59af63a2492f69fde69c4cbe15622e422c9d46b517e08a363aa37f0a15e2bf0f

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07-11-2024 18:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

646KB
MD5

16b65da3e4b40c5d13c7c682deea2db1
SHA1

656bc78fbba8606afcad2dc38b7fa69d59f7a85a
SHA256

3be9008d57075c94568bf85423b88b071e6bd2eaeb85399d9bae516d1a8c62f2
SHA512

d0425c0d00e720d63be4136b6139a108ff6b23bbb3136d472e3d9e3a4c06083ba98ec246645c5a3e32b89910dc161883320d3afca7a4c33c6902fbeb1f9f1839
SSDEEP

12288:lJxJDu5hJdbv+BygQZ2eHF04+KMoeMb01JQntLOCC6+V:zzu5hJdbHZ2eXpemC6+

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

setup.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

Modifies registry class 27 IoCs

Processes:

dfsvc.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\VisibilityRoots	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Families	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Assemblies	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Visibility	dfsvc.exe
Key deleted	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0	dfsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\StateStore_RandomString = "A0OP4DN2NQYL1O5ZZNPQR9AA"	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{60051b8f-4f12-400a-8e50-dd05ebd438d1}	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Marks	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{60051b8f-4f12-400a-8e50-dd05ebd438d1}\tria..tion_000000000000000 = 3c004100700070006c00690063006100740069006f006e00540072007500730074002000760065007200730069006f006e003d002200310022000d000a00460075006c006c004e0061006d0065003d002200660069006c0065003a002f002f002f0043003a002f00550073006500720073002f00410064006d0069006e002f0041007000700044006100740061002f004c006f00630061006c002f00540065006d0070002f005400720069006100250032003000530069007300740065006d0061002500320030004f0070006500720061007400690075002e006100700070006c00690063006100740069006f006e00230054007200690061002000530069007300740065006d00610020004f0070006500720061007400690075002e006100700070006c00690063006100740069006f006e002c002000560065007200730069006f006e003d0032002e0037002e0033002e0030002c002000430075006c0074007500720065003d006e00650075007400720061006c002c0020005000750062006c00690063004b006500790054006f006b0065006e003d0030003000300030003000300030003000300030003000300030003000300030002c002000700072006f0063006500730073006f0072004100720063006800690074006500630074007500720065003d006d00730069006c002f0054007200690061002000530069007300740065006d00610020004f0070006500720061007400690075002e006500780065002c002000560065007200730069006f006e003d0032002e0037002e0033002e0030002c002000430075006c0074007500720065003d006e00650075007400720061006c002c0020005000750062006c00690063004b006500790054006f006b0065006e003d0030003000300030003000300030003000300030003000300030003000300030002c002000700072006f0063006500730073006f0072004100720063006800690074006500630074007500720065003d006d00730069006c002c00200074007900700065003d00770069006e003300320022000d000a00540072007500730074006500640054006f00520075006e003d002200740072007500650022000d000a0050006500720073006900730074003d002200740072007500650022003e000d000a003c00440065006600610075006c0074004700720061006e0074003e000d000a003c0050006f006c00690063007900530074006100740065006d0065006e0074002000760065007200730069006f006e003d002200310022003e000d000a003c005000650072006d0069007300730069006f006e005300650074002000760065007200730069006f006e003d002200310022000d000a0063006c006100730073003d002200530079007300740065006d002e00530065006300750072006900740079002e004e0061006d00650064005000650072006d0069007300730069006f006e0053006500740022000d000a004e0061006d0065003d0022004c006f00630061006c0049006e007400720061006e006500740022000d000a004400650073006300720069007000740069006f006e003d002200440065006600610075006c0074002000720069006700680074007300200067006900760065006e00200074006f0020006100700070006c00690063006100740069006f006e00730020006f006e00200074006800650020006c006f00630061006c00200069006e007400720061006e006500740022000d000a0055006e0072006500730074007200690063007400650064003d002200740072007500650022000d000a00490044003d00220043007500730074006f006d0022000d000a00530061006d00650053006900740065003d002200730069007400650022000d000a0078006d006c006e0073003a00610073006d00760031003d002200750072006e003a0073006300680065006d00610073002d006d006900630072006f0073006f00660074002d0063006f006d003a00610073006d002e007600310022000d000a0078006d006c006e0073003d002200750072006e003a0073006300680065006d00610073002d006d006900630072006f0073006f00660074002d0063006f006d003a00610073006d002e007600320022000d000a0078006d006c006e0073003a00610073006d00760032003d002200750072006e003a0073006300680065006d00610073002d006d006900630072006f0073006f00660074002d0063006f006d003a00610073006d002e007600320022000d000a0078006d006c006e0073003a007800730069003d00220068007400740070003a002f002f007700770077002e00770033002e006f00720067002f0032003000300031002f0058004d004c0053006300680065006d0061002d0069006e007300740061006e006300650022000d000a0078006d006c006e0073003a0063006f002e00760031003d002200750072006e003a0073006300680065006d00610073002d006d006900630072006f0073006f00660074002d0063006f006d003a0063006c00690063006b006f006e00630065002e007600310022000d000a0078006d006c006e0073003a00610073006d00760033003d002200750072006e003a0073006300680065006d00610073002d006d006900630072006f0073006f00660074002d0063006f006d003a00610073006d002e007600330022000d000a0078006d006c006e0073003a0064007300690067003d00220068007400740070003a002f002f007700770077002e00770033002e006f00720067002f0032003000300030002f00300039002f0078006d006c006400730069006700230022000d000a0078006d006c006e0073003a0063006f002e00760032003d002200750072006e003a0073006300680065006d00610073