Analysis
- max time kernel: 148s
- max time network: 135s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-08-2024 23:45
Static task
- static1

Behavioral tasks (sample / resource)
- behavioral1: SETUP.exe / win7-20240704-en
- behavioral2: SETUP.exe / win10v2004-20240802-en
- behavioral3: _ISDEL.exe / win7-20240729-en
- behavioral4: _ISDEL.exe / win10v2004-20240802-en
- behavioral5: _setup.dll / win7-20240729-en
- behavioral6: _setup.dll / win10v2004-20240802-en

The analysis below is the win10v2004-20240802-en run of SETUP.exe (behavioral2).
General
- Target: SETUP.exe
- Size: 58KB
- MD5: 2e7bc5b75df9c7bc2a53a32964c2d899
- SHA1: 24d08d262007a254e0797a128e0399aa47b13e6c
- SHA256: 83441525fb5aebe10892cfbc931395e2bb1f68c8720e49bb58749cb95981f06d
- SHA512: 41bd7911b436fd907394ad3094a8162cbc9d9f3102daf58ef9dd628571956a49929638e0b4141c00f06d90c48711877ea2fc10736b789299b7a85e918db1db03
- SSDEEP: 768:d8s/igVfqfbqg6tNrpaE7bP+Fbsk4WoPygjhZB/qf0F4r:CgViDqgMdpa47+zv4hZB/qsFq
Malware Config
Signatures
All signatures below are generic behavioural heuristics. The file names involved (_INS5176._MP, _ISDEL.EXE, IsUninst.exe, _isenv31.ini, _delis32.ini) are the working files of a legacy InstallShield setup engine, so each hit should be read against that baseline before it is treated as evidence of malicious intent.

- Executes dropped EXE (1 IoC)
  PID 2244  _INS5176._MP
- Loads dropped DLL (5 IoCs)
  PID 2244  _INS5176._MP  (five loads, all by this one process)
- Drops file in Windows directory (5 IoCs)
  File opened for modification  C:\Windows\_iserr31.ini   setup.exe
  File created                  C:\Windows\_isenv31.ini   setup.exe
  File opened for modification  C:\Windows\_delis32.ini   setup.exe
  File opened for modification  C:\Windows\IsUninst.exe   _INS5176._MP
  File created                  C:\Windows\_INS33IS._MP   _ISDEL.EXE
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of the victim in order to infer the geographical location of that host. Reading this key is also what any localised installer does to pick a UI language, so on its own it is weak evidence.
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  setup.exe
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  _INS5176._MP
  Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  _ISDEL.EXE
- Suspicious use of FindShellTrayWindow (1 IoC)
  PID 2064  setup.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 2244  _INS5176._MP
- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 2064 (setup.exe) wrote to memory of PID 2244, procid_target 87  (recorded 3 times)
  PID 2064 (setup.exe) wrote to memory of PID 1792, procid_target 89  (recorded 3 times)
  Both write targets are the direct children that setup.exe spawns in the process tree below. Writes by a parent into a process it has just created are part of normal process start-up; the pattern to escalate on is a write into a process the writer did not create, and none is recorded here.
Processes
- [depth 1] C:\Windows\SysWOW64\InstallShield\setup.exe
  Command line (as recorded): "C:\Users\Admin\AppData\Local\Temp\SETUP.exe" -isw64"C:\Users\Admin\AppData\Local\Temp\SETUP.exe"
  PID: 2064
  Signatures: Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
  Note: the image that actually runs is Windows' own 32-bit replacement for legacy 16-bit InstallShield setup stubs (the NtVdm64 redirection on 64-bit Windows), invoked with the submitted SETUP.exe as its argument. The submitted file is therefore the installer package being driven, not the executing code.
  - [depth 2] C:\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\_INS5176._MP
    Command line: C:\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\_INS5176._MP
    PID: 2244
    Signatures: Executes dropped EXE; Loads dropped DLL; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
  - [depth 2] C:\Windows\SysWOW64\InstallShield\_ISDEL.EXE
    Command line: C:\Windows\SysWOW64\InstallShield\_ISDEL.EXE
    PID: 1792
    Signatures: Drops file in Windows directory; System Location Discovery: System Language Discovery
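The WriteProcessMemory and process-tree records above are the kind of data a practitioner correlates by hand when triaging a report like this. The script below is an added example, not part of the sandbox report: it takes the six write records, the three process-tree entries and the five Windows-directory drops transcribed from the sections above (embedded inline so it runs offline), deduplicates the repeated write records, rebuilds the parent/child map from the depth markers, and separates writes into own children (ordinary process start-up) from writes into unrelated processes (the injection pattern that would merit escalation). The record format it parses is an assumption about how this report extract is laid out, not a documented sandbox API.

```python
"""Correlate sandbox IoCs: WriteProcessMemory targets against the observed process tree.

All input below is transcribed from the report sections above and embedded
so the script runs offline. The line format parsed by WPM_RE is assumed
from this extract's layout, not taken from any documented schema.
"""
import re
from collections import defaultdict

# Transcribed from "Suspicious use of WriteProcessMemory" (6 IoCs, 2 distinct targets).
WPM_LINES = """
PID 2064 wrote to memory of 2244 2064 setup.exe 87
PID 2064 wrote to memory of 2244 2064 setup.exe 87
PID 2064 wrote to memory of 2244 2064 setup.exe 87
PID 2064 wrote to memory of 1792 2064 setup.exe 89
PID 2064 wrote to memory of 1792 2064 setup.exe 89
PID 2064 wrote to memory of 1792 2064 setup.exe 89
""".strip().splitlines()

# Transcribed from "Processes": (depth marker, pid, image path).
PROCESSES = [
    (1, 2064, r"C:\Windows\SysWOW64\InstallShield\setup.exe"),
    (2, 2244, r"C:\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\_INS5176._MP"),
    (2, 1792, r"C:\Windows\SysWOW64\InstallShield\_ISDEL.EXE"),
]

# Transcribed from "Drops file in Windows directory": (action, path, writing process).
DROP_LINES = [
    ("File opened for modification", r"C:\Windows\_iserr31.ini", "setup.exe"),
    ("File created", r"C:\Windows\_isenv31.ini", "setup.exe"),
    ("File opened for modification", r"C:\Windows\_delis32.ini", "setup.exe"),
    ("File opened for modification", r"C:\Windows\IsUninst.exe", "_INS5176._MP"),
    ("File created", r"C:\Windows\_INS33IS._MP", "_ISDEL.EXE"),
]

# "PID <src> wrote to memory of <dst> <src again> <image> <procid_target>"
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\d+)$")


def parse_wpm(lines):
    """Return the set of distinct (source_pid, target_pid, source_image) edges.

    The report repeats each write three times; deduplicating gives the number
    of distinct processes written to, which is the figure worth reporting.
    """
    edges = set()
    for line in lines:
        m = WPM_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed record: {line!r}")
        src, dst, image, _procid_target = m.groups()
        edges.add((int(src), int(dst), image))
    return edges


def build_tree(processes):
    """Rebuild pid -> parent pid from the depth markers (1, 2, ...) of the tree listing."""
    parent_of = {}
    stack = []  # ancestor pids, index = depth - 1
    for depth, pid, _path in processes:
        del stack[depth - 1:]            # pop back to this entry's parent level
        parent_of[pid] = stack[-1] if stack else None
        stack.append(pid)
    return parent_of


def classify_writes(edges, parent_of):
    """Split writes into (to own child) and (to a process the writer did not create)."""
    child_writes, foreign_writes = [], []
    for src, dst, image in sorted(edges):
        bucket = child_writes if parent_of.get(dst) == src else foreign_writes
        bucket.append((src, dst, image))
    return child_writes, foreign_writes


def windows_dir_drops(drops):
    """Group file writes under C:\\Windows by the process that performed them."""
    out = defaultdict(list)
    for action, path, proc in drops:
        if path.lower().startswith("c:\\windows\\"):
            out[proc].append((action, path))
    return dict(out)


if __name__ == "__main__":
    edges = parse_wpm(WPM_LINES)
    tree = build_tree(PROCESSES)
    own, foreign = classify_writes(edges, tree)
    print(f"{len(edges)} distinct write targets; {len(own)} to own children, {len(foreign)} foreign")
    for src, dst, image in foreign:
        print(f"  ESCALATE: {image} ({src}) wrote into unrelated PID {dst}")
    for proc, files in windows_dir_drops(DROP_LINES).items():
        print(f"{proc}: {len(files)} write(s) under C:\\Windows")
```

For this report the script finds two distinct targets, both children of PID 2064, and no foreign writes; the same code applied to a report where the target PID is absent from the writer's subtree would put that edge in the escalation list.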
Network
MITRE ATT&CK Enterprise v15
Downloads
Files collected during the run, listed by size and hash only; this extract gives no file names, so match them to the dropped files above by hash.

- Filesize: 52KB
  MD5: 805006328d0da72df964909bba8166ac
  SHA1: 79814934c81d044b1bbfdc44f689fc68038aaa26
  SHA256: 12ff2d1288a0684fe8162ba8a76662288b7e3be9e77725de93d05525a43a1986
  SHA512: 8fdb2a45442ef0a2f1cca6b50485391d744b061f58faf43391aaec60811abfd45922b5368ec68ec1dce125e3ac2f71f0bc0077def13622479c92983183dc6765
- Filesize: 155B
  MD5: fde401eb24841c923397d2bdc6c53d31
  SHA1: 05a4ed733bf085353c2a0c9a8fe1840649d3b0f1
  SHA256: eb807edfdc0b5e8ea563affb1e33c4a13970b43dc7e134ab4dae9905624ded63
  SHA512: 110c8b1b180aeef763d03f3ac0330243296f2182170ee3fc0da41566f39abd50dafef238f1344076617ac556d770639584260a634c8538b3582335e68151fa94
- Filesize: 581KB
  MD5: fc70a99b13f272737b003d0b6846a189
  SHA1: 513d2471b9960828b8890b637bc333e9b1d7187d
  SHA256: 82ca5fd2d52ddbef610dccb4641fab4e84f8e55d81f1d92ec34a41b54beb0664
  SHA512: d0366dd73a0056a4f53b35ce6784cb4735b51794a4acba9999c2c9cba83dd6c8aba3a19e39cb690f5e41045f139ac1f73c910addd1f539d0b62f9129ac30a9d0
- Filesize: 296KB
  MD5: c0dffad445b264da258f9794633d6455
  SHA1: 58b480dce3283c115eea4756c3864da968ff06a8
  SHA256: 9ad358395fe14631c451e67b9f03a213458b84c7a411ed8dcc0bd58d2fb9c58b
  SHA512: 8821a2e18559d1f6e4dd2de6288f48a456747ecc4ed71e5c49795a3da58cc021316c0b07d5a3a508e341c1921de7a1bb90fdb879bc4d55f16ffb0786540d700d
- Filesize: 126KB
  MD5: 4dbf53786ecdd42cde6a88115b36e0f6
  SHA1: dc2fda1c89d2b90f9e528e36f7e6965d946e2b1c
  SHA256: b6a5e5d3e991d5e5f6ede9eca927fde2e582b88d973e1974171f132abbdec6b5
  SHA512: 591cd570912b1a6d1f779ba495807b50adc9c1432e39554bcebab78d71a418d15d8e12c0203b1f84e02de51ad63a2d3e9cdb7c85ba9d124c6642d5e338d992b6
- Filesize: 45KB
  MD5: 847d78a673e9b8313c651d037180f3b4
  SHA1: e500d6bdd57e08295aa7594139db467dbd6045a3
  SHA256: 3ad102d309953433faef7357cab408c8e64995f8111f57a59b9f6e5b7e8d4a92
  SHA512: 11c42cfe422bbc8c9b1cb89d12f047404253125fdc30d726b2f8c3988865deb284fa31c821bab99b3a423180922ad0feb6126df4928e426a7d2271f0cea01b45
- Filesize: 268B
  MD5: 431536b7b894cbeaab41384492bf3b45
  SHA1: c265c4a3f434eb1ccabc8d08eaad5ab8ecfeab9e
  SHA256: c0b4fc8cff3a8e29b03c28eb7f81eec5442514d7dd4e8bafe9840c6cea985aa9
  SHA512: 714185664b08401aa1388f29d469480b3b19d8ac8b72e96bbc641016a0e464f70cea03b495750a7b1d53284905e19c73e15197587804041476be7c49e4c6ec01
- Filesize: 1KB
  MD5: b70e7f2859550fb44abe937754e53c0b
  SHA1: 1669f1866b704e0130628e9efcc5a27b56cc1908
  SHA256: 5b20924185800244968c7f39d5c7f8fcab576bde866648d00a90b05dab819083
  SHA512: b5df85a423f5ccfe454c88eee547ca34bb59b50c0e2940fedb6c50c9a68e1962862213916ba207ec076df1b5bc5ef8fad896c1d770e8cd3e2bb3d6317b15dc31
- Filesize: 521B
  MD5: b99921c1ce27e631044ad7ad03e27faa
  SHA1: 13fa80578e7a9f5ece1cfd7913eec6e3e5b12250
  SHA256: bd6efc8e0f5b775ae357f3b647d74b7ddbc5fb8fc827e659d77ac2ef9888f16f
  SHA512: 79ff7699ad240f4b62c5b336fb6ebb684e675b2d74cf541997f1d42716c1e05bcc35d92443c0641a6f0e60a26d3add03f6316390aacb22701b718f652e5472ab