Malware Analysis Report

2024-11-16 13:22

Sample ID 241013-lzxbwsvgjk
Target setup.exe
SHA256 32667ec585e2352db8837755fc2205d81078501391dfb28bc79b7572f6c23c44
Tags renamer discovery worm
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 32667ec585e2352db8837755fc2205d81078501391dfb28bc79b7572f6c23c44

Threat Level: Known bad

The file setup.exe was found to be: Known bad.

Malicious Activity Summary

renamer discovery worm

Detects Renamer worm.

Renamer, Grenam

Renamer family

Drops startup file

Drops autorun.inf file

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-10-13 09:58

Signatures

Detects Renamer worm.

Description Indicator Process Target
N/A N/A N/A N/A

Renamer family

renamer

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-10-13 09:58

Reported 2024-10-13 09:59

Platform win11-20241007-en

Max time kernel 40s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

Signatures

Detects Renamer worm.

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Renamer, Grenam

worm renamer

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Paint.lnk C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\vIntegratedOffice.ico C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\RCXA3A0.tmp C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\vOfficeC2RClient.ico C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\uk-UA\InputPersonalization.exe.mui C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jconsole.exe C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-1000-0000000FF1CE}\RCXA490.tmp C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\MSInfo\ja-JP\msinfo32.exe.mui C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-1000-0000000FF1CE}\misc.exe C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Program Files\Microsoft Office 15\ClientX64\vIntegratedOffice.exe C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Program Files\Windows Defender\de-DE\OfflineScannerShell.exe.mui C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Program Files\Windows Mail\wab.exe C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\Source Engine\vOSE.EXE C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\vappletviewer.ico C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\idlj.exe C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\vjavap.exe C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\jdeps.exe C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File created C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\vjjs.exe C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Integration\vIntegrator.exe C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-1000-0000000FF1CE}\vmisc.ico C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vuninstall.exe C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Program Files\Windows Defender\fr-FR\OfflineScannerShell.exe.mui C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\vappvcleaner.ico C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\SmartTagInstall.exe C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\AppSharingHookController.exe C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Program Files\7-Zip\RCXA21D.tmp C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\msinfo32.exe.mui C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\vFLTLDR.ico C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\jhat.exe C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File created C:\Program Files\Common Files\microsoft shared\ClickToRun\vMavInject32.ico C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\vsetup.ico C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Program Files\Internet Explorer\uk-UA\iexplore.exe.mui C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\javadoc.exe C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\jdb.exe C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\vSmartTagInstall.ico C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File created C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ExtExport.exe C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ja-JP\iexplore.exe.mui C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File created C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File created C:\Program Files\Microsoft Office\root\Client\vAppVDllSurrogate32.ico C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\vjava-rmi.ico C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\vInspectorOfficeGadget.exe C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\MSInfo\de-DE\msinfo32.exe.mui C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File created C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File created C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome.exe.sig C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jdeps.exe C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Client\vAppVDllSurrogate32.exe C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File created C:\Program Files\Microsoft Office\root\Integration\vIntegrator.ico C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ClickToRun\vMavInject32.exe C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Program Files\Common Files\microsoft shared\ink\uk-UA\TabTip.exe.mui C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\bfsvc.exe C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

Network

N/A

Files

memory/1692-0-0x0000000000400000-0x00000000004DB000-memory.dmp

memory/1692-1-0x00000000008C0000-0x00000000008C1000-memory.dmp

C:\Program Files\7-Zip\7z.exe

MD5 37b3c81fe4d8452787cb9b7fd63bff99
SHA1 6ca920962866bd5d80a2798875b9c39a7d0e9282
SHA256 32667ec585e2352db8837755fc2205d81078501391dfb28bc79b7572f6c23c44
SHA512 2982a6ce28b01169d8b505d808fc14f63163442312746502d146dfdd15bcb0edffb91a5e9aa7ec1890da53b194505da0a694e40b6fd0c4b3d7039d1ba2367d99

C:\Program Files\Java\jdk-1.8\bin\vjavaws.ico

MD5 38b41d03e9dfcbbd08210c5f0b50ba71
SHA1 2fbfde75ce9fe8423d8e7720bf7408cedcb57a70
SHA256 611f2cb2e03bd8dbcb584cd0a1c48accfba072dd3fc4e6d3144e2062553637f5
SHA512 ec97556b6ff6023d9e6302ba586ef27b1b54fbf7e8ac04ff318aa4694f13ad343049210ef17b7b603963984c1340589665d67d9c65fec0f91053ff43b1401ba9

C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-1000-0000000FF1CE}\vmisc.ico

MD5 fc27f73816c9f640d800cdc1c9294751
SHA1 e6c3d8835d1de4e9606e5588e741cd1be27398f6
SHA256 3cc5043caa157e5f9b1870527b8c323850bdae1e58d6760e4e895d2ab8a35a05
SHA512 9e36b96acc97bc7cd45e67a47f1ae7ab7d3818cc2fdaad147524ce9e4baedfaac9cd012923ec65db763bfd850c65b497376bb0694508bee59747f97bf1591fd4

C:\Program Files\Microsoft Office 15\ClientX64\vIntegratedOffice.ico

MD5 3ea9bcbc01e1a652de5a6fc291a66d1a
SHA1 aee490d53ee201879dff37503a0796c77642a792
SHA256 a058bfd185fe714927e15642004866449bce425d34292a08af56d66cf03ebe6c
SHA512 7c740132f026341770b6a20575786da581d8a31850d0d680978a00cc4dfca1e848ef9cdc32e51bae680ea13f6cc0d7324c38765cb4e26dcb2e423aced7da0501

F:\autorun.inf

MD5 5513829683bff23161ca7d8595c25c72
SHA1 9961b65bbd3bac109dddd3a161fc30650e8a7096
SHA256 94e323bd9071db7369ade16f45454e7a0dbfb6a39efddc1234c4719d1f7ee4c2
SHA512 308c84446106cda0a71e37b0de46aaf4b7361f9ddcc3c4c29f8e87da8acb606525dce8a42caf9d74e708c56b31c524f9535a2f5f4757c6c357401da1c495ddb6

memory/1692-269-0x0000000000400000-0x00000000004DB000-memory.dmp

memory/1692-271-0x00000000008C0000-0x00000000008C1000-memory.dmp