15590ee67d1977b1695ce3f8078edee4b8640d7c3dbe2c4bca4ab25139502204

Analysis

max time kernel
148s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/09/2024, 01:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

90.9MB
MD5

a0a9189ea3fad0d0f80f737709f3a323
SHA1

b3db5edf638510811ddc4f7df2376af0811325b2
SHA256

15590ee67d1977b1695ce3f8078edee4b8640d7c3dbe2c4bca4ab25139502204
SHA512

16a3db8e4e29831b486506921ab3546ede2bfc53e9d6674ec10fd9f4fb4b909114212c3322c105e211a9c1a009ee25c077b1a177004e13587ace8bb7fb7a1068
SSDEEP

1572864:0sdkkGFinQ6dkkGFinQ6dkkG5hnFHxDE8aJQwmRmF+9+S+V9LyN0C1qh6maqR:0jFiQ9FiQ9/V51f+p3uN0CaH

Score

7^/10

discovery execution persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	launch3.exe

Executes dropped EXE 3 IoCs

pid	Process
3360	launch3.exe
1548	LetsCorp.exe
396	rqVnH8C.exe

Loads dropped DLL 8 IoCs

pid	Process
604	Setup.exe
604	Setup.exe
604	Setup.exe
1548	LetsCorp.exe
1548	LetsCorp.exe
1548	LetsCorp.exe
396	rqVnH8C.exe
396	rqVnH8C.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WINDOWS = "C:\\Program Files (x86)\\qVnH8C\\rqVnH8C.exe"	launch3.exe

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\LetsCorpSetup\h.bmp	Setup.exe
File opened for modification	C:\Program Files (x86)\qVnH8C\rqVnH8C.log	rqVnH8C.exe
File created	C:\Program Files (x86)\qVnH8C\rqVnH8C.exe	launch3.exe
File opened for modification	C:\Program Files (x86)\qVnH8C\libcef.dll	launch3.exe
File created	C:\Program Files (x86)\LetsCorpSetup\mfxplugin32_219tg	Setup.exe
File created	C:\Program Files (x86)\LetsCorpSetup\LetsCorp.exe	Setup.exe
File created	C:\Program Files (x86)\qVnH8C\t3d.tmp	launch3.exe
File created	C:\Program Files (x86)\qVnH8C\MSVCP140.dll	launch3.exe
File created	C:\Program Files (x86)\qVnH8C\templateWatch.dat	launch3.exe
File created	C:\Program Files (x86)\LetsCorpSetup\d.bmp	Setup.exe
File created	C:\Program Files (x86)\LetsCorpSetup\tank.bmp	Setup.exe
File created	C:\Program Files (x86)\LetsCorpSetup\tex1.bmp	Setup.exe
File created	C:\Program Files (x86)\qVnH8C\t4d.tmp	launch3.exe
File created	C:\Program Files (x86)\LetsCorpSetup\t3.bmp	Setup.exe
File created	C:\Program Files (x86)\LetsCorpSetup\launch3.exe	Setup.exe
File opened for modification	C:\Program Files (x86)\qVnH8C\t3d.tmp	launch3.exe
File created	C:\Program Files (x86)\qVnH8C\VCRUNTIME140.dll	launch3.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3476	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	launch3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LetsCorp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rqVnH8C.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rqVnH8C.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rqVnH8C.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3476	powershell.exe
3476	powershell.exe
396	rqVnH8C.exe
396	rqVnH8C.exe
396	rqVnH8C.exe
396	rqVnH8C.exe
396	rqVnH8C.exe
396	rqVnH8C.exe
396	rqVnH8C.exe
396	rqVnH8C.exe
396	rqVnH8C.exe
396	rqVnH8C.exe
396	rqVnH8C.exe
396	rqVnH8C.exe
396	rqVnH8C.exe
396	rqVnH8C.exe
396	rqVnH8C.exe
396	rqVnH8C.exe
396	rqVnH8C.exe
396	rqVnH8C.exe
396	rqVnH8C.exe
396	rqVnH8C.exe
396	rqVnH8C.exe
396	rqVnH8C.exe
396	rqVnH8C.exe
396	rqVnH8C.exe
396	rqVnH8C.exe
396	rqVnH8C.exe
396	rqVnH8C.exe
396	rqVnH8C.exe
396	rqVnH8C.exe
396	rqVnH8C.exe
396	rqVnH8C.exe
396	rqVnH8C.exe
396	rqVnH8C.exe
396	rqVnH8C.exe
396	rqVnH8C.exe
396	rqVnH8C.exe
396	rqVnH8C.exe
396	rqVnH8C.exe
396	rqVnH8C.exe
396	rqVnH8C.exe
396	rqVnH8C.exe
396	rqVnH8C.exe
396	rqVnH8C.exe
396	rqVnH8C.exe
396	rqVnH8C.exe
396	rqVnH8C.exe
396	rqVnH8C.exe
396	rqVnH8C.exe
396	rqVnH8C.exe
396	rqVnH8C.exe
396	rqVnH8C.exe
396	rqVnH8C.exe
396	rqVnH8C.exe
396	rqVnH8C.exe
396	rqVnH8C.exe
396	rqVnH8C.exe
396	rqVnH8C.exe
396	rqVnH8C.exe
396	rqVnH8C.exe
396	rqVnH8C.exe
396	rqVnH8C.exe
396	rqVnH8C.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3476	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 604 wrote to memory of 3360	604	Setup.exe	94
PID 604 wrote to memory of 3360	604	Setup.exe	94
PID 604 wrote to memory of 3360	604	Setup.exe	94
PID 604 wrote to memory of 1548	604	Setup.exe	95
PID 604 wrote to memory of 1548	604	Setup.exe	95
PID 604 wrote to memory of 1548	604	Setup.exe	95
PID 1548 wrote to memory of 3476	1548	LetsCorp.exe	96
PID 1548 wrote to memory of 3476	1548	LetsCorp.exe	96
PID 1548 wrote to memory of 3476	1548	LetsCorp.exe	96
PID 3360 wrote to memory of 396	3360	launch3.exe	100
PID 3360 wrote to memory of 396	3360	launch3.exe	100
PID 3360 wrote to memory of 396	3360	launch3.exe	100

