65110470f6c6c96877e96a640adcf6178186b675e6d1bc24c19f977a12220294

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-11-2024 11:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CiscoSetup.exe
Size

16.1MB
MD5

446a85d94adb8e2e9157170b82592d6a
SHA1

1ea726940904e568dbdc4a6ef50b61cae6bb55ea
SHA256

65110470f6c6c96877e96a640adcf6178186b675e6d1bc24c19f977a12220294
SHA512

96684b30d90f32a57b8b264da520c31b063991830e472798d46147e3811fcd27e5c400f7fd3832b5ed0975e43b2efd6cbebd152b58442dd5e630416de6a0e0fe
SSDEEP

393216:qxxFZAWTc+MZ3mOvSY6oDXtVVFOzWyY4bkZsFVf:wAL+WmOvS9qDSzJbki

Score

7^/10

discovery execution

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2092	CiscoSetup.tmp

Loads dropped DLL 2 IoCs

pid	Process
2380	CiscoSetup.exe
2092	CiscoSetup.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\res\is-MCU4C.tmp	CiscoSetup.tmp
File created	C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\5.0.00923\res\is-4J6DD.tmp	CiscoSetup.tmp
File created	C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\5.0.00923\res\is-C44PS.tmp	CiscoSetup.tmp
File created	C:\Program Files (x86)\Cisco\Cisco Secure Client\is-CI64H.tmp	CiscoSetup.tmp
File created	C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\res\is-5AN1I.tmp	CiscoSetup.tmp
File created	C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\5.0.00923\res\is-22O3D.tmp	CiscoSetup.tmp
File created	C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\5.0.00923\res\is-HCTJU.tmp	CiscoSetup.tmp
File created	C:\Program Files (x86)\Cisco\Cisco Secure Client\is-DEJOF.tmp	CiscoSetup.tmp
File created	C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\res\is-DQ2LK.tmp	CiscoSetup.tmp
File created	C:\Program Files (x86)\Cisco\Cisco Secure Client\is-2MS22.tmp	CiscoSetup.tmp
File created	C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\5.0.00923\res\is-LTU4F.tmp	CiscoSetup.tmp
File created	C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\5.0.00923\res\is-T51O2.tmp	CiscoSetup.tmp
File created	C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\5.0.00923\res\is-83CIC.tmp	CiscoSetup.tmp
File created	C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\5.0.00923\l10n\pl-pl\LC_MESSAGES\is-L9ANO.tmp	CiscoSetup.tmp
File created	C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\5.0.00923\res\is-R0UHC.tmp	CiscoSetup.tmp
File created	C:\Program Files (x86)\Cisco\Cisco Secure Client\is-OP49I.tmp	CiscoSetup.tmp
File created	C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\res\is-649VF.tmp	CiscoSetup.tmp
File created	C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\res\is-0LF8M.tmp	CiscoSetup.tmp
File created	C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\res\is-BMELF.tmp	CiscoSetup.tmp
File created	C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\res\is-M23J9.tmp	CiscoSetup.tmp
File created	C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\5.0.00923\res\is-L6MCJ.tmp	CiscoSetup.tmp
File created	C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\res\is-667R0.tmp	CiscoSetup.tmp
File created	C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\res\is-RSJQS.tmp	CiscoSetup.tmp
File created	C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\5.0.00923\res\is-8EEDT.tmp	CiscoSetup.tmp
File created	C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\5.0.00923\res\is-17F5T.tmp	CiscoSetup.tmp
File created	C:\Program Files (x86)\Cisco\Cisco Secure Client\is-NC3VJ.tmp	CiscoSetup.tmp
File created	C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\res\is-14A04.tmp	CiscoSetup.tmp
File created	C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\5.0.00923\l10n\hu-hu\LC_MESSAGES\is-84ITR.tmp	CiscoSetup.tmp
File created	C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\5.0.00923\res\is-F2QK9.tmp	CiscoSetup.tmp
File created	C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\res\is-9GLRV.tmp	CiscoSetup.tmp
File created	C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\res\is-5KUS9.tmp	CiscoSetup.tmp
File created	C:\Program Files (x86)\Cisco\Cisco Secure Client\is-HP3FI.tmp	CiscoSetup.tmp
File created	C:\Program Files (x86)\Cisco\Cisco Secure Client\is-HFN2C.tmp	CiscoSetup.tmp
File created	C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\5.0.00923\l10n\zh-cn\LC_MESSAGES\is-UQQ2J.tmp	CiscoSetup.tmp
