e3880c7db78e09748fe9caf02f330b1c61cd3aaaa31ffe93fb5ba1fb1035f761

General

Target

Setup.exe
Size

1.9MB
MD5

9b785d95bf9b3bc03a49c01a93072dc3
SHA1

79b38c4be5ac888e38ec5f21ac3710f3d0936a72
SHA256

e3880c7db78e09748fe9caf02f330b1c61cd3aaaa31ffe93fb5ba1fb1035f761
SHA512

1a2ab5256845232867d2bb36936983683cd05b1e0d4012c2117dc19e1e7115557fe62ae09f3b8f10e3d99520d0eaeb1bcf941614ee5df4fe5f5c2288b963d80a
SSDEEP

49152:XwREDDMTRXaarbQdHeMxWrP+beY7UY71n:XwREQq6bQdMwZg0

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3568	Setup.tmp
4292	GlobalProtect.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000\Software\Microsoft\Windows\CurrentVersion\Run\GlobalProtect = "C:\\Users\\Admin\\AppData\\Local\\Programs\\PaloAlto\\GlobalProtect.exe"	Setup.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.tmp

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
3568	Setup.tmp
3568	Setup.tmp
4292	GlobalProtect.exe
4292	GlobalProtect.exe
4292	GlobalProtect.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4292	GlobalProtect.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3568	Setup.tmp
4292	GlobalProtect.exe
4292	GlobalProtect.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
4292	GlobalProtect.exe
4292	GlobalProtect.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 992 wrote to memory of 3568	992	Setup.exe	82
PID 992 wrote to memory of 3568	992	Setup.exe	82
PID 992 wrote to memory of 3568	992	Setup.exe	82
PID 3568 wrote to memory of 4292	3568	Setup.tmp	88
PID 3568 wrote to memory of 4292	3568	Setup.tmp	88

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:992
- C:\Users\Admin\AppData\Local\Temp\is-F653F.tmp\Setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-F653F.tmp\Setup.tmp" /SL5="$60102,1063232,845824,C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3568
- - C:\Users\Admin\AppData\Local\Programs\PaloAlto\GlobalProtect.exe
    "C:\Users\Admin\AppData\Local\Programs\PaloAlto\GlobalProtect.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Programs\PaloAlto\GlobalProtect.exe

Filesize
387KB

MD5
68c16b6f178c88c12c9555169887c321

SHA1
72cdd3856a3ffd530db50e0f48e71f089858e44f

SHA256
a23adcce96b743d1ecc5a0410fdb6326ae7fff2e78917f51cc70497320dbe750

SHA512
1bc49ec6711bf893f9602ed820b3bd4c46ad281108e5c2002d07de3d862e0d8b23e8f804da8bc99880b8af1ff3cc110708107a96bfb3aa97ba9545c2e2b6608c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-F653F.tmp\Setup.tmp

Filesize
3.2MB

MD5
1a46e087f8381972af531763f9b8d5c2

SHA1
c0915f8967ef1c98efd5f1702e681ead72f7d3b8

SHA256
4e05ba8ebd5e69e23dea600d279e898d343a25041f27b3cbc22458f497be0d03

SHA512
9cc8286882324e141ca4f56ca80ad4c7020a861772130fd25be0a9645e926a01bbd802d10a6917ddeeb4191d46d8ffa2b12fb5e3143a8f58600f75f24c4980ce

Download Submit
memory/992-2-0x00000000001B1000-0x0000000000259000-memory.dmp

Filesize
672KB

Download
memory/992-0-0x00000000001B0000-0x000000000028C000-memory.dmp

Filesize
880KB

Download
memory/992-8-0x00000000001B0000-0x000000000028C000-memory.dmp

Filesize
880KB

Download
memory/992-24-0x00000000001B0000-0x000000000028C000-memory.dmp

Filesize
880KB

Download
memory/3568-22-0x00000000005F0000-0x0000000000933000-memory.dmp

Filesize
3.3MB

Download
memory/3568-9-0x00000000005F0000-0x0000000000933000-memory.dmp

Filesize
3.3MB

Download
memory/3568-10-0x0000000000F30000-0x0000000000F31000-memory.dmp

Filesize
4KB

Download
memory/3568-6-0x0000000000F30000-0x0000000000F31000-memory.dmp

Filesize
4KB

Download
memory/4292-18-0x00007FFFB73B3000-0x00007FFFB73B5000-memory.dmp

Filesize
8KB

Download
memory/4292-19-0x0000017216E60000-0x0000017216EC6000-memory.dmp

Filesize
408KB

Download
memory/4292-20-0x00007FFFB73B0000-0x00007FFFB7E72000-memory.dmp

Filesize
10.8MB

Download
memory/4292-25-0x00007FFFB73B3000-0x00007FFFB73B5000-memory.dmp

Filesize
8KB

Download
memory/4292-26-0x00007FFFB73B0000-0x00007FFFB7E72000-memory.dmp

Filesize
10.8MB

Download
memory/4292-31-0x0000017236D20000-0x0000017237248000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads