6ecd3088a0cb058bfd99749123965b8cd474bea00aa07e2f0adadb568e931311

Analysis

max time kernel
141s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
21/08/2024, 08:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Dianzicheng/setup.exe
Size

2.4MB
MD5

ad3b9004296be84eb4f187a8a43f286b
SHA1

378d8b8309dee67c7411d07506dd5f83a5fb4387
SHA256

8fc95f5bbb2cb9c7d9c09e2e64308baff4609954d6e4a8c2051941ac12e0e362
SHA512

83da23009756c3e8ee9df6c44f49de67086a7c3f1d2945a4019bbb22e08660b5528f33a39200ad88e9a2d86a6da107a9d1a0caca4497bdba86cb18b5310b3a39
SSDEEP

49152:HDA/zEHobBm/fyrhY7K52SFHw3fEEm6j2k3p72hu0kULdv8vYe:HAFqyrK7KXe3fLmM0kGdv8vYe

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2188	setup.tmp

Loads dropped DLL 3 IoCs

pid	Process
1972	setup.exe
2188	setup.tmp
2188	setup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2188	setup.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 2188	1972	setup.exe	30
PID 1972 wrote to memory of 2188	1972	setup.exe	30
PID 1972 wrote to memory of 2188	1972	setup.exe	30
PID 1972 wrote to memory of 2188	1972	setup.exe	30
PID 1972 wrote to memory of 2188	1972	setup.exe	30
PID 1972 wrote to memory of 2188	1972	setup.exe	30
PID 1972 wrote to memory of 2188	1972	setup.exe	30

C:\Users\Admin\AppData\Local\Temp\Dianzicheng\setup.exe
"C:\Users\Admin\AppData\Local\Temp\Dianzicheng\setup.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Users\Admin\AppData\Local\Temp\is-V7B6I.tmp\setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-V7B6I.tmp\setup.tmp" /SL5="$400F4,2281347,51712,C:\Users\Admin\AppData\Local\Temp\Dianzicheng\setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-0K86T.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-V7B6I.tmp\setup.tmp

Filesize
693KB

MD5
a9b9a90e26608c885f35801813bbcfd8

SHA1
52f489829434a998e22e4fc35cf2dc9e7cd00d21

SHA256
8c78f7161870053cef0ac4f73650a3d23cba84ba25625e65c43bf4617ce5416b

SHA512
462424797c11afb1e043de6452340c027dd418a8e7c27c9db63ac6475e99b3b5f7228ee2b118740acac5acdee502a09da0d8074b51b9bd6ab8fc1ee5d1e95dd1

Download Submit
memory/1972-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/1972-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1972-17-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2188-9-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download
memory/2188-19-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download