Analysis

max time kernel: 149s
max time network: 68s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 10-09-2024 00:01
Static task: static1
Behavioral task: behavioral1
  Sample: Set-up.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: Set-up.exe
  Resource: win10v2004-20240802-en
General

Target: Set-up.exe
Size: 6.3MB
MD5: 3406055d6c38b0219192413e4cd18a2b
SHA1: 80be1c096353caae8b01182b39df81191ae7924f
SHA256: 008363271c52663213d521af1a6c9cf1b9e2d4be17a629ff6079a69e796236c8
SHA512: 077c2fe82e5093b5bd3912ffb307495c3a58e03b2eb4c5003c30e07b0bf41012d695c1525b4ff138c9a0e4427b70a6732873b17aa5c06cf830ab56e0fa7d6311
SSDEEP: 98304:ui+pBnmP/EW4Cz1NEG7NWOxUFXjn+xjYQEaTZFBHSbKu0:uRTW4Cy4NwneLEaTZFBHfu0
Malware Config

Extracted family: cryptbot
Domains (from the extracted C2 configuration):
- fiftv15pn.top
- analforeverlovyu.top
url_path: /v1/upload.php
Signatures

The signature hits and PIDs below come from behavioral1 (platform windows7_x64, resource win7-20240903-en).

Credentials from Password Stores: Credentials from Web Browsers (1 TTP)
Malicious access to, or copy of, a web browser credential store.

Executes dropped EXE (3 IoCs)
Processes:
- PID 2852  service123.exe
- PID 2124  service123.exe
- PID 2272  service123.exe

Loads dropped DLL (5 IoCs)
Processes:
- PID 1592  Set-up.exe (2 IoCs)
- PID 2852  service123.exe
- PID 2124  service123.exe
- PID 2272  service123.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar data.

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate the software installed on the system.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
Processes:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (Set-up.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (schtasks.exe)
schtasks.exe is a Windows system binary, so its read of this key is incidental to being launched; the Set-up.exe read is the one attributable to the sample.

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandbox environments.
Processes:
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  (Set-up.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  (Set-up.exe)

Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
schtasks.exe is often used by malware for persistence or to perform post-infection execution. Here Set-up.exe (PID 1592) launches schtasks.exe (PID 2708) to create the task "ServiceData4"; the full command line is recorded in the process tree below.

Suspicious use of WriteProcessMemory (16 IoCs)
Each parent/child pair is recorded four times, giving 16 records for four process launches:
- PID 1592 (Set-up.exe) wrote to memory of PID 2852 (service123.exe), x4
- PID 1592 (Set-up.exe) wrote to memory of PID 2708 (schtasks.exe), x4
- PID 2756 (taskeng.exe) wrote to memory of PID 2124 (service123.exe), x4
- PID 2756 (taskeng.exe) wrote to memory of PID 2272 (service123.exe), x4
Every pair matches a parent/child relationship in the process tree below, so these writes accompany the four process creations; on their own they do not show injection into an unrelated process.
Processes

C:\Users\Admin\AppData\Local\Temp\Set-up.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Set-up.exe"
  PID: 1592
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\service123.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\service123.exe"
      PID: 2852
      - Executes dropped EXE
      - Loads dropped DLL

    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\Admin\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
      PID: 2708
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task

C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {4C8E780B-6494-4C21-819A-D6967B8411BC} S-1-5-21-457978338-2990298471-2379561640-1000:WOUOSVRD\Admin:Interactive:[1]
  PID: 2756
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\service123.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\/service123.exe
      PID: 2124
      - Executes dropped EXE
      - Loads dropped DLL

    C:\Users\Admin\AppData\Local\Temp\service123.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\/service123.exe
      PID: 2272
      - Executes dropped EXE
      - Loads dropped DLL

Notes on the tree:
- The schtasks command creates a task that schtasks reports as one-off (/sc once) but that repeats every minute (/ri 1) for 9800 hours 59 minutes (/du 9800:59), starting at 00:01 (/st 00:01); /f overwrites any existing task named "ServiceData4" without prompting. The start time equals the submission time of 00:01, so the task was due as soon as it was created, which is why taskeng.exe (the Windows 7 task engine, PID 2756) launched service123.exe twice (PIDs 2124 and 2272) within the 149-second run.
- The task action "C:\Users\Admin\AppData\Local\Temp\/service123.exe" is reproduced exactly as recorded, stray forward slash included; the same string appears as the command line of the two taskeng.exe-launched instances, confirming they were started by the task.
- The image path is C:\Windows\SysWOW64\schtasks.exe although the command line names C:\Windows\System32\schtasks.exe: WoW64 file-system redirection substitutes the 32-bit binary for a 32-bit caller, consistent with the arch:x86 resource tag and with Set-up.exe being a 32-bit process.
- All three service123.exe instances run from the user's Temp directory, so persistence here needs no elevation beyond the submitting user's session.
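The process tree and the schtasks command line above can be rebuilt and scored automatically. The Python below is an added example written for this report; it is not part of the sandbox output or of the sample. It deduplicates the report's 16 WriteProcessMemory records into the four parent/child launches and parses the /create command line, flagging the traits a detection engineer would key on. WRITE_EVENTS and SCHTASKS_CMDLINE are transcribed from the report; the user-writable directory list, the repetition/duration thresholds and the table of value-taking switches are assumptions of this example, not facts from the report.

```python
"""Triage helper for the Set-up.exe report (added example, not sandbox output).

Rebuilds the process tree from the report's WriteProcessMemory parent->child
records and scores the schtasks /create command line for persistence traits.
"""
import re
from collections import defaultdict

# Constructed from the report's "Suspicious use of WriteProcessMemory" table:
# (parent_pid, parent_image, child_pid, child_image). Each pair is repeated
# four times on purpose, exactly as the report lists it.
WRITE_EVENTS = (
    [(1592, "Set-up.exe", 2852, "service123.exe")] * 4
    + [(1592, "Set-up.exe", 2708, "schtasks.exe")] * 4
    + [(2756, "taskeng.exe", 2124, "service123.exe")] * 4
    + [(2756, "taskeng.exe", 2272, "service123.exe")] * 4
)

# Command line recorded for PID 2708 in the report.
SCHTASKS_CMDLINE = (
    '"C:\\Windows\\System32\\schtasks.exe" /create /tn "ServiceData4" '
    '/tr "C:\\Users\\Admin\\AppData\\Local\\Temp\\/service123.exe" '
    '/st 00:01 /du 9800:59 /sc once /ri 1 /f'
)

_TOKEN = re.compile(r'"[^"]*"|\S+')
# schtasks switches that consume the following token as their value (assumed table).
_VALUED = {"tn", "tr", "st", "du", "sc", "ri", "mo", "sd", "ed", "ru", "rp", "s"}
# Directories an unprivileged user can write to (assumed list, not from the report).
_USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                  "\\downloads\\", "\\public\\")
REPEAT_MINUTES_MAX = 5      # assumed threshold: "tight" repetition interval
DURATION_MINUTES_MIN = 24 * 60  # assumed threshold: "long-running" task


def parse_schtasks(cmdline):
    """Return {switch: value} for a schtasks command line; valueless switches map to True."""
    tokens = [t.strip('"') for t in _TOKEN.findall(cmdline)]
    opts = {"image": tokens[0]}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            name = tok[1:].lower()
            if name in _VALUED and i + 1 < len(tokens):
                opts[name] = tokens[i + 1]
                i += 2
                continue
            opts[name] = True
        i += 1
    return opts


def _minutes(hhhh_mm):
    """Convert a schtasks HHHH:MM duration into minutes."""
    hours, mins = hhhh_mm.split(":")
    return int(hours) * 60 + int(mins)


def assess_schtasks(cmdline):
    """Score a schtasks command line; returns (findings, parsed options)."""
    opts = parse_schtasks(cmdline)
    findings = []
    if "create" not in opts:
        return findings, opts
    # The report's action path uses "Temp\/service123.exe"; normalise slashes before matching.
    run_norm = str(opts.get("tr", "")).replace("/", "\\").lower()
    if any(d in run_norm for d in _USER_WRITABLE):
        findings.append("task action runs from a user-writable directory")
    ri = int(opts["ri"]) if str(opts.get("ri", "")).isdigit() else None
    du = _minutes(opts["du"]) if ":" in str(opts.get("du", "")) else None
    if ri is not None and du is not None and ri <= REPEAT_MINUTES_MAX and du >= DURATION_MINUTES_MIN:
        findings.append(f"repeats every {ri} min for {du // 60} hours under /sc {opts.get('sc')}")
    if opts.get("f") is True:
        findings.append("/f silently overwrites an existing task with the same name")
    return findings, opts


def build_tree(events):
    """Deduplicate (parent, child) records; returns (names, {parent_pid: [child_pids]})."""
    names, children, seen = {}, defaultdict(list), set()
    for ppid, pname, cpid, cname in events:
        names[ppid], names[cpid] = pname, cname
        if (ppid, cpid) not in seen:
            seen.add((ppid, cpid))
            children[ppid].append(cpid)
    return names, dict(children)


def render_tree(names, children):
    """Indented text rendering, roots first (processes that are nobody's child)."""
    roots = [p for p in names if all(p not in kids for kids in children.values())]
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{names[pid]} (PID {pid})")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in sorted(roots):
        walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_tree(*build_tree(WRITE_EVENTS)))
    for finding in assess_schtasks(SCHTASKS_CMDLINE)[0]:
        print("  !", finding)
```

Run against the report's records, the tree comes out as two roots (Set-up.exe with service123.exe and schtasks.exe beneath it; taskeng.exe with the two task-launched service123.exe instances), and the command line yields three findings: a user-writable action path, a one-minute repeat over 9800 hours, and a forced overwrite. For live telemetry the same functions can be fed process-creation events (Sysmon Event ID 1 or 4688) in place of the transcribed records.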