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:604
- C:\Program Files (x86)\LetsCorpSetup\launch3.exe
  "C:\Program Files (x86)\LetsCorpSetup\launch3.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3360
- - C:\Program Files (x86)\qVnH8C\rqVnH8C.exe
    "C:\Program Files (x86)\qVnH8C\rqVnH8C.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:396
- C:\Program Files (x86)\LetsCorpSetup\LetsCorp.exe
  "C:\Program Files (x86)\LetsCorpSetup\LetsCorp.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1548
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -inputformat none -ExecutionPolicy Bypass -Command "If ($env:PROCESSOR_ARCHITEW6432) { $env:PROCESSOR_ARCHITEW6432 } Else { $env:PROCESSOR_ARCHITECTURE }"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\LetsCorpSetup\LetsCorp.exe

Filesize
14.5MB

MD5
94f6bd702b7a2e17c45d16eaf7da0d64

SHA1
45f8c05851bcf16416e087253ce962b320e9db8a

SHA256
07f44325eab13b01d536a42e90a0247c6efecf23ccd4586309828aa814f5c776

SHA512
7ffc5183d3f1fb23e38c60d55724ab9e9e1e3832c9fb09296f0635f78d81477c6894c00a28e63096fa395e1c11cbeaa1f77f910f9ff9c1f1ecf0b857aa671b3d

Download Submit
C:\Program Files (x86)\LetsCorpSetup\d.bmp

Filesize
11.4MB

MD5
64e5c8ab7f52f6d93406334465645d99

SHA1
3e0883b77c04103e66cc86dab78e1728f30ed42e

SHA256
5a0659bc66ac45de2ab7caa6c3a644a95f3e6b8732e5718054b116207c4d82a4

SHA512
42857b1d9774a26ad13d22664653b18c49a0810f30d9dd9099d9333c68b49ddef4a0b54a44fcd6ed5971afb306f4b86fbd2251b8c7af4291747dd0f0c5104085

Download Submit
C:\Program Files (x86)\LetsCorpSetup\launch3.exe

Filesize
29.1MB

MD5
597cd30fd43bbd1b7860e249061c555f

SHA1
676f2f92da2985d62103995d821a1f9012f190f9

SHA256
a4bede8f47d510ae66d4a0b63566fbc21a80d3913a99a52030d0b432e343280a

SHA512
dcca1170cb026a92ae2f5e159b66f9d30e501e63281a81636d51fd44927fc6da2d8bb6645c993364d3a5915269ef3218842baff042859c5b389a5ef399c2505c

