62bd169a33d75b7f682c786a8639cc867d4be43628def65757c31c1efd5c4905

Analysis

max time kernel
147s
max time network
155s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
20/08/2024, 11:38

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

13.8MB
MD5

c2e7bc36cece182777218c4ecf80221b
SHA1

efa9720f1f9958df679b20a855a0c1d462204fcc
SHA256

62bd169a33d75b7f682c786a8639cc867d4be43628def65757c31c1efd5c4905
SHA512

e83a89f7f9eba92deccbc772b43d99021d0715c7d29a8ad5f212ff289ca1d787bd3a1ba383b429ef49459363393d88b132bf722ec4514087059106fbe6db029f
SSDEEP

393216:+1ECk1gOQf/BvJ5+zrGPdBgNNmH+SS8XRzS9JJ4EybE03:zCk1GBhIzsnS5SS8XRzsJ1yA03

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
4076	Setup.tmp
3164	Setup.tmp
4836	file.exe
1112	StrCmp.exe

Loads dropped DLL 2 IoCs

pid	Process
4076	Setup.tmp
3164	Setup.tmp

Enumerates processes with tasklist 1 TTPs 6 IoCs

discovery

Process Discovery

T1057

pid	Process
3004	tasklist.exe
4908	tasklist.exe
2088	tasklist.exe
3036	tasklist.exe
1984	tasklist.exe
3184	tasklist.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4836 set thread context of 1964	4836	file.exe	115

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AddInProcess32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StrCmp.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	file.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	file.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ = "cBluetoothDaemon"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\ProxyStubClsid\ = "{00020420-0000-0000-C000-000000000046}"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ = "_cBluetoothDaemon"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib\Version = "2.1"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\TypeLib\ = "{F477A542-C370-42A1-A166-F9CDAF2AF8C6}"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\Forward	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\ = "cBluetoothDaemon"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\Forward	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\0\win32	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\HELPDIR	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\ = "BtDaemon.cBluetoothDaemon"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ = "cBluetoothDaemon"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib\ = "{F477A542-C370-42A1-A166-F9CDAF2AF8C6}"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib\Version = "2.1"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid32	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\0	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\HELPDIR\ = "C:\\temp"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid\ = "{00020420-0000-0000-C000-000000000046}"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\FLAGS\ = "0"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\0\win32\ = "C:\\temp\\StrCmp.exe"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ = "__cBluetoothDaemon"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\ = "cBluetoothDaemon"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\FLAGS	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\ProxyStubClsid32	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib\Version = "2.1"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\ProgID\ = "BtDaemon.cBluetoothDaemon"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib\Version = "2.1"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib\ = "{F477A542-C370-42A1-A166-F9CDAF2AF8C6}"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib\ = "{F477A542-C370-42A1-A166-F9CDAF2AF8C6}"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ = "__cBluetoothDaemon"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\ProxyStubClsid	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\ProxyStubClsid32	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\ = "BtDaemon"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid32	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\ProgID	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BtDaemon.cBluetoothDaemon\Clsid\ = "{4F7FA487-8CC1-493E-AF0A-E7A294474F25}"	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\Programmable	StrCmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib\ = "{F477A542-C370-42A1-A166-F9CDAF2AF8C6}"	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\LocalServer32	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\VERSION	StrCmp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BtDaemon.cBluetoothDaemon\Clsid	StrCmp.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3164	Setup.tmp
3164	Setup.tmp

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2088	tasklist.exe
Token: SeDebugPrivilege	3036	tasklist.exe
Token: SeDebugPrivilege	1984	tasklist.exe
Token: SeDebugPrivilege	3184	tasklist.exe
Token: SeDebugPrivilege	3004	tasklist.exe
Token: SeDebugPrivilege	4908	tasklist.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3164	Setup.tmp

