5451f776144a83c4fbf47d9dc455f4ba2751dc20a36b4022fadb9f5fdfad32ec

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 06:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

14.4MB
MD5

db63171e8f58f0e78f588471154b3c27
SHA1

de940ecab24a000a64f27ca6b0fe93c7d5e9f866
SHA256

5451f776144a83c4fbf47d9dc455f4ba2751dc20a36b4022fadb9f5fdfad32ec
SHA512

1dc070e460628eab8b4efb40e1dd3cba77d8c05930fb970adb426812561e112c13b21cdbd00dc5b5b78657e160ac3a18b0ae6329f203f174a6fb4610133e024d
SSDEEP

196608:Ywa/A5/A3Pg2LkIJmgLpY/iLNooeoc+k88MkEQx4enDtJ+fmPOSAWiH5m+6h7MnC:qP1JtpQd8S+fiz+bC

Score

6^/10

discovery persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\ContaCam = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Setup.exe"	Setup.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1000	1268	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1268	Setup.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1268	Setup.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1268	Setup.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1268	Setup.exe
1268	Setup.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1268 wrote to memory of 1000	1268	Setup.exe	32
PID 1268 wrote to memory of 1000	1268	Setup.exe	32
PID 1268 wrote to memory of 1000	1268	Setup.exe	32
PID 1268 wrote to memory of 1000	1268	Setup.exe	32

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1268
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 548
  2⤵
  - Program crash
  PID:1000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Setup.ini

Filesize
1KB

MD5
4e31656dd105113b1361fd30b5ec0f78

SHA1
8b0c7c784224e26c15400da6ab25a46d8e13222c

SHA256
3c7f33a8fe67f56d06f9817bbb397ea838d26eb64958d47f6226e1c42a67083b

SHA512
11a838b1fa4e2fc5ca1636481fdcd9315b2c388a744f621af15bdfc76184aa88d93f91e52d55e885309e3ce5a7a6857cee58c8546b4bf396fec260cbdb369bdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.ini

Filesize
58B

MD5
f25df6b9843d84fbf75297bc055ae13d

SHA1
9ae6e0656337cae2204646f23721fe98d2b6ea87

SHA256
f3d2384a7ae24486f1cf1cc5b36d9cbbaa6009d1a14edb9edd8afc2a83e9135f

SHA512
895201ade52ab2571edbbbbab5b38bc45ad7689b36471db61930911a7b34bea3ffec346d109652c4ca4ec7bad533a2bd2da883f45ddb6ba31367f7b05ff84590

Download Submit
C:\Users\Admin\AppData\Local\Temp\b6801020

Filesize
1.2MB

MD5
1c3866deb8e7789657f98840d623a169

SHA1
7411f3699a17972110bdf1b7ada91306d5beacc8

SHA256
af47c75ed2571f28dba14f4bac724b0be1cf80a1b045e89169cc22948dbf8629

SHA512
942e25cd3256269df1f75c2fba8d9e48c90962c2c6907f76a46f8e011ddfb5b579be71b32503e3f606032fc79f3287fdeb4897f76d3202562a2659834947adb3

Download Submit
memory/1268-208-0x0000000000400000-0x00000000015D2000-memory.dmp

Filesize
17.8MB

Download
memory/1268-214-0x0000000075570000-0x00000000761BA000-memory.dmp

Filesize
12.3MB

Download
memory/1268-215-0x0000000077900000-0x0000000077AA9000-memory.dmp

Filesize
1.7MB

Download