Download Submit
C:\Program Files (x86)\LetsCorpSetup\t3.bmp

Filesize
865KB

MD5
cec9a5a7567f5f7d6a3c0bee87a2a91c

SHA1
60a38be4d919aa81ea87d15ed7aa1d3b379699dd

SHA256
831c6c4730370a9359fdd78eeff54be02bc9c7a31367a7ac448ba70d717e7239

SHA512
f26a0c63c8152fccc554ab11ffe3bd0b76b0fba9cf41349bfc924620b1502c97c38a8fdf41b6a8d21f320920f2e3a64ffc05791419700c5591821e81d24cef02

Download Submit
C:\Program Files (x86)\LetsCorpSetup\tank.bmp

Filesize
138KB

MD5
9ba816bfd9c6214c4974b4fab76bb0a6

SHA1
059fb24dcf8f10d443150102d937cd67b88106e8

SHA256
789f8a260c6a514bafff4925a5f2b2d1459093eb6a0981c5950b22568ebfd18b

SHA512
7baca2ed36d645e227bc2651a3ec81b7a18dad16ec9781e0d41c4c3ad0b17e8f956b20076d2e2d7c7289491f51ddf6191ab76b89d6e3a84ea87767e394e0bed7

Download Submit
C:\Program Files (x86)\LetsCorpSetup\tex1.bmp

Filesize
1.4MB

MD5
4679933c6f1204ea6cd0d2e0e8ace335

SHA1
74b41b468d9e5bad11a3a68bc759d8b10b95096d

SHA256
51b5b1c476f3c313793853ab833ee3c926131b38807b18a3913dde5e9c3f31e2

SHA512
b455411f3db329494fa7bd894209db7725784d7bcd073baaef910b0624b209e691c1242da0838a378f3a6b9b295a142b74f8c47da9ce9d8e15bd32dcf941c2d0

Download Submit
C:\Program Files (x86)\qVnH8C\VCRUNTIME140.dll

Filesize
77KB

MD5
9d5a742f221c4929a178baf2b93fc7fb

SHA1
928c9e0e1c18ec474c2f450ca00a154e44ac547a

SHA256
f10727074bcb4375f276e48da64029d370299768536157321fb4bd9b1997b898

SHA512
f4614962c67bb41b8a2fb17e3112745f4ba012bbf382c1cc7deacd6c8525a53d75890a2eb46f0da61bfa054dc52505b09a29291d5fa1c25c6201a66b9dc4b547

Download Submit
C:\Program Files (x86)\qVnH8C\rqVnH8C.exe

Filesize
3.0MB

MD5
a3e9a318d0bb16091b862f4bf70c73b6

SHA1
f3abd6519c705c46ba0e5d6a6bc2f3b48e945d03

SHA256
7a5f94516f2dcadf478c6936c234cd9b9d28d3fadc55b346485dc1ef6194f003

SHA512
9e1dd2116fc0c3afe4807a717ac08d730f4fd2d9a28628516ea0def7a9b8b7432ecfeda8ad7901ce6137f34b406ed16f72234b8f05228688e356f5fcf64289ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mtzes5r4.mhh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc3DC1.tmp\System.dll

Filesize
11KB

MD5
75ed96254fbf894e42058062b4b4f0d1

SHA1
996503f1383b49021eb3427bc28d13b5bbd11977

SHA256
a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7

SHA512
58174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc3DC1.tmp\nsDialogs.dll

Filesize
9KB

MD5
ca95c9da8cef7062813b989ab9486201

SHA1
c555af25df3de51aa18d487d47408d5245dba2d1

SHA256
feb6364375d0ab081e9cdf11271c40cb966af295c600903383b0730f0821c0be

SHA512
a30d94910204d1419c803dc12d90a9d22f63117e4709b1a131d8c4d5ead7e4121150e2c8b004a546b33c40c294df0a74567013001f55f37147d86bb847d7bbc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsc3DC1.tmp\nsExec.dll

