Analysis

  • max time kernel
    148s
  • max time network
    135s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    16-08-2024 23:45

General

  • Target

    SETUP.exe

  • Size

    58KB

  • MD5

    2e7bc5b75df9c7bc2a53a32964c2d899

  • SHA1

    24d08d262007a254e0797a128e0399aa47b13e6c

  • SHA256

    83441525fb5aebe10892cfbc931395e2bb1f68c8720e49bb58749cb95981f06d

  • SHA512

    41bd7911b436fd907394ad3094a8162cbc9d9f3102daf58ef9dd628571956a49929638e0b4141c00f06d90c48711877ea2fc10736b789299b7a85e918db1db03

  • SSDEEP

    768:d8s/igVfqfbqg6tNrpaE7bP+Fbsk4WoPygjhZB/qf0F4r:CgViDqgMdpa47+zv4hZB/qsFq

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\SysWOW64\InstallShield\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\SETUP.exe" -isw64"C:\Users\Admin\AppData\Local\Temp\SETUP.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2064
    • C:\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\_INS5176._MP
      C:\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\_INS5176._MP
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2244
    • C:\Windows\SysWOW64\InstallShield\_ISDEL.EXE
      C:\Windows\SysWOW64\InstallShield\_ISDEL.EXE
      2⤵
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:1792

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\ZDATAI51.DLL

    Filesize

    52KB

  • C:\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\_INS0432.INI

    Filesize

    155B

  • C:\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\_INS5176._MP

    Filesize

    581KB

  • C:\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\_ISTMP0.DIR\IsUninst.Exe

    Filesize

    296KB

  • C:\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\_ISTMP0.DIR\e57cc78.DLL

    Filesize

    126KB

  • C:\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\_WUTL951.DLL

    Filesize

    45KB

  • C:\Windows\_delis32.ini

    Filesize

    268B

  • C:\Windows\_isenv31.ini

    Filesize

    1KB

  • C:\Windows\_iserr31.ini

    Filesize

    521B

  • memory/2244-54-0x00000000021A0000-0x00000000021B1000-memory.dmp

    Filesize

    68KB