06b95476a373199ef0f7eb7b263222a1aa21f71eafb5b67d85410f2f5981f0a5

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-11-2024 12:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2/Setup.exe
Size

14.4MB
MD5

d4340b687b46726c175ff0d6d49d8017
SHA1

44a7d5267164d3597e797176d3b111df48c98446
SHA256

1353dcc34941316e60be2905322c7c77bee698862eb6a81b4db19b4fc3b6c332
SHA512

22921bd5fbe771f56cef5507dd6c2ecd6cc1d9d5f3ffed45e895daa5cbe597bbf9bb2bd7eb23a1b4015de9c34d24d6e65e5661b412bd963076a9f436f6606b3d
SSDEEP

196608:4wa/A5/A3Pg2LkIJmgLpY/iLNooeoc+k88MkEQx4enDtJ+fmPOSAWiH5m+6h7MnC:KP1JtpQd8S+fiz+bC

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\ContaCam = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2\\Setup.exe"	Setup.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2704	1648	WerFault.exe	27

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1648	Setup.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1648	Setup.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1648	Setup.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1648	Setup.exe
1648	Setup.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1648 wrote to memory of 2704	1648	Setup.exe	29
PID 1648 wrote to memory of 2704	1648	Setup.exe	29
PID 1648 wrote to memory of 2704	1648	Setup.exe	29
PID 1648 wrote to memory of 2704	1648	Setup.exe	29

C:\Users\Admin\AppData\Local\Temp\2\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\2\Setup.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1648 -s 544
  2⤵
  - Program crash
  PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2\Setup.ini

Filesize
1KB

MD5
e002f87fcbf98d97561665607fa9e028

SHA1
01cafa1858503f8ab4f9d7b6ae419a5d6fbe9e48

SHA256
7391745684734547348f354cb23a7dc0cbca7e3e902fa394318bb634087e109c

SHA512
9fbbf54219ec46b09b4e3c14e3ea1de5b4b547fe309a3b9fc584ac75a9e31e42940fa2b028e5d741c28f964ccff58caefe5ccd5760d542777957a691e3036401

Download Submit
C:\Users\Admin\AppData\Local\Temp\2\Setup.ini

Filesize
58B

MD5
f25df6b9843d84fbf75297bc055ae13d

SHA1
9ae6e0656337cae2204646f23721fe98d2b6ea87

SHA256
f3d2384a7ae24486f1cf1cc5b36d9cbbaa6009d1a14edb9edd8afc2a83e9135f

SHA512
895201ade52ab2571edbbbbab5b38bc45ad7689b36471db61930911a7b34bea3ffec346d109652c4ca4ec7bad533a2bd2da883f45ddb6ba31367f7b05ff84590

Download Submit
C:\Users\Admin\AppData\Local\Temp\5d663c

Filesize
1.2MB

MD5
1c3866deb8e7789657f98840d623a169

SHA1
7411f3699a17972110bdf1b7ada91306d5beacc8

SHA256
af47c75ed2571f28dba14f4bac724b0be1cf80a1b045e89169cc22948dbf8629

SHA512
942e25cd3256269df1f75c2fba8d9e48c90962c2c6907f76a46f8e011ddfb5b579be71b32503e3f606032fc79f3287fdeb4897f76d3202562a2659834947adb3

Download Submit
memory/1648-208-0x0000000000400000-0x00000000015D2000-memory.dmp

Filesize
17.8MB

Download
memory/1648-214-0x0000000075BF0000-0x000000007683A000-memory.dmp

Filesize
12.3MB

Download
memory/1648-215-0x0000000077A30000-0x0000000077BD9000-memory.dmp

Filesize
1.7MB

Download