4274ee16685c535e6c206e9b690411d5bfabe9096e3ea4d944a09cbb4708f8dc

Analysis

max time kernel
148s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2024, 13:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

FX20GM/SETUP.exe
Size

72KB
MD5

74cd5fe7f16daa6ea627f1da5f5ed0b3
SHA1

9c10146e35b2040f081ca88c605c2ecc3e834594
SHA256

a8309b05664a90c9eec6bb0e5e6556a9ed5ade11ef6c67917258738337e7c05c
SHA512

68971be12abeed3a3dcb1131f8836897584b769d0dd8d3c45a77d6c40b4d25311407fdb3efe5f6bb4c723f5ab9cae5ad6c4b5a05f57b5bc4e25c73bab5519a35
SSDEEP

1536:6X/42dX49uSxNy5fuAOKzxiTQCF+oIjVhhPoSeFB:6X/4eI9RNZAOKCQp5hhPo9F

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
944	_INS5576._MP

Loads dropped DLL 5 IoCs

pid	Process
944	_INS5576._MP
944	_INS5576._MP
944	_INS5576._MP
944	_INS5576._MP
944	_INS5576._MP

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\_iserr31.ini	SETUP.exe
File created	C:\Windows\_isenv31.ini	SETUP.exe
File opened for modification	C:\Windows\_delis32.ini	SETUP.exe
File opened for modification	C:\Windows\IsUninst.exe	_INS5576._MP
File created	C:\Windows\_INS33IS._MP	_ISDEL.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SETUP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	_INS5576._MP
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	_ISDEL.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3848	SETUP.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
944	_INS5576._MP

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3848 wrote to memory of 944	3848	SETUP.exe	85
PID 3848 wrote to memory of 944	3848	SETUP.exe	85
PID 3848 wrote to memory of 944	3848	SETUP.exe	85
PID 3848 wrote to memory of 1652	3848	SETUP.exe	87
PID 3848 wrote to memory of 1652	3848	SETUP.exe	87
PID 3848 wrote to memory of 1652	3848	SETUP.exe	87

C:\Users\Admin\AppData\Local\Temp\FX20GM\SETUP.exe
"C:\Users\Admin\AppData\Local\Temp\FX20GM\SETUP.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3848
- C:\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\_INS5576._MP
  C:\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\_INS5576._MP
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:944
- C:\Users\Admin\AppData\Local\Temp\FX20GM\_ISDEL.EXE
  C:\Users\Admin\AppData\Local\Temp\FX20GM\_ISDEL.EXE
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:1652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\ZDATAI51.DLL

Filesize
52KB

MD5
2a9a390018a50f1af0df0b7118696f6e

SHA1
f9a4cf357e49cf1f032ca4f8d46def52c6935e33

SHA256
1d9321dd5e1790dff91cbd475a023760f3b6b6b26e849b70b171b841070378f2

SHA512
813be48cf11a14b618fbfa358794b1e6cef727f305470f27c82bbfccc0921ef2141d740a71c47890db1e705f10bc3d0c67e3d9f651710fdd88f19b9e7e30bc38

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\_INS0432.INI

Filesize
168B

MD5
9ec3e24d4a2e4fa076b9c83d8a91d3bb

SHA1
6e5c673dfaa91f693bd56f6e230e73d16ea4434f

SHA256
0d7cd4106224f9e1dd51143ac617bdb76b49feb64316c4abd363fcfbfa0ef059

SHA512
f8a71c62e38326c04731f5468c857200fac726b5b2dfe2a5ac0859dc834f32aea8ab610455913e2cfbefaead88aa1cd4ea4efebe26651a543f5b415af5d4fc95