File created	C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\5.0.00923\res\is-9ETO8.tmp	CiscoSetup.tmp
File created	C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\5.0.00923\res\is-GH1SK.tmp	CiscoSetup.tmp
File created	C:\Program Files (x86)\Cisco\Cisco Secure Client\Install\Dependency\is-N6G8V.tmp	CiscoSetup.tmp
File created	C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\l10n\nl-nl\LC_MESSAGES\is-FSQK0.tmp	CiscoSetup.tmp
File created	C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\res\is-HCN1L.tmp	CiscoSetup.tmp
File created	C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\5.0.00923\l10n\cs-cz\LC_MESSAGES\is-J6PBV.tmp	CiscoSetup.tmp
File created	C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\5.0.00923\l10n\it-it\LC_MESSAGES\is-2OS85.tmp	CiscoSetup.tmp
File created	C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\5.0.00923\res\is-3NLO7.tmp	CiscoSetup.tmp
File created	C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\5.0.00923\res\is-KRN73.tmp	CiscoSetup.tmp
File created	C:\Program Files (x86)\Cisco\Cisco Secure Client\is-VBH95.tmp	CiscoSetup.tmp
File created	C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\l10n\zh-hant\LC_MESSAGES\is-5CKKC.tmp	CiscoSetup.tmp
File created	C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\res\is-KNVA8.tmp	CiscoSetup.tmp
File created	C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\res\is-93NOK.tmp	CiscoSetup.tmp
File created	C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\is-RC7N0.tmp	CiscoSetup.tmp
File created	C:\Program Files (x86)\Cisco\Cisco Secure Client\is-PQE1R.tmp	CiscoSetup.tmp
File created	C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\5.0.00923\l10n\de-de\LC_MESSAGES\is-7GHSG.tmp	CiscoSetup.tmp
File created	C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\5.0.00923\res\is-BU5JB.tmp	CiscoSetup.tmp
File created	C:\Program Files (x86)\Cisco\Cisco Secure Client\is-L3TPK.tmp	CiscoSetup.tmp
File created	C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\is-KA8N4.tmp	CiscoSetup.tmp
File created	C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\res\is-RL2RL.tmp	CiscoSetup.tmp
File created	C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\res\is-0MB32.tmp	CiscoSetup.tmp
File created	C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\res\is-4R1FL.tmp	CiscoSetup.tmp
File created	C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\5.0.00923\is-56TDO.tmp	CiscoSetup.tmp
File created	C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\5.0.00923\res\is-9VI6O.tmp	CiscoSetup.tmp
File created	C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\l10n\ja-jp\LC_MESSAGES\is-T9AEP.tmp	CiscoSetup.tmp
File created	C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\Setup\5.0.00923\res\is-2MC93.tmp	CiscoSetup.tmp
File created	C:\Program Files (x86)\Cisco\Cisco Secure Client\is-UER9D.tmp	CiscoSetup.tmp
File created	C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\l10n\it-it\LC_MESSAGES\is-3N2RP.tmp	CiscoSetup.tmp
File created	C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\l10n\pl-pl\LC_MESSAGES\is-D1SNO.tmp	CiscoSetup.tmp
File created	C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\res\is-HSLMM.tmp	CiscoSetup.tmp

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1360	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CiscoSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CiscoSetup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1360	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1360	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2092	CiscoSetup.tmp

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 2092	2380	CiscoSetup.exe	30
PID 2380 wrote to memory of 2092	2380	CiscoSetup.exe	30
PID 2380 wrote to memory of 2092	2380	CiscoSetup.exe	30
PID 2380 wrote to memory of 2092	2380	CiscoSetup.exe	30
PID 2380 wrote to memory of 2092	2380	CiscoSetup.exe	30
PID 2380 wrote to memory of 2092	2380	CiscoSetup.exe	30
PID 2380 wrote to memory of 2092	2380	CiscoSetup.exe	30
PID 2092 wrote to memory of 1360	2092	CiscoSetup.tmp	32
PID 2092 wrote to memory of 1360	2092	CiscoSetup.tmp	32
PID 2092 wrote to memory of 1360	2092	CiscoSetup.tmp	32
PID 2092 wrote to memory of 1360	2092	CiscoSetup.tmp	32