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1112	StrCmp.exe

Suspicious use of WriteProcessMemory 62 IoCs

description	pid	Process	procid_target
PID 4052 wrote to memory of 4076	4052	Setup.exe	82
PID 4052 wrote to memory of 4076	4052	Setup.exe	82
PID 4052 wrote to memory of 4076	4052	Setup.exe	82
PID 4076 wrote to memory of 2608	4076	Setup.tmp	84
PID 4076 wrote to memory of 2608	4076	Setup.tmp	84
PID 4076 wrote to memory of 2608	4076	Setup.tmp	84
PID 2608 wrote to memory of 3164	2608	Setup.exe	85
PID 2608 wrote to memory of 3164	2608	Setup.exe	85
PID 2608 wrote to memory of 3164	2608	Setup.exe	85
PID 3164 wrote to memory of 3760	3164	Setup.tmp	86
PID 3164 wrote to memory of 3760	3164	Setup.tmp	86
PID 3760 wrote to memory of 2088	3760	cmd.exe	88
PID 3760 wrote to memory of 2088	3760	cmd.exe	88
PID 3760 wrote to memory of 4864	3760	cmd.exe	89
PID 3760 wrote to memory of 4864	3760	cmd.exe	89
PID 3164 wrote to memory of 2132	3164	Setup.tmp	91
PID 3164 wrote to memory of 2132	3164	Setup.tmp	91
PID 2132 wrote to memory of 3036	2132	cmd.exe	93
PID 2132 wrote to memory of 3036	2132	cmd.exe	93
PID 2132 wrote to memory of 356	2132	cmd.exe	94
PID 2132 wrote to memory of 356	2132	cmd.exe	94
PID 3164 wrote to memory of 3768	3164	Setup.tmp	95
PID 3164 wrote to memory of 3768	3164	Setup.tmp	95
PID 3768 wrote to memory of 1984	3768	cmd.exe	97
PID 3768 wrote to memory of 1984	3768	cmd.exe	97
PID 3768 wrote to memory of 5032	3768	cmd.exe	98
PID 3768 wrote to memory of 5032	3768	cmd.exe	98
PID 3164 wrote to memory of 3584	3164	Setup.tmp	99
PID 3164 wrote to memory of 3584	3164	Setup.tmp	99
PID 3584 wrote to memory of 3184	3584	cmd.exe	101
PID 3584 wrote to memory of 3184	3584	cmd.exe	101
PID 3584 wrote to memory of 2320	3584	cmd.exe	102
PID 3584 wrote to memory of 2320	3584	cmd.exe	102
PID 3164 wrote to memory of 1576	3164	Setup.tmp	103
PID 3164 wrote to memory of 1576	3164	Setup.tmp	103
PID 1576 wrote to memory of 3004	1576	cmd.exe	105
PID 1576 wrote to memory of 3004	1576	cmd.exe	105
PID 1576 wrote to memory of 2984	1576	cmd.exe	106
PID 1576 wrote to memory of 2984	1576	cmd.exe	106
PID 3164 wrote to memory of 4704	3164	Setup.tmp	107
PID 3164 wrote to memory of 4704	3164	Setup.tmp	107
PID 4704 wrote to memory of 4908	4704	cmd.exe	109
PID 4704 wrote to memory of 4908	4704	cmd.exe	109
PID 4704 wrote to memory of 4568	4704	cmd.exe	110
PID 4704 wrote to memory of 4568	4704	cmd.exe	110
PID 3164 wrote to memory of 4836	3164	Setup.tmp	111
PID 3164 wrote to memory of 4836	3164	Setup.tmp	111
PID 3164 wrote to memory of 4836	3164	Setup.tmp	111
PID 4836 wrote to memory of 1112	4836	file.exe	112
PID 4836 wrote to memory of 1112	4836	file.exe	112
PID 4836 wrote to memory of 1112	4836	file.exe	112
PID 4836 wrote to memory of 3788	4836	file.exe	113
PID 4836 wrote to memory of 3788	4836	file.exe	113
PID 4836 wrote to memory of 3788	4836	file.exe	113
PID 4836 wrote to memory of 704	4836	file.exe	114
PID 4836 wrote to memory of 704	4836	file.exe	114
PID 4836 wrote to memory of 704	4836	file.exe	114
PID 4836 wrote to memory of 1964	4836	file.exe	115
PID 4836 wrote to memory of 1964	4836	file.exe	115
PID 4836 wrote to memory of 1964	4836	file.exe	115
PID 4836 wrote to memory of 1964	4836	file.exe	115
PID 4836 wrote to memory of 1964	4836	file.exe	115

