6851b72e0bfaf608294bcac6ffef07e5e6591aee8b94ce9afad46b6e6cc32a59

Analysis

max time kernel
141s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
11-11-2024 09:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup_installer/Wed09d27135e5a8b3b.exe
Size

379KB
MD5

9b07fc470646ce890bcb860a5fb55f13
SHA1

ef01d45abaf5060a0b32319e0509968f6be3082f
SHA256

506c6ee68b29701403739da25679b640d21b1b121f45dde5bc25705901a6ed0b
SHA512

4cc1b725c6fb539d832d2d5315bbc63e967a41129d25c2102b2df19e4931e4e06c2a9f70a3336d98b9e031c636d021e713f10dbbd86a57f447a7581221a470cc
SSDEEP

6144:6/QiQPMzDY39EiBeNyz9P8S9vkOQ/UBTlakaBdGOzGfnXpiQCsoazZPElpMQgqok:CQiGMwNEiBePS9v+MBTlPadSfXioRcpn

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

Wed09d27135e5a8b3b.tmpWed09d27135e5a8b3b.tmp

pid process

2300 Wed09d27135e5a8b3b.tmp
988 Wed09d27135e5a8b3b.tmp

pid	process
2300	Wed09d27135e5a8b3b.tmp
988	Wed09d27135e5a8b3b.tmp

Loads dropped DLL 8 IoCs

Processes:

Wed09d27135e5a8b3b.exeWed09d27135e5a8b3b.tmpWed09d27135e5a8b3b.exeWed09d27135e5a8b3b.tmp

pid	process
1244	Wed09d27135e5a8b3b.exe
2300	Wed09d27135e5a8b3b.tmp
2300	Wed09d27135e5a8b3b.tmp
2300	Wed09d27135e5a8b3b.tmp
2988	Wed09d27135e5a8b3b.exe
988	Wed09d27135e5a8b3b.tmp
988	Wed09d27135e5a8b3b.tmp
988	Wed09d27135e5a8b3b.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Wed09d27135e5a8b3b.tmpWed09d27135e5a8b3b.exeWed09d27135e5a8b3b.tmpWed09d27135e5a8b3b.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wed09d27135e5a8b3b.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wed09d27135e5a8b3b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wed09d27135e5a8b3b.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wed09d27135e5a8b3b.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Wed09d27135e5a8b3b.tmp

