Analysis

  • max time kernel
    52s
  • max time network
    59s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    03-11-2024 16:36

General

  • Target

    WindowBlinds11_setup.exe

  • Size

    95.4MB

  • MD5

    72ecc6b491dbc5a46ab9f215c556691c

  • SHA1

    652c3d358185405793a91dbb8d38cfaab052383d

  • SHA256

    04128112e38f9f5f4f4441396407cc6128226f7638aef512419a9aa24b6be1ce

  • SHA512

    6e355a4c1947c68aa75af13ca5d1c59dc72e17df22cf423400d53b2875385d16771121a2f80b70c250eb50ad65a5cba5c13b67028ae6c269f87e319d54bba2c5

  • SSDEEP

    1572864:SAwUb6en83FlhNoMEvpbfJimmatUGKWvhJiorxsJivsE2I+oYk0qQIr5ZuW+a+:jGiMrhNohTcBoUfWJcSOcUE71YZqbLwr

Score
5/10

Malware Config

Signatures

  • UPX packed file 6 IoCs

    Detects executables packed with the open-source UPX packer or a modified UPX build.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
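The "UPX packed file" signature above is a section-header match. As an added example (not part of this report or the sandbox's own rule set), the following checker reads the PE section table by hand and applies two tests: the section-name match the signature relies on, and a layout/entropy heuristic that still fires when a modified UPX build renames its sections. The `build_sample` helper constructs a minimal, non-executable PE image purely as test input; the section names and payload it uses are assumptions, not data from the sample analysed here.

```python
import random
import struct
from collections import Counter
from math import log2

SECTION_HEADER_SIZE = 40  # IMAGE_SECTION_HEADER is 40 bytes


def parse_sections(pe: bytes):
    """Return [(name, virtual_size, raw_size, raw_bytes), ...] from a PE image.

    Walks DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table.
    Raises ValueError on anything that is not a PE file.
    """
    if len(pe) < 0x40 or pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_SIZE
        name, vsize, _vaddr, rsize, rptr = struct.unpack_from("<8sIIII", pe, off)
        raw = pe[rptr:rptr + rsize] if rsize else b""
        sections.append((name.rstrip(b"\0").decode("latin-1"), vsize, rsize, raw))
    return sections


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * log2(c / n) for c in Counter(data).values())


def upx_indicators(pe: bytes) -> dict:
    secs = parse_sections(pe)
    names = [s[0] for s in secs]
    # Test 1: the classic signature match on section names (UPX0/UPX1/...).
    by_name = any(n.startswith("UPX") for n in names)
    # Test 2: layout heuristic that survives renamed sections. Stock UPX emits a
    # first section with no raw data but a large virtual size (the unpack
    # destination) followed by a section holding the high-entropy compressed body.
    by_layout = (
        len(secs) >= 2
        and secs[0][2] == 0 and secs[0][1] > 0
        and secs[1][2] > 0 and entropy(secs[1][3]) > 7.0
    )
    return {"section_names": names, "upx_names": by_name, "upx_layout": by_layout}


def build_sample(names=(b"UPX0", b"UPX1", b".rsrc"), payload=None) -> bytes:
    """Constructed test input: a minimal PE with exactly three sections.

    Section 0 is virtual-only, section 1 carries `payload` (pseudo-random bytes
    by default, standing in for a compressed body), section 2 is a small
    zero-filled resource section. Not a real or runnable binary.
    """
    if len(names) != 3:
        raise ValueError("build_sample expects exactly three section names")
    if payload is None:
        rng = random.Random(1)
        payload = bytes(rng.getrandbits(8) for _ in range(4096))
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=i386, NumberOfSections, 3 x zero, SizeOfOptionalHeader=0, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0, 0x102)
    data_off = e_lfanew + 4 + 20 + SECTION_HEADER_SIZE * len(names)
    rsrc = b"\0" * 0x200
    specs = [  # (VirtualSize, SizeOfRawData, PointerToRawData)
        (0x20000, 0, 0),
        (len(payload), len(payload), data_off),
        (len(rsrc), len(rsrc), data_off + len(payload)),
    ]
    headers = b"".join(
        struct.pack("<8sIIIIIIHHI", n, vs, 0x1000 * (i + 1), rs, rp, 0, 0, 0, 0, 0)
        for i, (n, (vs, rs, rp)) in enumerate(zip(names, specs))
    )
    return dos + b"PE\0\0" + coff + headers + payload + rsrc


if __name__ == "__main__":
    print(upx_indicators(build_sample()))
    print(upx_indicators(build_sample((b".text", b".data", b".rsrc"))))
```

The entropy threshold (7.0 bits/byte) is a common triage cut-off, not a UPX constant; a legitimately large resource-only section can exceed it, so treat the layout test as a prompt to unpack and inspect, not as a verdict.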

Processes

  • C:\Users\Admin\AppData\Local\Temp\WindowBlinds11_setup.exe
    "C:\Users\Admin\AppData\Local\Temp\WindowBlinds11_setup.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2748
    • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
      "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1981986 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\WindowBlinds11_setup.exe" "__IRCT:3" "__IRTSS:0" "__IRSID:S-1-5-21-3533259084-2542256011-65585152-1000"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Modifies system certificate store
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2644
      • C:\Windows\SysWOW64\reg.exe
        "C:\Windows\system32\reg.exe" export HKLM\Software\Stardock C:\Users\Admin\AppData\Local\Temp\registry_export.txt /y /reg:32
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1972
      • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe
        "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe" C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.tmp
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2068
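The tree above is what a detection engineer would encode as rules: a dropped executable run from the user's Temp directory by another Temp-resident process, a `reg.exe export` launched by that installer runtime, and a user SID passed on a command line. As an added example (not part of the report or of any product's rule set), the sketch below runs three such rules over process events transcribed from this tree. The event dictionary shape (`pid`, `ppid`, `image`, `cmdline`) and the rule names are assumptions for illustration.

```python
import re

# Constructed from the process tree in this report (parent PIDs from the nesting).
EVENTS = [
    {"pid": 2748, "ppid": None,
     "image": r"C:\Users\Admin\AppData\Local\Temp\WindowBlinds11_setup.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\WindowBlinds11_setup.exe"'},
    {"pid": 2644, "ppid": 2748,
     "image": r"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1981986 '
                r'"__IRAFN:C:\Users\Admin\AppData\Local\Temp\WindowBlinds11_setup.exe" "__IRCT:3" '
                r'"__IRTSS:0" "__IRSID:S-1-5-21-3533259084-2542256011-65585152-1000"'},
    {"pid": 1972, "ppid": 2644,
     "image": r"C:\Windows\SysWOW64\reg.exe",
     "cmdline": r'"C:\Windows\system32\reg.exe" export HKLM\Software\Stardock '
                r'C:\Users\Admin\AppData\Local\Temp\registry_export.txt /y /reg:32'},
    {"pid": 2068, "ppid": 2644,
     "image": r"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe" '
                r'C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.tmp'},
]

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
SID_RE = re.compile(r"S-1-5-21-\d+-\d+-\d+-\d+")
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def split_cmdline(cmd: str):
    """Split a Windows command line into tokens, dropping surrounding quotes."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmd)]


def ancestry(events, pid):
    """Return the PID chain from the root process down to `pid`."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


def triage(events):
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        tokens = split_cmdline(e["cmdline"])
        image = e["image"].lower()
        # Rule 1: Temp-resident process executes another Temp-resident executable.
        if parent and TEMP_RE.search(parent["image"]) and TEMP_RE.search(e["image"]):
            findings.append({"rule": "dropped_exe_from_temp", "pid": e["pid"],
                             "image": e["image"], "chain": ancestry(events, e["pid"])})
        # Rule 2: reg.exe export <key> <file> [flags]; /reg:32 selects the 32-bit view.
        if image.endswith("\\reg.exe") and len(tokens) >= 4 and tokens[1].lower() == "export":
            findings.append({"rule": "registry_export", "pid": e["pid"], "key": tokens[2],
                             "output": tokens[3], "flags": tokens[4:],
                             "parent": parent["image"] if parent else None})
        # Rule 3: a domain/local user SID appears on a command line.
        for sid in SID_RE.findall(e["cmdline"]):
            findings.append({"rule": "sid_on_cmdline", "pid": e["pid"], "sid": sid})
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f)
```

Rule 1 fires twice here (irsetup.exe and GetMachineSID.exe), which is exactly what a self-extracting installer is expected to do; the value of the rule is the parent chain it records, so the reg.exe export can be tied back to the original setup binary rather than judged in isolation.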

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.tmp

    Filesize

    39B

    MD5

    865c04af1ace3192feae236929e93f75

    SHA1

    5a7e1395345d4f17e7ffb9fbebcfd848f25f583a

    SHA256

    8cea363a44ac2993ef8a802e01e7f810e54fd4740db077c953a0512edd5e4c59

    SHA512

    19bebd5127a267295666625175e7b8e533f1ab355b7cbede457632ca527ab2da32fda25e2980c3e0ba8e294a8ddd62647a9a21bfe8df111e60e60a7abd0bb49e

  • C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

    Filesize

    326KB

    MD5

    80d93d38badecdd2b134fe4699721223

    SHA1

    e829e58091bae93bc64e0c6f9f0bac999cfda23d

    SHA256

    c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59

    SHA512

    9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4

  • \Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Encoding.lmd

    Filesize

    393KB

    MD5

    6eec47ab86d212fe3ed0f56985c8e817

    SHA1

    06da90bcc06c73ce2c7e112818af65f66fcae6c3

    SHA256

    d0b2fa60e707982899ecd8c4dc462721c82491245b26721a7c0e840c5f557aed

    SHA512

    36d6ef8a3fecb2c423079cadbfcbe2b044095f641c9a6ce0f9d0e96c6400f00a089aa26cc9d361bfdbcfdc3a8487d18d64956b36f39320648d1ddb565221a9cb

  • \Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe

    Filesize

    58KB

    MD5

    55bbf335f75f2a2fe0a5daf603964d41

    SHA1

    f1b9686e8a9f10682722fc5e08c02c016b597804

    SHA256

    723adae0e69127a6bfbc65c5ef552a351264205ea5e2bc3b80e505feaa5d0e43

    SHA512

    af49055234cb4a0ddbc68212db094c7a7a1058ccf6a1a5830238fe3ff96fa35390d242322436839d6d7e419bd9e4ad8962e213222470625cffb46423dec44db6

  • \Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd

    Filesize

    97KB

    MD5

    da1d0cd400e0b6ad6415fd4d90f69666

    SHA1

    de9083d2902906cacf57259cf581b1466400b799

    SHA256

    7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575

    SHA512

    f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

  • \Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

    Filesize

    1.3MB

    MD5

    68ac216f38a5f7c823712c216ca4b060

    SHA1

    f6ad96e91103c40eb33fd3f1324d99093e5d014e

    SHA256

    748d48d246526e2a79edcde87255ffa5387e3bcc94f6ca5e59589e07e683cd80

    SHA512

    9b7dce4ed6e2caee1cdb33e490e7062344d95d27ba48e96f66094a3413da27fb32680dd2e9a5b2091489780929c27fe36914210793fbef81dfb5b4fb1a9b469b

  • memory/2644-43-0x0000000004BD0000-0x0000000004D14000-memory.dmp

    Filesize

    1.3MB

  • memory/2644-104-0x0000000004BD0000-0x0000000004D14000-memory.dmp

    Filesize

    1.3MB

  • memory/2644-39-0x0000000000870000-0x0000000000873000-memory.dmp

    Filesize

    12KB

  • memory/2644-38-0x0000000010000000-0x0000000010051000-memory.dmp

    Filesize

    324KB

  • memory/2644-110-0x0000000004BD0000-0x0000000004D14000-memory.dmp

    Filesize

    1.3MB

  • memory/2644-44-0x00000000008E0000-0x00000000008E3000-memory.dmp

    Filesize

    12KB

  • memory/2644-109-0x0000000010000000-0x0000000010051000-memory.dmp

    Filesize

    324KB

  • memory/2644-55-0x0000000002360000-0x0000000002370000-memory.dmp

    Filesize

    64KB

  • memory/2644-105-0x0000000000920000-0x0000000000D08000-memory.dmp

    Filesize

    3.9MB

  • memory/2644-103-0x0000000010000000-0x0000000010051000-memory.dmp

    Filesize

    324KB

  • memory/2644-74-0x0000000000920000-0x0000000000D08000-memory.dmp

    Filesize

    3.9MB

  • memory/2644-99-0x0000000004BD0000-0x0000000004D14000-memory.dmp

    Filesize

    1.3MB

  • memory/2644-100-0x00000000008E0000-0x00000000008E3000-memory.dmp

    Filesize

    12KB

  • memory/2644-98-0x0000000010000000-0x0000000010051000-memory.dmp

    Filesize

    324KB

  • memory/2644-97-0x0000000000920000-0x0000000000D08000-memory.dmp

    Filesize

    3.9MB

  • memory/2644-101-0x0000000002360000-0x0000000002370000-memory.dmp

    Filesize

    64KB

  • memory/2644-30-0x0000000000920000-0x0000000000D08000-memory.dmp

    Filesize

    3.9MB

  • memory/2748-7-0x0000000003300000-0x00000000036E8000-memory.dmp

    Filesize

    3.9MB

  • memory/2748-17-0x0000000003300000-0x00000000036E8000-memory.dmp

    Filesize

    3.9MB

  • memory/2748-19-0x0000000003300000-0x00000000036E8000-memory.dmp

    Filesize

    3.9MB

  • memory/2748-20-0x0000000003300000-0x00000000036E8000-memory.dmp

    Filesize

    3.9MB
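The memory dump list repeats the same region of PID 2644 several times (for example 0x04BD0000-0x04D14000 appears under sequence numbers 43, 99, 104 and 110). As an added example (not part of the report), the parser below turns the `memory/<pid>-<seq>-<start>-<end>-memory.dmp` names into one row per distinct region, with its size in the same KB/MB style the report uses, and the list of dumps taken of it. It assumes the middle number is a per-run sequence index; the sample names are copied from this report.

```python
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Constructed subset of the dump names listed in this report.
SAMPLE_DUMPS = [
    "memory/2644-43-0x0000000004BD0000-0x0000000004D14000-memory.dmp",
    "memory/2644-104-0x0000000004BD0000-0x0000000004D14000-memory.dmp",
    "memory/2644-39-0x0000000000870000-0x0000000000873000-memory.dmp",
    "memory/2644-38-0x0000000010000000-0x0000000010051000-memory.dmp",
    "memory/2644-110-0x0000000004BD0000-0x0000000004D14000-memory.dmp",
    "memory/2644-109-0x0000000010000000-0x0000000010051000-memory.dmp",
    "memory/2644-103-0x0000000010000000-0x0000000010051000-memory.dmp",
    "memory/2644-99-0x0000000004BD0000-0x0000000004D14000-memory.dmp",
    "memory/2644-98-0x0000000010000000-0x0000000010051000-memory.dmp",
    "memory/2748-7-0x0000000003300000-0x00000000036E8000-memory.dmp",
    "memory/2748-17-0x0000000003300000-0x00000000036E8000-memory.dmp",
    "memory/2748-19-0x0000000003300000-0x00000000036E8000-memory.dmp",
    "memory/2748-20-0x0000000003300000-0x00000000036E8000-memory.dmp",
]


def parse_dump_name(name: str):
    """Return {pid, seq, start, end, size} for a dump name, or None if it does not match."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        return None  # reject inverted or empty ranges rather than report a negative size
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def fmt_size(n: int) -> str:
    """Report-style size text: whole KB below 1 MiB, one decimal MB above."""
    return f"{n / 1048576:.1f}MB" if n >= 1048576 else f"{n // 1024}KB"


def summarize(names):
    """Collapse repeated dumps of one (pid, start, end) region into a single row."""
    regions = defaultdict(list)
    for name in names:
        d = parse_dump_name(name)
        if d:
            regions[(d["pid"], d["start"], d["end"])].append(d["seq"])
    rows = []
    for (pid, start, end), seqs in sorted(regions.items()):
        rows.append({"pid": pid, "start": start, "end": end, "size": end - start,
                     "size_text": fmt_size(end - start), "dumps": sorted(seqs)})
    return rows


if __name__ == "__main__":
    for r in summarize(SAMPLE_DUMPS):
        print(f'{r["pid"]} 0x{r["start"]:08X}-0x{r["end"]:08X} {r["size_text"]:>6} dumps={r["dumps"]}')
```

Collapsing the list this way leaves four regions for the thirteen sample names; the repeated dumps of one region are the ones worth diffing against each other, since a change between sequence numbers is where unpacking or in-place patching happened.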