002d006d006900630072006f0073006f00660074002d0063006f006d003a0063006c00690063006b006f006e00630065002e007600320022003e000d000a003c0049005000650072006d0069007300730069006f006e00200063006c006100730073003d002200530079007300740065006d002e00530065006300750072006900740079002e005000650072006d0069007300730069006f006e0073002e00460069006c00650049004f005000650072006d0069007300730069006f006e002c0020006d00730063006f0072006c00690062002c002000560065007200730069006f006e003d0034002e0030002e0030002e0030002c002000430075006c0074007500720065003d006e00650075007400720061006c002c0020005000750062006c00690063004b006500790054006f006b0065006e003d00620037003700610035006300350036003100390033003400650030003800390022000d000a00760065007200730069006f006e003d002200310022000d000a0052006500610064003d00220043003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c00540065006d0070005c0022000d000a00500061007400680044006900730063006f0076006500720079003d00220043003a005c00550073006500720073005c00410064006d0069006e005c0041007000700044006100740061005c004c006f00630061006c005c00540065006d0070005c0022002f003e000d000a003c002f005000650072006d0069007300730069006f006e005300650074003e000d000a003c002f0050006f006c00690063007900530074006100740065006d0065006e0074003e000d000a003c002f00440065006600610075006c0074004700720061006e0074003e000d000a003c004500780074007200610049006e0066006f00200044006100740061003d00220030003000300031003000300030003000300030004600460046004600460046004600460030003100300030003000300030003000300030003000300030003000300030003000430030003200300030003000300030003000350037003500330037003900370033003700340036003500360044003200450035003700360039003600450036003400360046003700370037003300320045003400360036004600370032003600440037003300320043003200300035003600360035003700320037003300360039003600460036004500330044003300340032004500330030003200450033003000320045003300300032004300320030003400330037003500360043003700340037003500370032003600350033004400360045003600350037003500370034003700320036003100360043003200430032003000350030003700350036003200360043003600390036003300340042003600350037003900350034003600460036004200360035003600450033004400360032003300370033003700360031003300350036003300330035003300360033003100330039003300330033003400360035003300300033003800330039003000350030003100300030003000300030003000330030003500330037003900370033003700340036003500360044003200450035003300360035003600330037003500370032003600390037003400370039003200450035003000360046003600430036003900360033003700390032004500340031003700300037003000360043003600390036003300360031003700340036003900360046003600450035003400370032003700350037003300370034003400350037003800370034003700320036003100340039003600450036003600360046003000310030003000300030003000300031003800370032003600350037003100370035003600350037003300370034003700330035003300360038003600350036004300360043003400390036004500370034003600350036003700370032003600310037003400360039003600460036004500300030003000310030003200300030003000300030003000300031003000420022002f003e000d000a003c002f004100700070006c00690063006100740069006f006e00540072007500730074003e000d000a000000	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Software	dfsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\ComponentStore_RandomString = "4M4AGHQ9Z57YEK5QD2ZGZZVR"	dfsvc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\ComponentStore_RandomString = "5VXZDC2KARPQVB7WNTMLJCMY"	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Components	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Software\Microsoft	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Software\Microsoft\Windows	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{60051b8f-4f12-400a-8e50-dd05ebd438d1}\tria..tion_000000000000000 = 66696c653a2f2f2f433a2f55736572732f41646d696e2f417070446174612f4c6f63616c2f54656d702f5472696125323053697374656d612532304f706572617469752e6170706c69636174696f6e23547269612053697374656d61204f706572617469752e6170706c69636174696f6e2c2056657273696f6e3d322e372e332e302c2043756c747572653d6e65757472616c2c205075626c69634b6579546f6b656e3d303030303030303030303030303030302c2070726f636573736f724172636869746563747572653d6d73696c	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{60051b8f-4f12-400a-8e50-dd05ebd438d1}\tria..tion_000000000000000	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Categories	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\Installations	dfsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager\Applications	dfsvc.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\PackageMetadata\{2ec93463-b0c3-45e1-8364-327e96aea856}_{60051b8f-4f12-400a-8e50-dd05ebd438d1}\NonCanonicalData	dfsvc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

dfsvc.exe

description	pid	Process
Token: SeDebugPrivilege	2100	dfsvc.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

setup.exe

description	pid	Process	procid_target
PID 1804 wrote to memory of 2100	1804	setup.exe	30
PID 1804 wrote to memory of 2100	1804	setup.exe	30
PID 1804 wrote to memory of 2100	1804	setup.exe	30
PID 1804 wrote to memory of 2100	1804	setup.exe	30

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1804
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
  2⤵
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2100-0-0x000007FEF5AA3000-0x000007FEF5AA4000-memory.dmp

Filesize
4KB

Download
memory/2100-1-0x00000000010A0000-0x00000000010A8000-memory.dmp

Filesize
32KB

Download
memory/2100-5-0x000007FEF5AA0000-0x000007FEF648C000-memory.dmp

Filesize
9.9MB

Download
memory/2100-14-0x000007FEF5AA3000-0x000007FEF5AA4000-memory.dmp

Filesize
4KB

Download
memory/2100-15-0x000007FEF5AA0000-0x000007FEF648C000-memory.dmp

Filesize
9.9MB

Download