Overview
Task scores (the number shown before each entry in the report's overview tabs):
- Static: 8
- setup.exe on windows10-2004-x64: 3
- setup.exe on windows11-21h2-x64: 8
- $PLUGINSDI...ec.dll on windows10-2004-x64: 8
- $PLUGINSDI...ec.dll on windows11-21h2-x64: 3
- $PLUGINSDI...ss.dll on windows10-2004-x64: 3
- $PLUGINSDI...ss.dll on windows11-21h2-x64: 3
- SystemFile64.exe on windows10-2004-x64: 3
- SystemFile64.exe on windows11-21h2-x64: 3
Analysis
- max time kernel: 113s
- max time network: 107s
- platform: windows11-21h2_x64
- resource: win11-20240802-en
- resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 06-09-2024 18:46
Tasks
- static1: Static task
- behavioral1: setup.exe on win10v2004-20240802-en
- behavioral2: setup.exe on win11-20240802-en
- behavioral3: $PLUGINSDIR/nsExec.dll on win10v2004-20240802-en
- behavioral4: $PLUGINSDIR/nsExec.dll on win11-20240802-en
- behavioral5: $PLUGINSDIR/nsProcess.dll on win10v2004-20240802-en
- behavioral6: $PLUGINSDIR/nsProcess.dll on win11-20240802-en
- behavioral7: SystemFile64.exe on win10v2004-20240802-en
- behavioral8: SystemFile64.exe on win11-20240802-en
General
- Target: setup.exe
- Size: 2.5MB
- MD5: e2606134f5ebabcc69ecd0ec2d8df29d
- SHA1: e7cfc2194d9ed72264a0949734c9167a97fa200d
- SHA256: 775fa9dd265c0f37e11ac0f524516d566e1c7998552ab3a463ae7dabae988ece
- SHA512: f3d5ba18d5a55b2491ee946a43a07c350a4b14d4a5f236638734d1954679eab97cc2bc82cff626043853abc7fc93164ef3b23fc0d78b5dbd707b47400b4924e7
- SSDEEP: 49152:yEdED2TlnfPnFNzBjCwOkkgKJEvwvKqeJF34ffLCfJZCJieQCQeQ6Nt28ojK:yHEnfPtpOEIvqqLqCyCQer728P
Malware Config
Signatures
- Creates new service(s) (2 TTPs)
- Executes dropped EXE (1 IoC)
  - PID 1100 SystemFile64.exe
- Loads dropped DLL (13 IoCs)
  - PID 2352 setup.exe (13 loads recorded)
- Drops file in Windows directory (5 IoCs)
  - File created: C:\Windows\SystemFile64.exe, by setup.exe
  - File created: C:\Windows\7zip.exe, by SystemFile64.exe
  - File opened for modification: C:\Windows\parameters.ini, by SystemFile64.exe
  - File created: C:\Windows\parameters.ini, by setup.exe
  - File created: C:\Windows\relent-list.txt, by setup.exe
- Launches sc.exe (4 IoCs)
  Sc.exe is a Windows utility to control services on the system.
  - PID 72 sc.exe
  - PID 4252 sc.exe
  - PID 620 sc.exe
  - PID 700 sc.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 16 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by the following processes:
  - cmd.exe (6 times)
  - sc.exe (4 times)
  - net.exe (2 times)
  - net1.exe (2 times)
  - setup.exe (1 time)
  - SystemFile64.exe (1 time)
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  - PID 2352 setup.exe (4 times)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  - Token: SeDebugPrivilege, PID 1100 SystemFile64.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  - PID 1100 SystemFile64.exe
- Suspicious use of WriteProcessMemory (42 IoCs; each write below is recorded three times)
  - PID 2352 setup.exe wrote to memory of 428 (procid_target 78)
  - PID 428 cmd.exe wrote to memory of 5012 (procid_target 80)
  - PID 5012 net.exe wrote to memory of 2792 (procid_target 81)
  - PID 2352 setup.exe wrote to memory of 840 (procid_target 82)
  - PID 840 cmd.exe wrote to memory of 72 (procid_target 84)
  - PID 2352 setup.exe wrote to memory of 4168 (procid_target 85)
  - PID 4168 cmd.exe wrote to memory of 4252 (procid_target 87)
  - PID 2352 setup.exe wrote to memory of 4436 (procid_target 88)
  - PID 4436 cmd.exe wrote to memory of 620 (procid_target 90)
  - PID 2352 setup.exe wrote to memory of 1160 (procid_target 91)
  - PID 1160 cmd.exe wrote to memory of 700 (procid_target 93)
  - PID 2352 setup.exe wrote to memory of 1584 (procid_target 94)
  - PID 1584 cmd.exe wrote to memory of 2980 (procid_target 96)
  - PID 2980 net.exe wrote to memory of 2020 (procid_target 97)
Processes
- [PID 2352] setup.exe
  Image: C:\Users\Admin\AppData\Local\Temp\setup.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  Signatures: Loads dropped DLL; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  Children:
  - [PID 428] cmd.exe
    Image: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /C net stop SystemFile64
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    Children:
    - [PID 5012] net.exe
      Image: C:\Windows\SysWOW64\net.exe
      Command line: net stop SystemFile64
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      Children:
      - [PID 2792] net1.exe
        Image: C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop SystemFile64
        Signatures: System Location Discovery: System Language Discovery
  - [PID 840] cmd.exe
    Image: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /C Sc delete SystemFile64
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    Children:
    - [PID 72] sc.exe
      Image: C:\Windows\SysWOW64\sc.exe
      Command line: Sc delete SystemFile64
      Signatures: Launches sc.exe; System Location Discovery: System Language Discovery
  - [PID 4168] cmd.exe
    Image: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /C Sc create SystemFile64 binpath= C:\Windows\SystemFile64.exe start= auto DisplayName= SystemFile64
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    Children:
    - [PID 4252] sc.exe
      Image: C:\Windows\SysWOW64\sc.exe
      Command line: Sc create SystemFile64 binpath= C:\Windows\SystemFile64.exe start= auto DisplayName= SystemFile64
      Signatures: Launches sc.exe; System Location Discovery: System Language Discovery
  - [PID 4436] cmd.exe
    Image: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /C sc description SystemFile64 SystemFileService
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    Children:
    - [PID 620] sc.exe
      Image: C:\Windows\SysWOW64\sc.exe
      Command line: sc description SystemFile64 SystemFileService
      Signatures: Launches sc.exe; System Location Discovery: System Language Discovery
  - [PID 1160] cmd.exe
    Image: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /C sc failure SystemFile64 reset= 3600 actions= restart/60000/restart/60000/restart/60000
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    Children:
    - [PID 700] sc.exe
      Image: C:\Windows\SysWOW64\sc.exe
      Command line: sc failure SystemFile64 reset= 3600 actions= restart/60000/restart/60000/restart/60000
      Signatures: Launches sc.exe; System Location Discovery: System Language Discovery
  - [PID 1584] cmd.exe
    Image: C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /C net start SystemFile64
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    Children:
    - [PID 2980] net.exe
      Image: C:\Windows\SysWOW64\net.exe
      Command line: net start SystemFile64
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      Children:
      - [PID 2020] net1.exe
        Image: C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 start SystemFile64
        Signatures: System Location Discovery: System Language Discovery
- [PID 1100] SystemFile64.exe
  Image: C:\Windows\SystemFile64.exe
  Command line: C:\Windows\SystemFile64.exe
  Signatures: Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
MITRE ATT&CK Enterprise v15
Downloads