C:\Users\Admin\AppData\Local\Temp\CiscoSetup.exe
"C:\Users\Admin\AppData\Local\Temp\CiscoSetup.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Users\Admin\AppData\Local\Temp\is-NAP2R.tmp\CiscoSetup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-NAP2R.tmp\CiscoSetup.tmp" /SL5="$30130,13456411,1058304,C:\Users\Admin\AppData\Local\Temp\CiscoSetup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\is-MPD09.tmp\cispn.ps1"
    3⤵
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\csc_ui.exe

Filesize
2.9MB

MD5
24de4ed3ff1fa997f867b591be4e001d

SHA1
744d45ebd394880598b597d882ae2b634b9261fb

SHA256
7c4330c4bd0c6890c7efc49af493056b92332c65be2bf885cd2a599369ba5349

SHA512
8a32756cffcd10d6df5f0b6da917a203115431fe101b2b7746b1d8e76956b12f6af5ce89bce29bc505558943f4d661d45e2630b4b5790625b968549146ebec88

Download Submit
C:\Program Files (x86)\Cisco\Cisco Secure Client\UI\l10n\es-es\LC_MESSAGES\is-CRB2Q.tmp

Filesize
346KB

MD5
9d4300c87c9e378a13efa9999d305929

SHA1
0a7bb44a99208085296e782fd2e7b22170e7d03a

SHA256
d92d3e91f1b4036435cc6e39e2ce048de7153a54577695313aca1119df70de82

SHA512
297d7848fb011d8e79a7ee1b48d42227fc8582848b9232f4ed155b5fa1476c25654885fbd39e0207dd86f619bfc0fde41a0d448365e5b1d57d7c359b7eae3b1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MPD09.tmp\cispn.ps1

Filesize
2.9MB

MD5
2d47f35f6ec3abdfa6df92cb13bef294

SHA1
16e532caac6b7176369f5fa29a869ffa0def8947

SHA256
85c3c72a135ee57914d27c563e9ae31f417af72fa04ab2d3a09f10eb674455cb

SHA512
e6be961e4f384749f621e3b14f2b1468f3218480de3eeaa0c7a6448f70911fc942b30d1c135729edea9bd489c8b5f42fd255617a79428568df2a58f9d6c0e134

Download Submit
\Users\Admin\AppData\Local\Temp\is-NAP2R.tmp\CiscoSetup.tmp

Filesize
3.4MB

MD5
bfd84005e52425f9b8fe658b9663e1c4

SHA1
49c54a003678dc14a19ac5d07c9bf053b8cd0683

SHA256
2ea785b8a4cf5c5fc457350a4c636dac40137269a1a93d24c1083f1f77324d5d

SHA512
3e4e2a32f50c6bb200af8a37c8653ef55e6d8ff47042266181546fd1ccf125a4fd5d2b7d8801d9179bf5e899c4992092895ee6f0d3f4e11ac8d5a1f40e5f82bf

Download Submit
memory/2092-8-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/2092-11-0x0000000000240000-0x00000000005B0000-memory.dmp

Filesize
3.4MB

Download
memory/2092-12-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/2092-14-0x0000000000240000-0x00000000005B0000-memory.dmp

Filesize
3.4MB

Download
memory/2092-16-0x0000000000240000-0x00000000005B0000-memory.dmp

Filesize
3.4MB

Download
memory/2092-541-0x0000000000240000-0x00000000005B0000-memory.dmp

Filesize
3.4MB

Download
memory/2380-10-0x0000000000190000-0x00000000002A0000-memory.dmp

Filesize
1.1MB

Download
memory/2380-2-0x0000000000191000-0x0000000000239000-memory.dmp

Filesize
672KB

Download
memory/2380-0-0x0000000000190000-0x00000000002A0000-memory.dmp

Filesize
1.1MB

Download
memory/2380-542-0x0000000000190000-0x00000000002A0000-memory.dmp

Filesize
1.1MB

Download