8433fe414ef00a0c1eabb4c12a9274f736715ecb0f73bcc28d7ead059f5f0bc4

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-11-2024 22:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

746KB
MD5

fce837623f5184a71022ae71638c84f7
SHA1

f89872d03aa84d7d445c447a917dbc118a25d42c
SHA256

ac0cd27c71d75b6ea298c5169f845ab40e4b5750cb76368c5364f29178e0594d
SHA512

5cd855b3493e8bb1f17f0ba809efb13c690eb1cc8a12006d2d74a5f8d69a3aadc77718a6e752a5c1455c218fd099895d54dcc41652ea889e41892c49d736755b
SSDEEP

6144:d/QiQXCh5m+ksmpk3U9j0IF2soxvjFEOTb9WmZX/8shzdsY4CpHPhnZSvb:VQi3hc6m6UR0Icp1hf39Wkv8xwJZg

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Setup.tmp

pid process

2460 Setup.tmp
Loads dropped DLL 4 IoCs

Processes:

Setup.exeSetup.tmp

pid process

1404 Setup.exe
2460 Setup.tmp
2460 Setup.tmp
2460 Setup.tmp

pid	process
2460	Setup.tmp

pid	process
1404	Setup.exe
2460	Setup.tmp
2460	Setup.tmp
2460	Setup.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Setup.exeSetup.tmp

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.tmp

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

Setup.exe

description	pid	process	target process
PID 1404 wrote to memory of 2460	1404	Setup.exe	Setup.tmp
PID 1404 wrote to memory of 2460	1404	Setup.exe	Setup.tmp
PID 1404 wrote to memory of 2460	1404	Setup.exe	Setup.tmp
PID 1404 wrote to memory of 2460	1404	Setup.exe	Setup.tmp
PID 1404 wrote to memory of 2460	1404	Setup.exe	Setup.tmp
PID 1404 wrote to memory of 2460	1404	Setup.exe	Setup.tmp
PID 1404 wrote to memory of 2460	1404	Setup.exe	Setup.tmp

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Users\Admin\AppData\Local\Temp\is-M766O.tmp\Setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-M766O.tmp\Setup.tmp" /SL5="$30144,506127,422400,C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-6QBAU.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-6QBAU.tmp\idp.dll

Filesize
216KB

MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
\Users\Admin\AppData\Local\Temp\is-M766O.tmp\Setup.tmp

Filesize
1.0MB

MD5
ee6709a95f2776394f70e2651e647b48

SHA1
0b4dcf16608f71dddd634f9799228752b8b2313f

SHA256
81d5863c75b5d17e4be6b8decfd4b32be5a41e652cf803cea68271d51473f4cf

SHA512
282f4a1add4a6db8c136d1a6b15e33ee37d6a280246757b805926468ae089d641a7a9366db8a16992987597401e4b1fafe22fe196387c3e7cdbc1981db61cc46

Download Submit
memory/1404-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/1404-0-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1404-24-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/2460-14-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/2460-22-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download