Filesize
6KB

MD5
3d366250fcf8b755fce575c75f8c79e4

SHA1
2ebac7df78154738d41aac8e27d7a0e482845c57

SHA256
8bdd996ae4778c6f829e2bcb651c55efc9ec37eeea17d259e013b39528dddbb6

SHA512
67d2d88de625227ccd2cb406b4ac3a215d1770d385c985a44e2285490f49b45f23ce64745b24444e2a0f581335fda02e913b92781043e8dfd287844435ba9094

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD1D8.tmp\InstallOptions.dll

Filesize
15KB

MD5
d1eefb07abc2577dfb92eb2e95a975e4

SHA1
0584c2b1807bc3bd10d4b60d2d23eeb0e6832ca2

SHA256
89dd7d646278d8bfc41d5446bdc348b9a9afaa832abf02c1396272bb7ac7262a

SHA512
eaffd9940b1df59e95e2adb79b3b6415fff5bf196ebea5fe625a6c52e552a00b44d985a36a8dd9eb33eba2425ffea4244ed07a75d87284ff51ec9f9a5e1ac65e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD1D8.tmp\System.dll

Filesize
12KB

MD5
192639861e3dc2dc5c08bb8f8c7260d5

SHA1
58d30e460609e22fa0098bc27d928b689ef9af78

SHA256
23d618a0293c78ce00f7c6e6dd8b8923621da7dd1f63a070163ef4c0ec3033d6

SHA512
6e573d8b2ef6ed719e271fd0b2fd9cd451f61fc9a9459330108d6d7a65a0f64016303318cad787aa1d5334ba670d8f1c7c13074e1be550b4a316963ecc465cdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD1D8.tmp\ioSpecial.ini

Filesize
1KB

MD5
03cbac1f7efcf8744c711e45fd81524a

SHA1
1a9a6855d99eda18152fb6a2dc439b2c6f377d15

SHA256
a9cfd60106c0960c3562ee675cec0f6bf86954a4779dcfe5fbacb89f487185cf

SHA512
99acbf133365f0f75acebd3ae6539bdfc0842e135c0f88549c09e7deffdf2dccbda45c63d8226b0ded59e99008d943683d17b21347df9019e0c62b75c0f99c12

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsfD1D8.tmp\ioSpecial.ini

Filesize
1KB

MD5
bb0bead0dad61f4a760b24a02bde7c50

SHA1
e96e6179a4036971b289eacd26972d5e309bfb29

SHA256
d7c14b1a12a131a23f4f0edde91c92a99e655ca7745dc1168cb753471b779a0b

SHA512
1d95a2e615c8070f3d7e3dbf2b082c687e9f01430d5f3f220203505e7178817601ed6441709ed94ad5c8027d5cbb87632c902be62fd67547cd7ca96452616018

Download Submit
memory/396-275-0x0000000010000000-0x00000000100E3000-memory.dmp

Filesize
908KB

Download
memory/396-280-0x0000000010000000-0x00000000100E3000-memory.dmp

Filesize
908KB

Download
memory/396-272-0x0000000002610000-0x00000000026E9000-memory.dmp

Filesize
868KB

Download
memory/3360-242-0x0000000003C40000-0x0000000003C63000-memory.dmp

Filesize
140KB

Download
memory/3360-243-0x0000000010000000-0x0000000010027000-memory.dmp

Filesize
156KB

Download
memory/3476-226-0x0000000006060000-0x00000000063B4000-memory.dmp

Filesize
3.3MB

Download
memory/3476-212-0x0000000003070000-0x00000000030A6000-memory.dmp

Filesize
216KB

Download
memory/3476-228-0x0000000006660000-0x00000000066AC000-memory.dmp

Filesize
304KB

Download
memory/3476-227-0x0000000006640000-0x000000000665E000-memory.dmp

Filesize
120KB

Download
memory/3476-214-0x0000000005690000-0x00000000056B2000-memory.dmp

Filesize
136KB

Download
memory/3476-213-0x00000000057E0000-0x0000000005E08000-memory.dmp

Filesize
6.2MB

Download
memory/3476-216-0x0000000005FF0000-0x0000000006056000-memory.dmp

Filesize
408KB

Download
memory/3476-215-0x0000000005F80000-0x0000000005FE6000-memory.dmp

Filesize
408KB

Download