Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09-11-2024 16:15

General

  • Target

    setup.exe

  • Size

    880KB

  • MD5

    43d3ff349ad31e0ad76201755445cb1e

  • SHA1

    7b3b15c369203cf892fb0b023201c5627e23973a

  • SHA256

    5c402fd8244e177338a2a8f0c7b8df055d5a06ebd7a5225edb3d3cdaf1d1c749

  • SHA512

    771f98fcade1687c3714e6631d800ba8f186cc6de46ee36e52e78d04727f0bc7f9352d5f32788a315bd1dc5b84fabd585ea50c1bf32bbd7fc168b87a8a97d101

  • SSDEEP

    24576:L20Bj512nz5ME9t+Fez6ovAJv9aGk3KgY7rmvZf5/I:L2Xzh/fvAJ4GkJECvTI

Score
8/10

Malware Config

Signatures

  • Possible privilege escalation attempt 12 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 8 IoCs
  • Modifies file permissions 1 TTPs 12 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 33 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the victim system's language in order to infer the geographical location of that host.

  • Modifies registry class 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\setup.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3332
    • C:\Users\Admin\AppData\Local\Temp\is-VQK3I.tmp\setup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-VQK3I.tmp\setup.tmp" /SL5="$70110,660927,54272,C:\Users\Admin\AppData\Local\Temp\setup.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:3368
      • C:\Windows\Temp\gpedit\installer.exe
        "C:\Windows\Temp\gpedit\installer.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2804
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Windows\Temp\gpedit\x64.bat" "
          4⤵
          • Drops file in System32 directory
          • Suspicious use of WriteProcessMemory
          PID:1244
          • C:\Windows\system32\takeown.exe
            takeown /f C:\Windows\SysWOW64\gpedit.dll
            5⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            • Suspicious use of AdjustPrivilegeToken
            PID:740
          • C:\Windows\system32\icacls.exe
            icacls C:\Windows\SysWOW64\gpedit.dll /grant:r Admin:f
            5⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            PID:4340
          • C:\Windows\system32\takeown.exe
            takeown /f C:\Windows\SysWOW64\fde.dll
            5⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            • Suspicious use of AdjustPrivilegeToken
            PID:876
          • C:\Windows\system32\icacls.exe
            icacls C:\Windows\SysWOW64\fde.dll /grant:r Admin:f
            5⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            PID:1904
          • C:\Windows\system32\takeown.exe
            takeown /f C:\Windows\SysWOW64\gptext.dll
            5⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            • Suspicious use of AdjustPrivilegeToken
            PID:2148
          • C:\Windows\system32\icacls.exe
            icacls C:\Windows\SysWOW64\gptext.dll /grant:r Admin:f
            5⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            PID:2728
          • C:\Windows\system32\takeown.exe
            takeown /f C:\Windows\SysWOW64\appmgr.dll
            5⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            • Suspicious use of AdjustPrivilegeToken
            PID:1404
          • C:\Windows\system32\icacls.exe
            icacls C:\Windows\SysWOW64\appmgr.dll /grant:r Admin:f
            5⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            PID:644
          • C:\Windows\system32\takeown.exe
            takeown /f C:\Windows\SysWOW64\fdeploy.dll
            5⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            • Suspicious use of AdjustPrivilegeToken
            PID:3312
          • C:\Windows\system32\icacls.exe
            icacls C:\Windows\SysWOW64\fdeploy.dll /grant:r Admin:f
            5⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            PID:4636
          • C:\Windows\system32\takeown.exe
            takeown /f C:\Windows\SysWOW64\GPBAK\*
            5⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            PID:3104
          • C:\Windows\system32\icacls.exe
            icacls C:\Windows\SysWOW64\GPBAK\* /grant:r Admin:f
            5⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            PID:4024
          • C:\Windows\system32\regsvr32.exe
            regsvr32 /s C:\Windows\SysWOW64\gpedit.dll
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2832
            • C:\Windows\SysWOW64\regsvr32.exe
              /s C:\Windows\SysWOW64\gpedit.dll
              6⤵
              • Loads dropped DLL
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:4576
          • C:\Windows\system32\regsvr32.exe
            regsvr32 /s C:\Windows\SysWOW64\fde.dll
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:2484
            • C:\Windows\SysWOW64\regsvr32.exe
              /s C:\Windows\SysWOW64\fde.dll
              6⤵
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:4260
          • C:\Windows\system32\regsvr32.exe
            regsvr32 /s C:\Windows\SysWOW64\gptext.dll
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1448
            • C:\Windows\SysWOW64\regsvr32.exe
              /s C:\Windows\SysWOW64\gptext.dll
              6⤵
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:3608
          • C:\Windows\system32\regsvr32.exe
            regsvr32 /s C:\Windows\SysWOW64\appmgr.dll
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:1564
            • C:\Windows\SysWOW64\regsvr32.exe
              /s C:\Windows\SysWOW64\appmgr.dll
              6⤵
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:4072
          • C:\Windows\system32\regsvr32.exe
            regsvr32 /s C:\Windows\SysWOW64\fdeploy.dll
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4052
            • C:\Windows\SysWOW64\regsvr32.exe
              /s C:\Windows\SysWOW64\fdeploy.dll
              6⤵
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              PID:3720
  • C:\Windows\system32\mmc.exe
    "C:\Windows\system32\mmc.exe" "C:\Windows\system32\gpedit.msc"
    1⤵
    • Drops file in System32 directory
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:5040
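The process tree above shows the pattern a defender should key on: a dropped batch file spawning takeown and icacls against DLLs under C:\Windows\SysWOW64, then regsvr32 registering the same paths. The following detection is an added example written for this report, not code from the sandbox or from the sample; it runs over constructed process-creation records modelled on the tree above (pid, parent pid, image, command line), and the record shape, the benign noise rows and the severity labels are assumptions for illustration.

```python
"""Flag takeown -> icacls -> regsvr32 chains aimed at DLLs in protected system directories."""
import re
from collections import defaultdict

# Directories where an ACL change followed by DLL registration is worth a high-severity alert.
PROTECTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
ACL_TOOLS = {"takeown.exe", "icacls.exe", "regsvr32.exe"}
# First drive-letter path on the command line; works for "takeown /f X", "icacls X ...", "regsvr32 /s X".
PATH_RE = re.compile(r'(?i)([a-z]:\\[^\s"]+)')

# Constructed sample telemetry modelled on the process tree in the report above
# (pid, ppid, image path, command line). Not captured from a real host.
SAMPLE_EVENTS = [
    (2804, 3368, r"C:\Windows\Temp\gpedit\installer.exe",
     r'"C:\Windows\Temp\gpedit\installer.exe"'),
    (1244, 2804, r"C:\Windows\system32\cmd.exe",
     r'C:\Windows\system32\cmd.exe /c ""C:\Windows\Temp\gpedit\x64.bat" "'),
    (740, 1244, r"C:\Windows\system32\takeown.exe",
     r"takeown /f C:\Windows\SysWOW64\gpedit.dll"),
    (4340, 1244, r"C:\Windows\system32\icacls.exe",
     r"icacls C:\Windows\SysWOW64\gpedit.dll /grant:r Admin:f"),
    (2832, 1244, r"C:\Windows\system32\regsvr32.exe",
     r"regsvr32 /s C:\Windows\SysWOW64\gpedit.dll"),
    (876, 1244, r"C:\Windows\system32\takeown.exe",
     r"takeown /f C:\Windows\SysWOW64\fde.dll"),
    (1904, 1244, r"C:\Windows\system32\icacls.exe",
     r"icacls C:\Windows\SysWOW64\fde.dll /grant:r Admin:f"),
    # Benign noise (assumed): an admin taking ownership of a file in their own profile.
    (9001, 9000, r"C:\Windows\system32\takeown.exe",
     r"takeown /f C:\Users\Admin\Documents\report.docx"),
    (9002, 9000, r"C:\Windows\system32\icacls.exe",
     r"icacls C:\Users\Admin\Documents\report.docx /grant:r Admin:f"),
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def target_path(cmdline):
    """Lower-cased first drive-letter path in the command line, or None."""
    m = PATH_RE.search(cmdline)
    return m.group(1).lower() if m else None


def in_protected_dir(path):
    return path is not None and path.startswith(PROTECTED_DIRS)


def detect_acl_takeover(events):
    """Group ACL-tool invocations by (parent pid, target path) and score the chain.

    medium: takeown and icacls both hit the same protected path under one parent.
    high:   the same path is then loaded via regsvr32 from that parent.
    """
    images = {pid: image for pid, _, image, _ in events}
    hits = defaultdict(set)  # (parent pid, target path) -> tools seen
    for pid, ppid, image, cmdline in events:
        tool = basename(image)
        if tool not in ACL_TOOLS:
            continue
        path = target_path(cmdline)
        if not in_protected_dir(path):
            continue
        hits[(ppid, path)].add(tool)

    findings = []
    for (ppid, path), tools in sorted(hits.items()):
        if {"takeown.exe", "icacls.exe"} <= tools:
            severity = "high" if "regsvr32.exe" in tools else "medium"
            findings.append({
                "parent_pid": ppid,
                "parent_image": images.get(ppid, "unknown"),
                "target": path,
                "tools": sorted(tools),
                "severity": severity,
            })
    return findings


if __name__ == "__main__":
    for f in detect_acl_takeover(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['target']} via {', '.join(f['tools'])} "
              f"(parent {f['parent_pid']} {f['parent_image']})")
```

Grouping by parent PID rather than by time window is deliberate: in this sample every takeown/icacls/regsvr32 pair is a direct child of the one cmd.exe that runs x64.bat, so the parent is the natural correlation key. On real telemetry you would also want the grandparent (here installer.exe under a temp directory) and the ACL grantee (Admin:f) in the finding, since legitimate servicing of SysWOW64 DLLs does not come from a user-writable temp path.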

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\is-VQK3I.tmp\setup.tmp

    Filesize

    680KB

    MD5

    e60a74a65005e4c4f61cbe9c09d368df

    SHA1

    1d649b2ab5e08632d64e23f5f9e5675b68e184b4

    SHA256

    78f6692d50d07bd78a97294d196f9ae7d1fc48b058375e5d7bb766970faab758

    SHA512

    a73b84739f4da0827976cf473e63ba3dc7649ab2d37be13c8fb786487d0dc7ef5b2bd446d8c745d75266447357bde4f32f58f1f1c92b156f06f141fea2873856

  • C:\Windows\Temp\gpedit\Installer.exe

    Filesize

    5KB

    MD5

    5e0ece1cfe6a91a811f49bd35234d4a2

    SHA1

    a458b8ef3d88b3e5ff5c732532ffc7677dea3d2e

    SHA256

    bba8c14f2816d3a107f5609f5be9cfdc63ac1c499d2ee3d73b117af77ba9a6a5

    SHA512

    76801b41aebcaa216134e70f8a8b4bcb416736cee5b241ae5f8ffee89e3c41131a9d69bd9ae25bc3f4d7f09b32f2b05f8e70efe880477f3e6bc28ef1f8d3a929

  • C:\Windows\Temp\gpedit\appmgr.dll

    Filesize

    289KB

    MD5

    76422d781c0fbbb368f8559dc12a39b1

    SHA1

    148ec10a2f8fab845f8e1b2a8c013fcb9451ecb2

    SHA256

    2613b7e843d0ad5959a74d2b2601f5e981e8e1fdc39a44da175ab076c08839a3

    SHA512

    2f86df50d71740cf5e571fa8ba478ba70ec12cf94d96ede50d864dddd92d3b3a5991c874264c05edf0a5824df9b9f1c513a429bc97ec275a7eb001f98097cb84

  • C:\Windows\Temp\gpedit\conf.adm

    Filesize

    39KB

    MD5

    6c2422f9265d2ead5cfb47540bd46c71

    SHA1

    2e19092c1883ef8578b066569843a3b4156138ee

    SHA256

    3c21ed1d9ee8de426d9dd329499ce4eb9cc24122aea61694fcfe9115c0ea2ea7

    SHA512

    686dc55296226967df3a447271dbb16b72f114de4134efbdebc8c392b2e660fc4dc1fd077054b4d7924e73ccde123ef2098b286a90878ef4b2e2cdd832fe5ce2

  • C:\Windows\Temp\gpedit\fde.dll

    Filesize

    122KB

    MD5

    cba0be94e3985f6db7701e259c73b43b

    SHA1

    8b20257ee2add36f93943a33f7f683928d86463d

    SHA256

    a1f26b60132f7db711140b4f170bd3a9c92053bf178bef6d5809e12c483bf7fc

    SHA512

    a9b6cf644980b841e6c1d34483bada401b53ed54bfb0846a069e9a301decb997792939fd45e6a0e5612cc4c50f1fa236f1a190422b4f1abce7cb4a4537510334

  • C:\Windows\Temp\gpedit\fdeploy.dll

    Filesize

    72KB

    MD5

    5e12974f81fae8f695e2b4ea05418af3

    SHA1

    c5b887f1b8909b217818c220a9bb21c95a56b387

    SHA256

    5f6331af5e4159a48a5f2da6c9b52c970564f58fc5a889cbcb90f9edca011d90

    SHA512

    6e9c4dc6bd514ff3ab2cd3a808eda06ada2728e7d30985a2211beb99a75004a4128ba9c0582fe471a16fd5cac3e98e6ecfaece1ec498455b5a7135642dbd35f0

  • C:\Windows\Temp\gpedit\gpedit.dll

    Filesize

    553KB

    MD5

    65f8da8424ad27a365f61ccc8621fed2

    SHA1

    59979870fcdf01414b9999578d6bee4426feb3ba

    SHA256

    92beba4934d0263fd21827cc96e02689da9abaed571fe88836b3469f70d4a28e

    SHA512

    8f64574466cb4f9646b550899101b62fa84c5b6afe72f517860ff8c27599cc817986d0dc6f42a30d57efe3fe4b27cb1389db3795b71e66f5a4f7e3b07733fd71

  • C:\Windows\Temp\gpedit\gpedit.msc

    Filesize

    34KB

    MD5

    c9ad01520798dc5cd144c2dce97657c3

    SHA1

    90973c38ddb1ace1fbf8eefd043141553868f3c7

    SHA256

    da7f0d319289ddbcd70d110f72778cec6246e342f65fef727219bd575405d89b

    SHA512

    7a2b335a880b034dcac8ff61fc8e87e3af2a54625200a7ee2daa2d5d02753ff713e1e81718b3cd4c4b6bf1eb874994bcfe7761b93e78b3f4298fb545b12d69c6

  • C:\Windows\Temp\gpedit\gptext.dll

    Filesize

    195KB

    MD5

    e75463b95cb67b77bb6fa71e4f0539e8

    SHA1

    1c78c2d1a5d2ad62d83a8fe2f11e56dbcc3a50ac

    SHA256

    e11ff0a739e09df75cd1af7833ba8fe8783e8b937e2d5f3dc25a8f6d234ba93b

    SHA512

    3df066f7cc265b75010d9ccd1ab5b574b590dd0fc7a73c6ace488ac3a641d4eb9c253393fffaf941083c7fb6b55638457df9abbdd73b48d4b9824196a284e1d9

  • C:\Windows\Temp\gpedit\inetres.adm

    Filesize

    1.4MB

    MD5

    bb39b39e6d48620dfd401733bc8dbbd2

    SHA1

    c832b2edbe26eec52bb560b41e99eeaeef8b4b1a

    SHA256

    e749d975062f79b5a63a123f75cd615b0b5b833316ca6fd17b999b884193e194

    SHA512

    69542ef1e8cbb372ee586dceca019b3434df2de2011573150cc3d84dee5fffcfc3b020f99af4239e03d583a6dab2aeb95998062f7b16ea570738930861add93a

  • C:\Windows\Temp\gpedit\system.adm

    Filesize

    1.7MB

    MD5

    81e9f4f83b5a6b43293db805f31629df

    SHA1

    28baaaf9958b0f27e60f873ac275cc593b55e2b3

    SHA256

    c4fa35170090dccd405ff951dadc2a64b6e3618728efb5f41ccf939971eabcd2

    SHA512

    a79b9e04ba5c2094c9cdc4e738b5fbd900a2dc0613d0fa2002b1cce79293f84f43454c1e8102b307baf6958b8b4fcb96eda84665e987136266df0bfa56926b27

  • C:\Windows\Temp\gpedit\wmplayer.adm

    Filesize

    65KB

    MD5

    9780ba64ffd34694fdfa0066b907bd04

    SHA1

    ffc36cfb3934499c73092751a5eb406720eb915b

    SHA256

    c954c69ee2490819cee734265470a3cc1cec1159ab5233258769ef6f703509eb

    SHA512

    eb5d672bf06c7943618e10b52e44427689c3d373c4eb5e196aa26aa88e7bba91a99a2d263789ea11eb6c37fee2bf57d34d6d8dc1aae54b90185b3dc76e5f8806

  • C:\Windows\Temp\gpedit\wuau.adm

    Filesize

    39KB

    MD5

    989878dae9f52b78fb79b49ef9759ec0

    SHA1

    94cc11280f7cd7fd93652f40013e79c15f2e751a

    SHA256

    9f0f5b397eb903c36a668ffa7274574994d56b832439b750f4e85e472253bfea

    SHA512

    6d5b01d4e263a35df6abc9a7a8e1d22c27c017a2c8f2a33b5a432ac1d8bdd95629afb68d4699c987e0c951f20ef1b81a66ff794aa1ea3610c0306d44d28700a3

  • C:\Windows\Temp\gpedit\x64.bat

    Filesize

    2KB

    MD5

    6c718c722c6b289de25ce1c758fdf970

    SHA1

    06264f2bcde0dc43b035340ec2f36ed04999a30e

    SHA256

    a13339020b5b3ccb7e185ff26b9a9916a48663dc0ce6d88c3d310556ad4a733f

    SHA512

    ff3b2a737de7b40d10ddb18cebd8993fd0e809f07ced2b7931fcb3cbcaaa2e0fde34b0fb0693b2ee667688c2fa1b54593f48244d4d9f144dae5e6beda093babb

  • memory/2804-53-0x000000001BF40000-0x000000001C40E000-memory.dmp

    Filesize

    4.8MB

  • memory/2804-54-0x00007FFA23620000-0x00007FFA23FC1000-memory.dmp

    Filesize

    9.6MB

  • memory/2804-57-0x00007FFA23620000-0x00007FFA23FC1000-memory.dmp

    Filesize

    9.6MB

  • memory/2804-51-0x00007FFA238D5000-0x00007FFA238D6000-memory.dmp

    Filesize

    4KB

  • memory/2804-52-0x00007FFA23620000-0x00007FFA23FC1000-memory.dmp

    Filesize

    9.6MB

  • memory/3332-13-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/3332-0-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/3332-2-0x0000000000401000-0x000000000040B000-memory.dmp

    Filesize

    40KB

  • memory/3332-120-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

  • memory/3368-14-0x0000000000400000-0x00000000004BA000-memory.dmp

    Filesize

    744KB

  • memory/3368-10-0x0000000000400000-0x00000000004BA000-memory.dmp

    Filesize

    744KB

  • memory/3368-119-0x0000000000400000-0x00000000004BA000-memory.dmp

    Filesize

    744KB

  • memory/4072-113-0x0000000002790000-0x000000000281F000-memory.dmp

    Filesize

    572KB

  • memory/4576-104-0x0000000000B80000-0x0000000000C0F000-memory.dmp

    Filesize

    572KB