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4052
- C:\Users\Admin\AppData\Local\Temp\is-9H2D8.tmp\Setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-9H2D8.tmp\Setup.tmp" /SL5="$501E6,10143287,735744,C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4076
- - C:\Users\Admin\AppData\Local\Temp\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\Setup.exe" /VERYSILENT /NORESTART
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Users\Admin\AppData\Local\Temp\is-F728Q.tmp\Setup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-F728Q.tmp\Setup.tmp" /SL5="$601E6,10143287,735744,C:\Users\Admin\AppData\Local\Temp\Setup.exe" /VERYSILENT /NORESTART
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:3164
    - - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3760
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088
      - C:\Windows\system32\find.exe
        
        find /I "wrsa.exe"
        6⤵
        
        PID:4864
    - - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2132
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3036
      - C:\Windows\system32\find.exe
        
        find /I "opssvc.exe"
        6⤵
        
        PID:356
    - - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3768
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1984
      - C:\Windows\system32\find.exe
        
        find /I "avastui.exe"
        6⤵
        
        PID:5032
    - - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3584
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3184
      - C:\Windows\system32\find.exe
        
        find /I "avgui.exe"
        6⤵
        
        PID:2320
    - - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1576
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3004
      - C:\Windows\system32\find.exe
        
        find /I "nswscsvc.exe"
        6⤵
        
        PID:2984
    - - C:\Windows\system32\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4704
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4908
      - C:\Windows\system32\find.exe
        
        find /I "sophoshealth.exe"
        6⤵
        
        PID:4568
    - - C:\Users\Admin\AppData\Local\infusoriform\file.exe
        
        "C:\Users\Admin\AppData\Local\infusoriform\\file.exe" "C:\Users\Admin\AppData\Local\infusoriform\\OinkCrust.a3x"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Suspicious use of WriteProcessMemory
        
        PID:4836
      - C:\temp\StrCmp.exe
        
        "C:\temp\StrCmp.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1112
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        6⤵
        
        PID:3788
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        6⤵
        
        PID:704
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-9H2D8.tmp\Setup.tmp

Filesize
2.9MB

MD5
6503a172502e252a5f5f96bd2e8e6cd7

SHA1
10f85c242ffd8997c1e46e9b1afef3f04e5f73bb

SHA256
da584a9a7ff4100f97b3a07f323c49fad89512c251d5e505ba501fc1e131b3b0

SHA512
2e62f589f453c2bf252c00c6ba4b2c3e82a96c84d62db703bffe9e768da69ec67e2785cbaef6b577c7d22d7ec90d1dae36347a8d2eb3a3b1ac4bb83c001cc679

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IBTAH.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\infusoriform\OinkCrust.a3x

Filesize
494KB

MD5
089ba3f8c49e5c5656baa22951dadaa7

SHA1
15d24c50c7c41700b57673a85d82cf337a872648

SHA256
d1c39c1a5bb19f5ba4ef36cedbd3ad1c8cafc83e658230c0efd77b105510bbae

SHA512
0d4c8e374a44248fda567d7449fc8b76282e0c9341f7dc47c8887e6ea7cc085e54429079829b8cfb745aef53c1036772255774614ddeeec3baafa7600474e174

Download Submit
C:\Users\Admin\AppData\Local\infusoriform\file.exe

Filesize
921KB

MD5
3f58a517f1f4796225137e7659ad2adb

SHA1
e264ba0e9987b0ad0812e5dd4dd3075531cfe269

SHA256
1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48

SHA512
acf740aafce390d06c6a76c84e7ae7c0f721731973aadbe3e57f2eb63241a01303cc6bf11a3f9a88f8be0237998b5772bdaf569137d63ba3d0f877e7d27fc634

Download Submit
C:\temp\StrCmp.exe

Filesize
47KB

MD5
916d7425a559aaa77f640710a65f9182

SHA1
23d25052aef9ba71ddeef7cfa86ee43d5ba1ea13

SHA256
118de01fb498e81eab4ade980a621af43b52265a9fcbae5dedc492cdf8889f35

SHA512
d0c260a0347441b4e263da52feb43412df217c207eba594d59c10ee36e47e1a098b82ce633851c16096b22f4a4a6f8282bdd23d149e337439fe63a77ec7343bc

Download Submit
memory/1964-183-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1964-184-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2608-13-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2608-17-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2608-177-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3164-173-0x0000000000400000-0x00000000006F5000-memory.dmp

Filesize
3.0MB

Download
memory/4052-0-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4052-19-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4052-2-0x0000000000401000-0x00000000004A9000-memory.dmp

Filesize
672KB

Download
memory/4076-16-0x0000000000400000-0x00000000006F5000-memory.dmp

Filesize
3.0MB

Download
memory/4076-10-0x0000000000400000-0x00000000006F5000-memory.dmp

Filesize
3.0MB

Download