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\_INS5576._MP

Filesize
544KB

MD5
d28cb295e2395b3593293470e7784512

SHA1
8a734689b76929beaeb6110c45c41948d4d4c12f

SHA256
a8657371f03e2e66db951c3dcd3aeb42c576894908ca2eb1b3806aa0404cb083

SHA512
c526b986e47a8cb2f9cb6fd0bf1f48d9fbbcbfaa6dcee0bce6670095df586b179eef0fa6fc7ee56995d3f100df5ed359eff6858d646b68268bd9d3c68dd816f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\_ISTMP0.DIR\IsUninst.exe

Filesize
299KB

MD5
515e4684008e955de0c81e6a7aea1c2a

SHA1
ebe026f9c551f372ad82186ff6b9c2ca26dd684c

SHA256
6d631e94acce1f2808a6b1125a6617d1b0ba7e50d93c1d656aa2620bcd0bb965

SHA512
c889a733c61687aa9be0b67cc2e4ecf2a500386054dffa072780a4f46b29373e0dad79c35f375fdeb6572dbc11b24436b88cee3ba431a37965cf0e884ab636b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\_ISTMP0.DIR\e57aab7.DLL

Filesize
126KB

MD5
18556ed6ea953c31f1c4953d2f210c78

SHA1
7ec5618bae6bbfb45a02c933de7bce8d0fdeb22c

SHA256
f8fa0c3350ed8675c95a9532a0ee057bd0d1c0e79d90bf5e91f75b3f7f25d969

SHA512
0523df4e8062f8dca1a3096f17eaf359c4cd84a00aaadf734e0431a07ded2fa7fe6549bb5a387d839cffe60a9705c3e4f376679006d3eea4e95dcac21766e79f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ISTMP1.DIR\_WUTL951.DLL

Filesize
45KB

MD5
9567a2dac1b8efbd7b0c6dce2a2251c3

SHA1
db72683ff3a3000771394d5eed7e2de922dcadbf

SHA256
67d309a88d68c449c2d0a76c0f2d2c9b2b764a469a6daea67df0279dd49c9296

SHA512
51806383e05cbc67754fc746c16ddf8364610bb22260b8638f586b02dbeb0813cee6acc9962b2b928205d445a82f2cc2022b6d1162f8da644ac902c0f3a327a9

Download Submit
C:\Windows\_delis32.ini

Filesize
268B

MD5
88c6ea9ed6cd04c7cae5d96a623d1973

SHA1
50e875bc6a3ce09b8e2e31a738747bcbb26d78b2

SHA256
290b98b00f660ca6317dc2b64ec399b15373a9b7a0574c45b7b4b5888a0b257d

SHA512
dce8c79b04d4319f9b43cd585877c382b0d5b1778ee1e85614e78a87366526167c658512c245ad1ebf96d465f4cb33f2c959fbc8189ccff53d888cd154e500b8

Download Submit
C:\Windows\_isenv31.ini

Filesize
1KB

MD5
9ca613e9757be047ff58f6153fcc9a53

SHA1
60a7534180aec8139b40e2b04b0a7fbc8e6586d4

SHA256
1a9996753e9c973c8f05c7a4ca0fd34eb90506aa008db8ef4ac6b59b134910b1

SHA512
ed8aeb7b382d31a2865196ae43b5abeca70e9d76ca2d5d8ff54a0949f98256844933c7ac8372bda59d0b295c8a0cee08f8239b50e537ff38359e27c72abaca24

Download Submit
C:\Windows\_iserr31.ini

Filesize
521B

MD5
b99921c1ce27e631044ad7ad03e27faa

SHA1
13fa80578e7a9f5ece1cfd7913eec6e3e5b12250

SHA256
bd6efc8e0f5b775ae357f3b647d74b7ddbc5fb8fc827e659d77ac2ef9888f16f

SHA512
79ff7699ad240f4b62c5b336fb6ebb684e675b2d74cf541997f1d42716c1e05bcc35d92443c0641a6f0e60a26d3add03f6316390aacb22701b718f652e5472ab

Download Submit
memory/944-54-0x0000000000510000-0x0000000000520000-memory.dmp

Filesize
64KB

Download
memory/1652-57-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/1652-58-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download