06b95476a373199ef0f7eb7b263222a1aa21f71eafb5b67d85410f2f5981f0a5

General

Target

1/Setup.exe
Size

14.4MB
MD5

db63171e8f58f0e78f588471154b3c27
SHA1

de940ecab24a000a64f27ca6b0fe93c7d5e9f866
SHA256

5451f776144a83c4fbf47d9dc455f4ba2751dc20a36b4022fadb9f5fdfad32ec
SHA512

1dc070e460628eab8b4efb40e1dd3cba77d8c05930fb970adb426812561e112c13b21cdbd00dc5b5b78657e160ac3a18b0ae6329f203f174a6fb4610133e024d
SSDEEP

196608:Ywa/A5/A3Pg2LkIJmgLpY/iLNooeoc+k88MkEQx4enDtJ+fmPOSAWiH5m+6h7MnC:qP1JtpQd8S+fiz+bC

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ContaCam = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1\\Setup.exe"	Setup.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1036 set thread context of 2400	1036	Setup.exe	86

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4988	2400	WerFault.exe	86

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	more.com

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1036	Setup.exe
1036	Setup.exe
2400	more.com
2400	more.com

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1036	Setup.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1036	Setup.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1036	Setup.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1036	Setup.exe
1036	Setup.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1036 wrote to memory of 2400	1036	Setup.exe	86
PID 1036 wrote to memory of 2400	1036	Setup.exe	86
PID 1036 wrote to memory of 2400	1036	Setup.exe	86
PID 1036 wrote to memory of 2400	1036	Setup.exe	86

C:\Users\Admin\AppData\Local\Temp\1\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\1\Setup.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1036
- C:\Windows\SysWOW64\more.com
  C:\Windows\SysWOW64\more.com
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2400
- - C:\Windows\SysWOW64\msiexec.exe
    C:\Windows\SysWOW64\msiexec.exe
    3⤵
    PID:2952
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2400 -s 356
    3⤵
    - Program crash
    PID:4988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2400 -ip 2400
1⤵
PID:720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1\Setup.ini

Filesize
1KB

MD5
1d7387f5fc1836c33f0ab8a825172dae

SHA1
70a32d6d6784bae9bc9dbcbf20eb2b62846b816c

SHA256
6dfbada95b9931e9053c1d3d230f05b5539f401a8dad56f96233c06713d6499f

SHA512
8aed8992a2ce75aa0ebbf874a2b80b44326311bead221e22b86bfa2e83c87886eb325ce371dbba545c9bd843d3f8663eafa3eb979cc2100aa0db34956bef0eb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\1\Setup.ini

Filesize
1KB

MD5
4e31656dd105113b1361fd30b5ec0f78

SHA1
8b0c7c784224e26c15400da6ab25a46d8e13222c

SHA256
3c7f33a8fe67f56d06f9817bbb397ea838d26eb64958d47f6226e1c42a67083b

SHA512
11a838b1fa4e2fc5ca1636481fdcd9315b2c388a744f621af15bdfc76184aa88d93f91e52d55e885309e3ce5a7a6857cee58c8546b4bf396fec260cbdb369bdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\1\Setup.ini

Filesize
58B

MD5
f25df6b9843d84fbf75297bc055ae13d

SHA1
9ae6e0656337cae2204646f23721fe98d2b6ea87

SHA256
f3d2384a7ae24486f1cf1cc5b36d9cbbaa6009d1a14edb9edd8afc2a83e9135f

SHA512
895201ade52ab2571edbbbbab5b38bc45ad7689b36471db61930911a7b34bea3ffec346d109652c4ca4ec7bad533a2bd2da883f45ddb6ba31367f7b05ff84590

Download Submit
C:\Users\Admin\AppData\Local\Temp\1\Setup.ini

Filesize
610B

MD5
604f1439f0d9e99913853924127d8d37

SHA1
f64a18c858b5669943f3022383ec52d18eb8dd48

SHA256
b1a8b6988b711cfc88eb9fec41f73b15e6430535e808302c9bfa1d0beb802a7d

SHA512
e1d102647cded07bea94a0f710b2d8752b48e6facf237fc75f6a82694a580c8c905ebbd135b9218ed2366000ae89244c5dbd8e72ab15d2265a7fec542d403f4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1a773b3f

Filesize
1.2MB

MD5
1c3866deb8e7789657f98840d623a169

SHA1
7411f3699a17972110bdf1b7ada91306d5beacc8

SHA256
af47c75ed2571f28dba14f4bac724b0be1cf80a1b045e89169cc22948dbf8629

SHA512
942e25cd3256269df1f75c2fba8d9e48c90962c2c6907f76a46f8e011ddfb5b579be71b32503e3f606032fc79f3287fdeb4897f76d3202562a2659834947adb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1fee6ca7

Filesize
1.0MB

MD5
fa0fb066d1cd2ba0dd4ff31df0cb3e7f

SHA1
8d3a359fee284b1c15d8b79264276568fd97f16f

SHA256
840f8fad9de85fca3074ed56c2db64999a6004df18ad13caeac38f463456dea7

SHA512
1ee0aeda62f348889c851ea89827173ccb9631fafb13a95fc1a423e7cf575d52b4124553893b866be9fda983abf30f1ff7df5751763e1f8ccd560eb96006333b

Download Submit
memory/1036-208-0x0000000000990000-0x0000000001B62000-memory.dmp

Filesize
17.8MB

Download
memory/1036-215-0x00007FFA13F70000-0x00007FFA14165000-memory.dmp

Filesize
2.0MB

Download
memory/1036-216-0x00000000773B3000-0x00000000773B5000-memory.dmp

Filesize
8KB

Download
memory/1036-217-0x00000000773A0000-0x0000000077953000-memory.dmp

Filesize
5.7MB

Download
memory/1036-218-0x00000000773A0000-0x0000000077953000-memory.dmp

Filesize
5.7MB

Download
memory/1036-214-0x00000000773A0000-0x0000000077953000-memory.dmp

Filesize
5.7MB

Download
memory/2400-220-0x00000000773A0000-0x0000000077953000-memory.dmp

Filesize
5.7MB

Download
memory/2400-222-0x00007FFA13F70000-0x00007FFA14165000-memory.dmp

Filesize
2.0MB

Download
memory/2400-223-0x00000000773A0000-0x0000000077953000-memory.dmp

Filesize
5.7MB

Download
memory/2400-224-0x00000000773A0000-0x0000000077953000-memory.dmp

Filesize
5.7MB

Download
memory/2400-225-0x00000000773A0000-0x0000000077953000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads