1cb136958cdf2400414303001f4ef8d164556596ec9c6cc9ebe06ee5d4438b75

General

Target

setup_christv_online_premium_5_60.exe
Size

5.6MB
MD5

199b3fcf3e54d8bb33881b532b64c69a
SHA1

f7297aadf0b996bfdd62a8ef4f9f39ebc04dac12
SHA256

0202dd73b2bec6d9e788431271f8db1bdf8cfff645422dc4d82047d955bcc19c
SHA512

f16a97876112956c3321858797feb0cf0dc4eb1f01b3926e018d7117dc13552634cf087a0ca80c37ae0c69135f4bdb5180195a994f8a7235a6c7960419b8af27
SSDEEP

98304:77p22Th38RZLh3hIoyPvqlHzLkIh1BzSHVisYbzwNeiEy2Ql/uXCo4U8o0+sFYbg:Xp22N+l33yYHzdUVisYbUN3GCFU82sFm

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
1380	ppi.exe
4720	ppi.exe
444	SETUP_~1.EXE
2144	SETUP_~1.tmp

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	setup_christv_online_premium_5_60.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1380 set thread context of 4720	1380	ppi.exe	86

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SETUP_~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SETUP_~1.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup_christv_online_premium_5_60.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ppi.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1380	ppi.exe
4720	ppi.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4636 wrote to memory of 1380	4636	setup_christv_online_premium_5_60.exe	84
PID 4636 wrote to memory of 1380	4636	setup_christv_online_premium_5_60.exe	84
PID 4636 wrote to memory of 1380	4636	setup_christv_online_premium_5_60.exe	84
PID 1380 wrote to memory of 4720	1380	ppi.exe	86
PID 1380 wrote to memory of 4720	1380	ppi.exe	86
PID 1380 wrote to memory of 4720	1380	ppi.exe	86
PID 1380 wrote to memory of 4720	1380	ppi.exe	86
PID 1380 wrote to memory of 4720	1380	ppi.exe	86
PID 1380 wrote to memory of 4720	1380	ppi.exe	86
PID 1380 wrote to memory of 4720	1380	ppi.exe	86
PID 1380 wrote to memory of 4720	1380	ppi.exe	86
PID 4636 wrote to memory of 444	4636	setup_christv_online_premium_5_60.exe	87
PID 4636 wrote to memory of 444	4636	setup_christv_online_premium_5_60.exe	87
PID 4636 wrote to memory of 444	4636	setup_christv_online_premium_5_60.exe	87
PID 444 wrote to memory of 2144	444	SETUP_~1.EXE	89
PID 444 wrote to memory of 2144	444	SETUP_~1.EXE	89
PID 444 wrote to memory of 2144	444	SETUP_~1.EXE	89

C:\Users\Admin\AppData\Local\Temp\setup_christv_online_premium_5_60.exe
"C:\Users\Admin\AppData\Local\Temp\setup_christv_online_premium_5_60.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4636
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ppi.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ppi.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1380
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ppi.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4720
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:444
- - C:\Users\Admin\AppData\Local\Temp\is-IS3FM.tmp\SETUP_~1.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-IS3FM.tmp\SETUP_~1.tmp" /SL5="$701E6,5395862,54272,C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\SETUP_~1.EXE

Filesize
5.4MB

MD5
c0a51d58ae636dd08d8ccee14d5746dc

SHA1
886974842922e2e8fabe020bad43f5672f61d193

SHA256
bb6b80c02254a2d9ebca5b34ba33e2a82f75381125830d9afaf20b78f3268589

SHA512
ef1695cfc151ed7fbcd28f67fe7ea841c18dad391f9fcbac38751901f1adbd65ce3996aede7b182e4867329be473a6574deb643eb9373f5598725b26ef80be34

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ppi.exe

Filesize
158KB

MD5
69c343fbf34df0d280ce2514b3197904

SHA1
08f3666b88c63292e4bb7147348c30b993d99556

SHA256
9dce84cb358e678e298c95b899d67491114af6cdd21e55279162a5c87a6fa7bb

SHA512
921028d32cdfcd4d932306f38d4bac88e40585992ff9696692fea68784f08647f3211648695c8e8a3cb1c067c5368dc2d51270d4718aa9272d5637cde4ffcda8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IS3FM.tmp\SETUP_~1.tmp

Filesize
695KB

MD5
620f32e56b46e90e8aee43febc59f6e3

SHA1
d5edd63dd1390a1420b85f746e12a66625ae9354

SHA256
bcc9d63213012bf25a37f48015e5f755d359f3b08d05d35319b03b4a72710730

SHA512
8a9d2a2eb3891265cec379978399ad6c9b4bf3e12e0f381946b4390621b943b97fa04fbb87ad628652bd765b706eb2ff56001f24de24e9bcc487a59ca2f07d9c

Download Submit
memory/444-38-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/444-22-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/444-20-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1380-6-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1380-16-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2144-27-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2144-41-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/4720-13-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4720-37-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4720-10-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads