:\Windows\_INS33IS._MP	_ISDEL.EXE
File opened for modification	C:\Windows\_iserr31.ini	setup.exe
File created	C:\Windows\_isenv31.ini	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	_ISDEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	_INS5176._MP

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2296	setup.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 2828	2296	setup.exe	30
PID 2296 wrote to memory of 2828	2296	setup.exe	30
PID 2296 wrote to memory of 2828	2296	setup.exe	30
PID 2296 wrote to memory of 2828	2296	setup.exe	30
PID 2296 wrote to memory of 2828	2296	setup.exe	30
PID 2296 wrote to memory of 2828	2296	setup.exe	30
PID 2296 wrote to memory of 2828	2296	setup.exe	30
PID 2296 wrote to memory of 2844	2296	setup.exe	31
PID 2296 wrote to memory of 2844	2296	setup.exe	31
PID 2296 wrote to memory of 2844	2296	setup.exe	31
PID 2296 wrote to memory of 2844	2296	setup.exe	31
PID 2296 wrote to memory of 2844	2296	setup.exe	31
PID 2296 wrote to memory of 2844	2296	setup.exe	31
PID 2296 wrote to memory of 2844	2296	setup.exe	31

C:\Windows\SysWOW64\InstallShield\setup.exe
"C:\Users\Admin\AppData\Local\Temp\SETUP.exe" -isw64"C:\Users\Admin\AppData\Local\Temp\SETUP.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\_INS5176._MP
  C:\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\_INS5176._MP
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2828
- C:\Windows\SysWOW64\InstallShield\_ISDEL.EXE
  C:\Windows\SysWOW64\InstallShield\_ISDEL.EXE
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\_INS0432.INI

Filesize
155B

MD5
fde401eb24841c923397d2bdc6c53d31

SHA1
05a4ed733bf085353c2a0c9a8fe1840649d3b0f1

SHA256
eb807edfdc0b5e8ea563affb1e33c4a13970b43dc7e134ab4dae9905624ded63

SHA512
110c8b1b180aeef763d03f3ac0330243296f2182170ee3fc0da41566f39abd50dafef238f1344076617ac556d770639584260a634c8538b3582335e68151fa94

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\_ISTMP0.DIR\f77a6da.DLL

Filesize
126KB

MD5
4dbf53786ecdd42cde6a88115b36e0f6

SHA1
dc2fda1c89d2b90f9e528e36f7e6965d946e2b1c

SHA256
b6a5e5d3e991d5e5f6ede9eca927fde2e582b88d973e1974171f132abbdec6b5

SHA512
591cd570912b1a6d1f779ba495807b50adc9c1432e39554bcebab78d71a418d15d8e12c0203b1f84e02de51ad63a2d3e9cdb7c85ba9d124c6642d5e338d992b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\_WUTL951.DLL

Filesize
45KB

MD5
847d78a673e9b8313c651d037180f3b4

SHA1
e500d6bdd57e08295aa7594139db467dbd6045a3

SHA256
3ad102d309953433faef7357cab408c8e64995f8111f57a59b9f6e5b7e8d4a92

SHA512
11c42cfe422bbc8c9b1cb89d12f047404253125fdc30d726b2f8c3988865deb284fa31c821bab99b3a423180922ad0feb6126df4928e426a7d2271f0cea01b45

Download Submit
C:\Windows\_delis32.ini

Filesize
268B

MD5
431536b7b894cbeaab41384492bf3b45

SHA1
c265c4a3f434eb1ccabc8d08eaad5ab8ecfeab9e

SHA256
c0b4fc8cff3a8e29b03c28eb7f81eec5442514d7dd4e8bafe9840c6cea985aa9

SHA512
714185664b08401aa1388f29d469480b3b19d8ac8b72e96bbc641016a0e464f70cea03b495750a7b1d53284905e19c73e15197587804041476be7c49e4c6ec01

Download Submit
C:\Windows\_isenv31.ini

Filesize
1KB

MD5
45021e657b6946db050c14e7be03ed10

SHA1
3c3a26d0031ee9b4f30266dc7337fe3fe85eebe4

SHA256
c3254b1f479f0384ac80203a43f98ef71e7bc41d1412ab77981550fa42e1ee7c

SHA512
d5cf3e1fc86650a53e9f500ac0c1df4bc0801bc139a80cca264f75666fc19baa267f2522419088232f9d4d3c0a6fdb2b10bc40a13462492b012ad373e719a4d4

Download Submit
C:\Windows\_iserr31.ini

Filesize
521B

MD5
b99921c1ce27e631044ad7ad03e27faa

SHA1
13fa80578e7a9f5ece1cfd7913eec6e3e5b12250

SHA256
bd6efc8e0f5b775ae357f3b647d74b7ddbc5fb8fc827e659d77ac2ef9888f16f

SHA512
79ff7699ad240f4b62c5b336fb6ebb684e675b2d74cf541997f1d42716c1e05bcc35d92443c0641a6f0e60a26d3add03f6316390aacb22701b718f652e5472ab

Download Submit
\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\ZDataI51.dll

Filesize
52KB

MD5
805006328d0da72df964909bba8166ac

SHA1
79814934c81d044b1bbfdc44f689fc68038aaa26

SHA256
12ff2d1288a0684fe8162ba8a76662288b7e3be9e77725de93d05525a43a1986

SHA512
8fdb2a45442ef0a2f1cca6b50485391d744b061f58faf43391aaec60811abfd45922b5368ec68ec1dce125e3ac2f71f0bc0077def13622479c92983183dc6765

Download Submit
\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\_INS5176._MP

Filesize
581KB

MD5
fc70a99b13f272737b003d0b6846a189

SHA1
513d2471b9960828b8890b637bc333e9b1d7187d

SHA256
82ca5fd2d52ddbef610dccb4641fab4e84f8e55d81f1d92ec34a41b54beb0664

SHA512
d0366dd73a0056a4f53b35ce6784cb4735b51794a4acba9999c2c9cba83dd6c8aba3a19e39cb690f5e41045f139ac1f73c910addd1f539d0b62f9129ac30a9d0

Download Submit
\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\_ISTMP0.DIR\IsUninst.Exe

Filesize
296KB

MD5
c0dffad445b264da258f9794633d6455

SHA1
58b480dce3283c115eea4756c3864da968ff06a8

SHA256
9ad358395fe14631c451e67b9f03a213458b84c7a411ed8dcc0bd58d2fb9c58b

SHA512
8821a2e18559d1f6e4dd2de6288f48a456747ecc4ed71e5c49795a3da58cc021316c0b07d5a3a508e341c1921de7a1bb90fdb879bc4d55f16ffb0786540d700d

Download Submit
memory/2828-58-0x00000000002A0000-0x00000000002B1000-memory.dmp

Filesize
68KB

Download