9dc2dcabca1538137079bb81847c1aaa9b390a54d58776b569a2fd5b3c2d14e6

Analysis

max time kernel
139s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-11-2024 12:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mal2/Setup.exe
Size

80KB
MD5

2a8613b7d99903516b8fe02fd820bf52
SHA1

78a96addcb556ab1d490fac80f929305263d06b9
SHA256

f1d68c5e7c7660d4f2ce412c109b7fe3e088872fa0ebe61ca9ab9dd92a496407
SHA512

af0902aeb6169ea507b787da7b61c3533df4610c3f51c1d8f65dfc9008c8ce2580f2d86a49a4d0acc2c51c731f3e4c447d0d1d8e779dc1c75e43d30b79c46436
SSDEEP

1536:9A8oAY5SXfidLez+Q+EGfdUHLLXJ+CqoVpPBucQwk7qnKXKo5OMY8xk03ben8TK:M7Ohz+Q+EGlUHLLXJ+CqoTPBucQwktXS

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

nc.exe

pid	Process
1816	nc.exe

Loads dropped DLL 1 IoCs

Processes:

AutoIt3.exe

pid	Process
1680	AutoIt3.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Setup.exe

description	pid	Process	procid_target
PID 2284 set thread context of 2264	2284	Setup.exe	93

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Setup.exemore.comAutoIt3.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	more.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AutoIt3.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Setup.exemore.com

pid	Process
2284	Setup.exe
2284	Setup.exe
2264	more.com
2264	more.com

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

Setup.exemore.com

pid	Process
2284	Setup.exe
2264	more.com

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

Setup.exemore.com

description	pid	Process	procid_target
PID 2284 wrote to memory of 1816	2284	Setup.exe	87
PID 2284 wrote to memory of 1816	2284	Setup.exe	87
PID 2284 wrote to memory of 2264	2284	Setup.exe	93
PID 2284 wrote to memory of 2264	2284	Setup.exe	93
PID 2284 wrote to memory of 2264	2284	Setup.exe	93
PID 2284 wrote to memory of 2264	2284	Setup.exe	93
PID 2264 wrote to memory of 1680	2264	more.com	99
PID 2264 wrote to memory of 1680	2264	more.com	99
PID 2264 wrote to memory of 1680	2264	more.com	99
PID 2264 wrote to memory of 1680	2264	more.com	99
PID 2264 wrote to memory of 1680	2264	more.com	99

C:\Users\Admin\AppData\Local\Temp\mal2\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\mal2\Setup.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Users\Admin\AppData\Roaming\DJGB\NQRIOHGMUAH\nc.exe
  C:\Users\Admin\AppData\Roaming\DJGB\NQRIOHGMUAH\nc.exe
  2⤵
  - Executes dropped EXE
  PID:1816
- C:\Windows\SysWOW64\more.com
  C:\Windows\SysWOW64\more.com
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe
    C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe

Filesize
921KB

MD5
3f58a517f1f4796225137e7659ad2adb

SHA1
e264ba0e9987b0ad0812e5dd4dd3075531cfe269

SHA256
1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48

SHA512
acf740aafce390d06c6a76c84e7ae7c0f721731973aadbe3e57f2eb63241a01303cc6bf11a3f9a88f8be0237998b5772bdaf569137d63ba3d0f877e7d27fc634

Download Submit
C:\Users\Admin\AppData\Local\Temp\f1efccc5

Filesize
2.3MB

MD5
a582b44e168cf15cd93faacdfe29a1b9

SHA1
be3cd2bb2ac33dde19af51652eeeab541a92a369

SHA256
8f5aab86ad6bf555975379716aca9222bb823e9c375890798466eef63ac509a8

SHA512
d97d7d716db1abacce5eec8905446c9b6a6ce2f93033b7931b4a8d696b614e60cfcd14d5bc1c7a7b20023cba5b3ea96017d8dcce38e21a3a02f9708e57d4ef76

Download Submit
C:\Users\Admin\AppData\Roaming\DJGB\NQRIOHGMUAH\nc.exe

Filesize
285KB

MD5
7fb44c5bca4226d8aab7398e836807a2

SHA1
47128e4f8afabfde5037ed0fcaba8752c528ff52

SHA256
a64ead73c06470bc5c84cfc231b0723d70d29fec7d385a268be2c590dc5eb1ef

SHA512
f0bd093f054c99bcc50df4005d0190bd7e3dcefea7008ae4c9b67a29e832e02ae9ff39fa75bc1352c127aeb13afdea9bfdcc238ac826ef17f288d6fbd2ec8cab

Download Submit
memory/1680-49-0x0000000000810000-0x0000000000883000-memory.dmp

Filesize
460KB

Download
memory/1680-50-0x00007FFDDD330000-0x00007FFDDD525000-memory.dmp

Filesize
2.0MB

Download
memory/1680-51-0x0000000000810000-0x0000000000883000-memory.dmp

Filesize
460KB

Download
memory/1816-19-0x00000227BDE80000-0x00000227BE0F0000-memory.dmp

Filesize
2.4MB

Download
memory/1816-29-0x00000227BC520000-0x00000227BC521000-memory.dmp

Filesize
4KB

Download
memory/1816-30-0x00000227BDE80000-0x00000227BE0F0000-memory.dmp

Filesize
2.4MB

Download
memory/2264-47-0x0000000072910000-0x0000000072A8B000-memory.dmp

Filesize
1.5MB

Download
memory/2264-42-0x0000000072910000-0x0000000072A8B000-memory.dmp

Filesize
1.5MB

Download
memory/2264-41-0x0000000072910000-0x0000000072A8B000-memory.dmp

Filesize
1.5MB

Download
memory/2264-38-0x00007FFDDD330000-0x00007FFDDD525000-memory.dmp

Filesize
2.0MB

Download
memory/2264-36-0x0000000072910000-0x0000000072A8B000-memory.dmp

Filesize
1.5MB

Download
memory/2284-15-0x0000000072910000-0x0000000072A8B000-memory.dmp

Filesize
1.5MB

Download
memory/2284-33-0x0000000072923000-0x0000000072925000-memory.dmp

Filesize
8KB

Download
memory/2284-31-0x0000000072910000-0x0000000072A8B000-memory.dmp

Filesize
1.5MB

Download
memory/2284-32-0x0000000072923000-0x0000000072924000-memory.dmp

Filesize
4KB

Download
memory/2284-0-0x0000000072910000-0x0000000072A8B000-memory.dmp

Filesize
1.5MB

Download
memory/2284-10-0x0000000072923000-0x0000000072924000-memory.dmp

Filesize
4KB

Download
memory/2284-13-0x0000000072910000-0x0000000072A8B000-memory.dmp

Filesize
1.5MB

Download
memory/2284-12-0x0000000072910000-0x0000000072A8B000-memory.dmp

Filesize
1.5MB

Download
memory/2284-1-0x00007FFDDD330000-0x00007FFDDD525000-memory.dmp

Filesize
2.0MB

Download