Analysis
-
max time kernel
147s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
05/10/2024, 09:53
General
-
Target
setup.exe
-
Size
2.1MB
-
MD5
8e16f01783eb766a3884df4aa9986bfb
-
SHA1
b11db9a5e3b8c02d631bccf463e161ca1dcf5cb2
-
SHA256
3f91200ad1574b37f4e01b30bed2011be0fff94c2703d4c04617d152046214e1
-
SHA512
96af11fbb78c4d91e8395abb2f672578701e939f350125b805079b45b9d897f22e680c4ebb139702774d877a45a1a9404df0498fb074b974331c0488b59fec31
-
SSDEEP
49152:jE3UUTfHju2B9IdJjit72tk4vjY0t3ZOzknNPWnb7NDtA:Q3tqdJI2Lj1OQnNPC5tA
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 7 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 6 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
-
Suspicious use of FindShellTrayWindow 35 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-P9OM4.tmp\setup.tmp"C:\Users\Admin\AppData\Local\Temp\is-P9OM4.tmp\setup.tmp" /SL5="$80052,1751113,143360,C:\Users\Admin\AppData\Local\Temp\setup.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\The Binding of Isaac Repentance\unins000.exe"C:\Program Files (x86)\The Binding of Isaac Repentance\unins000.exe" /VERYSILENT3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp"C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp" /SECONDPHASE="C:\Program Files (x86)\The Binding of Isaac Repentance\unins000.exe" /FIRSTPHASEWND=$F01EC /VERYSILENT4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of FindShellTrayWindow
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://ti-url.com/the-binding-of-isaac3⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd686846f8,0x7ffd68684708,0x7ffd686847184⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1980,1901282543958500526,11289136790125439774,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:24⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1980,1901282543958500526,11289136790125439774,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1980,1901282543958500526,11289136790125439774,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,1901282543958500526,11289136790125439774,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,1901282543958500526,11289136790125439774,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,1901282543958500526,11289136790125439774,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:14⤵
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
101KB
MD5516b46d8ba74c15af629e09e05e02cdd
SHA197955bea20b21dcf4d97c5783c569647bfa405f3
SHA256eb495744a32b3d773cdc6aad2c1570c991923cd4eb4c8a21db8f722f37f96156
SHA5121413b762d9a4754ae28654a4e31f51674cdab4708b0290fcbc0860a6d44b6f81083a62ef72676628fa6165eecf8a75c4f92a9f6dd243ff9515a8324c591d6336
-
Filesize
322B
MD5629e551e2783b532abbdbfc0789d51c5
SHA1bac450237ad420c226d1123d80bc24e79932984f
SHA2563761a0b75c68bca3c1d8717a41f01094c5da6999c945b35a852d4a844076e42d
SHA512b3bb151eebd839b52978bf3022d4c12b94800b875990ee00f9346fc01d1c36799da4383e8823ccd5e609816a77036621e928af3e38c7946bc325b1b311e32054
-
Filesize
102KB
MD51a2764efe9e867f78c0713901c9bf174
SHA1cb05818f51ca0a53d3a23cfe42caa2adc048bb72
SHA2566642f64b6875a56c2e8cbd04ebf2b6ad7e863d819364389c274ea4d49269f690
SHA512b49ce2a2f04af85a181cddf90d05fe2935b28f07f5d435ec08f2d2365a874b468706833057e2c13933ebdba4335dcf3778c300d02487963b74e77f7a9c5e57de
-
Filesize
1.4MB
MD5b51924f37356ec6a47746df458872fc9
SHA115e859457f83a2ed2e31b05b3707fcd5097888ec
SHA256c8cad9c3fd94a14a6ee615ebfadbff5c7f487f4716b548906abc9214c03cb828
SHA51268be45e04747acbf22691c4194f76d268818585746953ac55c1224453aa911c2d1424c61a3eed502e28df47cdb1fbfc2f6743a0e3e0aa8c8de51e4882f796e3c
-
Filesize
152B
MD52dc1a9f2f3f8c3cfe51bb29b078166c5
SHA1eaf3c3dad3c8dc6f18dc3e055b415da78b704402
SHA256dcb76fa365c2d9ee213b224a91cdd806d30b1e8652d72a22f2371124fa4479fa
SHA512682061d9cc86a6e5d99d022da776fb554350fc95efbf29cd84c1db4e2b7161b76cd1de48335bcc3a25633079fb0bd412e4f4795ed6291c65e9bc28d95330bb25
-
Filesize
152B
MD5e4f80e7950cbd3bb11257d2000cb885e
SHA110ac643904d539042d8f7aa4a312b13ec2106035
SHA2561184ee8d32d0edecddd93403fb888fad6b3e2a710d37335c3989cc529bc08124
SHA5122b92c9807fdcd937e514d4e7e1cc7c2d3e3aa162099b7289ceac2feea72d1a4afbadf1c09b3075d470efadf9a9edd63e07ea7e7a98d22243e45b3d53473fa4f0
-
Filesize
256B
MD52a8ba9e6ccc0f45dafd065cb982f26c8
SHA1f65a6f647ebc9bb8d5651795e3c4be6231aefbf1
SHA256fd0891c1e914c6344fd42d9306e7bc62b01b582f77e5fba3dc917405275673bf
SHA512f49afd0c25ee2eeb8eaea5e39d387d48e72dafcd11a4600833228019864f5e7f75252e4911b0d04df490f2c69ada443fcfaf1bd9243c676dc366b4f15d1363dd
-
Filesize
5KB
MD542f6e3e81e08bd6374bab3f67ee0fd37
SHA14057a26df817cdcb42c1eb677bc54b67a892f337
SHA2569e25e63bb7061819b406391c8cb2c8b9af18b5b01ec2a43d1570b8d353d1f668
SHA512fe2396a2bc895e47e984d281a829151d8318f5ccae48e6191a59de491c9f467fe477f2151840ef332d2c45d590b5d724e671994293c97d5e4d13a51072b04d79
-
Filesize
6KB
MD575ed2c5828038f02e24998dc59e64b7e
SHA10df33f7a7bcb911201d2e25b2880a5693926f91e
SHA256b97deac517cc7cf81694d68bca93c8ddfd529698817202442de147303d7b6d53
SHA5126431e5958b082d4b4533d9938a5856f6f414dc7de24f75f23026cd852bac8b377859ea623b5c81db32e210b1acdbdf4aacd17d112a55fbe87317a561237a7b3c
-
Filesize
10KB
MD590a310bafb761c80a8e0a49648d95732
SHA173560190cda1eaea5af8d8be0f8be54c71a25b35
SHA2562b497c60748267766cfd89e8216477953312cdb92e8c318330c82f4dbf2d3b64
SHA512e7ae2a007aab934420a397e09733a87f3882cdfaebff8e76fb21c5be8cedbd59664a6c3f34f5a81b53d6d23225c72bcfcdef4b5a2793a384187b060cfd0ee8e2
-
Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
Filesize
1.4MB
MD54daafb718e7b1b52728559dc46c20057
SHA1ea8d32ebed9831b0c4ababc773e259d21447891f
SHA256f59f47b6212b7f1200a19fa7cd9d75e1464673ef5681b5ef708663ad3c4fb3ea
SHA51281a656532f0849a0d10b8c726e5fb9d70468e32ae79866da0ccb3bbda6412a9f95ff75b9558a86eda6115c1eaa2e34f511b439e064db65c1427236903ec6035c
-
Filesize
4KB
MD5f07e819ba2e46a897cfabf816d7557b2
SHA18d5fd0a741dd3fd84650e40dd3928ae1f15323cc
SHA25668f42a7823ed7ee88a5c59020ac52d4bbcadf1036611e96e470d986c8faa172d
SHA5127ed26d41ead2ace0b5379639474d319af9a3e4ed2dd9795c018f8c5b9b533fd36bfc1713a1f871789bf14884d186fd0559939de511dde24673b0515165d405af
-
Filesize
452KB
MD54feafa8b5e8cdb349125c8af0ac43974
SHA17f17e5e1b088fc73690888b215962fbcd395c9bd
SHA256bb8a0245dcc5c10a1c7181bad509b65959855009a8105863ef14f2bb5b38ac71
SHA512d63984ee385b4f1eba8e590d6de4f082fb0121689295ec6e496539209459152465f6db09e6d8f92eec996a89fc40432077cbfa807beb2de7f375154fef6554bc
-
Filesize
75KB
MD5a2eee508e6a51c6335650532e05ac550
SHA18703fb138bb8443f17c0c24da7edd69b1f2660b1
SHA25675fb2984e1b06f4278fb7b3c77e9fec84e02a3b4bf82d35120f8cbe7bdbc76bf
SHA51214e1abea3109c17f1fbe6ec455593bf91ba1b811ea302806a83a97a96bf582f1c46e8fe635e1d8739c5c007298eabd41311e07e50961ec2084cf97bde0595370
-
Filesize
22KB
MD5ab35386487b343e3e82dbd2671ff9dab
SHA103591d07aea3309b631a7d3a6e20a92653e199b8
SHA256c3729545522fcff70db61046c0efd962df047d40e3b5ccd2272866540fc872b2
SHA512b67d7384c769b2b1fdd3363fc3b47d300c2ea4d37334acfd774cf29169c0a504ba813dc3ecbda5b71a3f924110a77a363906b16a87b4b1432748557567d1cf09
-
Filesize
37KB
MD567965a5957a61867d661f05ae1f4773e
SHA1f14c0a4f154dc685bb7c65b2d804a02a0fb2360d
SHA256450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105
SHA512c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b
-
Filesize
22KB
MD592dc6ef532fbb4a5c3201469a5b5eb63
SHA13e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA2569884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA5129908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
-
Filesize
2KB
MD5c7101d719f34a43af1dfb017c5afa36b
SHA1fba2333495c363a5648f9af9c39af052e51141ae
SHA256840dc671adda3ba3287ba39e36b6387ab20031e92ce89900cce1fb53cc44ba5e
SHA512d34958e6af1039cecb7baea85373185b6d6842e5f4f11eb6665105f9b5e278c93376b2fe5871a8a629eb01f3d36bea50418df775d326777b19d1486042f24a92
-
Filesize
180KB
-
Filesize
180KB
-
Filesize
88KB
-
Filesize
1.5MB
-
Filesize
476KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
60KB
-
Filesize
1.5MB
-
Filesize
1.5MB
-
Filesize
476KB
-
Filesize
60KB
-
Filesize
68KB
-
Filesize
1.5MB
-
Filesize
60KB
-
Filesize
68KB
-
Filesize
1.5MB
-
Filesize
1.5MB