pid process

988 Wed09d27135e5a8b3b.tmp

pid	process
988	Wed09d27135e5a8b3b.tmp

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

Wed09d27135e5a8b3b.exeWed09d27135e5a8b3b.tmpWed09d27135e5a8b3b.exe

description	pid	process	target process
PID 1244 wrote to memory of 2300	1244	Wed09d27135e5a8b3b.exe	Wed09d27135e5a8b3b.tmp
PID 1244 wrote to memory of 2300	1244	Wed09d27135e5a8b3b.exe	Wed09d27135e5a8b3b.tmp
PID 1244 wrote to memory of 2300	1244	Wed09d27135e5a8b3b.exe	Wed09d27135e5a8b3b.tmp
PID 1244 wrote to memory of 2300	1244	Wed09d27135e5a8b3b.exe	Wed09d27135e5a8b3b.tmp
PID 1244 wrote to memory of 2300	1244	Wed09d27135e5a8b3b.exe	Wed09d27135e5a8b3b.tmp
PID 1244 wrote to memory of 2300	1244	Wed09d27135e5a8b3b.exe	Wed09d27135e5a8b3b.tmp
PID 1244 wrote to memory of 2300	1244	Wed09d27135e5a8b3b.exe	Wed09d27135e5a8b3b.tmp
PID 2300 wrote to memory of 2988	2300	Wed09d27135e5a8b3b.tmp	Wed09d27135e5a8b3b.exe
PID 2300 wrote to memory of 2988	2300	Wed09d27135e5a8b3b.tmp	Wed09d27135e5a8b3b.exe
PID 2300 wrote to memory of 2988	2300	Wed09d27135e5a8b3b.tmp	Wed09d27135e5a8b3b.exe
PID 2300 wrote to memory of 2988	2300	Wed09d27135e5a8b3b.tmp	Wed09d27135e5a8b3b.exe
PID 2300 wrote to memory of 2988	2300	Wed09d27135e5a8b3b.tmp	Wed09d27135e5a8b3b.exe
PID 2300 wrote to memory of 2988	2300	Wed09d27135e5a8b3b.tmp	Wed09d27135e5a8b3b.exe
PID 2300 wrote to memory of 2988	2300	Wed09d27135e5a8b3b.tmp	Wed09d27135e5a8b3b.exe
PID 2988 wrote to memory of 988	2988	Wed09d27135e5a8b3b.exe	Wed09d27135e5a8b3b.tmp
PID 2988 wrote to memory of 988	2988	Wed09d27135e5a8b3b.exe	Wed09d27135e5a8b3b.tmp
PID 2988 wrote to memory of 988	2988	Wed09d27135e5a8b3b.exe	Wed09d27135e5a8b3b.tmp
PID 2988 wrote to memory of 988	2988	Wed09d27135e5a8b3b.exe	Wed09d27135e5a8b3b.tmp
PID 2988 wrote to memory of 988	2988	Wed09d27135e5a8b3b.exe	Wed09d27135e5a8b3b.tmp
PID 2988 wrote to memory of 988	2988	Wed09d27135e5a8b3b.exe	Wed09d27135e5a8b3b.tmp
PID 2988 wrote to memory of 988	2988	Wed09d27135e5a8b3b.exe	Wed09d27135e5a8b3b.tmp

C:\Users\Admin\AppData\Local\Temp\setup_installer\Wed09d27135e5a8b3b.exe
"C:\Users\Admin\AppData\Local\Temp\setup_installer\Wed09d27135e5a8b3b.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Users\Admin\AppData\Local\Temp\is-L299H.tmp\Wed09d27135e5a8b3b.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-L299H.tmp\Wed09d27135e5a8b3b.tmp" /SL5="$4010A,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_installer\Wed09d27135e5a8b3b.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Users\Admin\AppData\Local\Temp\setup_installer\Wed09d27135e5a8b3b.exe
    "C:\Users\Admin\AppData\Local\Temp\setup_installer\Wed09d27135e5a8b3b.exe" /SILENT
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2988
  - - C:\Users\Admin\AppData\Local\Temp\is-31QD2.tmp\Wed09d27135e5a8b3b.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-31QD2.tmp\Wed09d27135e5a8b3b.tmp" /SL5="$5010A,140785,56832,C:\Users\Admin\AppData\Local\Temp\setup_installer\Wed09d27135e5a8b3b.exe" /SILENT
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      PID:988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-L299H.tmp\Wed09d27135e5a8b3b.tmp

Filesize
691KB

MD5
9303156631ee2436db23827e27337be4

SHA1
018e0d5b6ccf7000e36af30cebeb8adc5667e5fa

SHA256
bae22f27c12bce1faeb64b6eb733302aff5867baa8eed832397a7ce284a86ff4

SHA512
9fe100fafb1c74728109667b5a2261a31e49c45723de748adaa1d9cb9f8daa389b871056c70066fa3a05be82a5017c8dd590ae149a56d824a9e250d31091a40f

Download Submit
\Users\Admin\AppData\Local\Temp\is-MF69T.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-MF69T.tmp\idp.dll

Filesize
216KB

MD5
b37377d34c8262a90ff95a9a92b65ed8

SHA1
faeef415bd0bc2a08cf9fe1e987007bf28e7218d

SHA256
e5a0ad2e37dde043a0dd4ad7634961ff3f0d70e87d2db49761eb4c1f468bb02f

SHA512
69d8da5b45d9b4b996d32328d3402fa37a3d710564d47c474bf9e15c1e45bc15b2858dbab446e6baec0c099d99007ff1099e9c4e66cfd1597f28c420bb50fdcc

Download Submit
memory/988-45-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1244-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1244-3-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/1244-28-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2300-8-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2300-25-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2988-26-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2988-22-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2988-44-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download