847a40ca8a3e2616ca25561a74f0cd27b4d9d7bb8f3f8399b747a85ca369b611

Analysis

max time kernel
1794s
max time network
1799s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10-09-2024 07:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Stardock CursorFX 4.03 Multilingual [PeskTop.com]/Stardock CursorFX v4.03/Stardock CursorFX v4.03 Setup.exe
Size

19.0MB
MD5

2a56b3151ef00fe5e317bfa5b6511906
SHA1

1d9f2425e1a24e918a36472ae8a097478350f261
SHA256

0198e05d4b4af04f82aef95e0c2d581ee4de15a454214ba200396be8d50581b5
SHA512

c74aa2c4f14b2030031d2b4c16ed7788e5887dd42dba3a6d9bf0c96a946816edac79a5ad6b872e9f613000b219e35a37641332431b864a6d82688a7b99de9175
SSDEEP

393216:QAPF8K4/MLyYMWwwrPq0Vz8RQAI3ZHK/hSbWvpxkpjE++q4ty9eqBAsCJX:vPFdeMLnfq0ORQAi5KkbWpxkD+/A9eqg

Score

7^/10

discovery upx

Malware Config

Signatures

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral10/files/0x000800000002360e-5.dat	upx
behavioral10/memory/4744-12-0x0000000000D10000-0x00000000010F8000-memory.dmp	upx
behavioral10/memory/4744-62-0x0000000000D10000-0x00000000010F8000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	irsetup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	Stardock CursorFX v4.03 Setup.exe

Executes dropped EXE 2 IoCs

pid	Process
4744	irsetup.exe
4352	GetMachineSID.exe

Loads dropped DLL 2 IoCs

pid	Process
4744	irsetup.exe
4744	irsetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Stardock CursorFX v4.03 Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	irsetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GetMachineSID.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4744	irsetup.exe
4744	irsetup.exe
4744	irsetup.exe
4352	GetMachineSID.exe
4744	irsetup.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 5368 wrote to memory of 4744	5368	Stardock CursorFX v4.03 Setup.exe	93
PID 5368 wrote to memory of 4744	5368	Stardock CursorFX v4.03 Setup.exe	93
PID 5368 wrote to memory of 4744	5368	Stardock CursorFX v4.03 Setup.exe	93
PID 4744 wrote to memory of 4352	4744	irsetup.exe	95
PID 4744 wrote to memory of 4352	4744	irsetup.exe	95
PID 4744 wrote to memory of 4352	4744	irsetup.exe	95
PID 4744 wrote to memory of 2332	4744	irsetup.exe	97
PID 4744 wrote to memory of 2332	4744	irsetup.exe	97
PID 4744 wrote to memory of 2332	4744	irsetup.exe	97

C:\Users\Admin\AppData\Local\Temp\Stardock CursorFX 4.03 Multilingual [PeskTop.com]\Stardock CursorFX v4.03\Stardock CursorFX v4.03 Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Stardock CursorFX 4.03 Multilingual [PeskTop.com]\Stardock CursorFX v4.03\Stardock CursorFX v4.03 Setup.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5368
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1825314 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\Stardock CursorFX 4.03 Multilingual [PeskTop.com]\Stardock CursorFX v4.03\Stardock CursorFX v4.03 Setup.exe" "__IRCT:3" "__IRTSS:0" "__IRSID:S-1-5-21-2170637797-568393320-3232933035-1000"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4744
- - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe
    "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe" C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.tmp
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4352
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" export HKLM\Software\Stardock C:\Users\Admin\AppData\Local\Temp\registry_export.txt /y /reg:32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4380,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=4128 /prefetch:8
1⤵
PID:1496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4908,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=4972 /prefetch:8
1⤵
PID:3852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CursorFX Setup Log.txt

Filesize
1KB

MD5
9963be5b8bdaf57075ae390d79a5a295

SHA1
243731d7bdc1f2ced55ce614e2370a9d50bab622

SHA256
32b4d444133731de20c7503851a1b62f2ea89494a5e7a0f36336096690faab59

SHA512
23b80f3717c2c0b0d8cfe7aa59cb21ff208c36dbb0bddc7dfd4ed59f5d03d8cbf4cc8b0204c4a195f40516dbed8d3f6786e32bc01af23a1e756ec37bc579585e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Encoding.lmd

Filesize
393KB

MD5
6eec47ab86d212fe3ed0f56985c8e817

SHA1
06da90bcc06c73ce2c7e112818af65f66fcae6c3

SHA256
d0b2fa60e707982899ecd8c4dc462721c82491245b26721a7c0e840c5f557aed

SHA512
36d6ef8a3fecb2c423079cadbfcbe2b044095f641c9a6ce0f9d0e96c6400f00a089aa26cc9d361bfdbcfdc3a8487d18d64956b36f39320648d1ddb565221a9cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe

Filesize
58KB

MD5
55bbf335f75f2a2fe0a5daf603964d41

SHA1
f1b9686e8a9f10682722fc5e08c02c016b597804

SHA256
723adae0e69127a6bfbc65c5ef552a351264205ea5e2bc3b80e505feaa5d0e43

SHA512
af49055234cb4a0ddbc68212db094c7a7a1058ccf6a1a5830238fe3ff96fa35390d242322436839d6d7e419bd9e4ad8962e213222470625cffb46423dec44db6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.tmp

Filesize
40B

MD5
a06519815770f71ecc488aec09815d43

SHA1
3d7506c210b7a9ea10863442bee19a7dd450337a

SHA256
baa7221c573753ba1a258147d413f1e4eb588a52b82b27a322b79b10a4216d73

SHA512
ca12a195657836a89b297b8b1fab7179b72d9519739edb2e9e693134d94b6c612a23c19e8c27854bed8ae249584b68cbe5e70656abb19b395869cc7bbeaa518f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.3MB

MD5
68ac216f38a5f7c823712c216ca4b060

SHA1
f6ad96e91103c40eb33fd3f1324d99093e5d014e

SHA256
748d48d246526e2a79edcde87255ffa5387e3bcc94f6ca5e59589e07e683cd80

SHA512
9b7dce4ed6e2caee1cdb33e490e7062344d95d27ba48e96f66094a3413da27fb32680dd2e9a5b2091489780929c27fe36914210793fbef81dfb5b4fb1a9b469b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
326KB

MD5
80d93d38badecdd2b134fe4699721223

SHA1
e829e58091bae93bc64e0c6f9f0bac999cfda23d

SHA256
c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

SHA512
9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

Download Submit
memory/4744-30-0x0000000005C20000-0x0000000005C23000-memory.dmp

Filesize
12KB

Download
memory/4744-29-0x0000000010000000-0x0000000010144000-memory.dmp

Filesize
1.3MB

Download
memory/4744-12-0x0000000000D10000-0x00000000010F8000-memory.dmp

Filesize
3.9MB

Download
memory/4744-62-0x0000000000D10000-0x00000000010F8000-memory.dmp

Filesize
3.9MB

Download
memory/4744-64-0x0000000010000000-0x0000000010144000-memory.dmp

Filesize
1.3MB

Download
memory/4744-70-0x0000000010000000-0x0000000010144000-memory.dmp

Filesize
1.3MB

Download
memory/4744-112-0x0000000010000000-0x0000000010144000-memory.dmp

Filesize
1.3MB

Download