1230f1313b7c82b3fda1ef9f3860d668ed66846cc6252ad2a2b92db29a59d6a9

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
25-11-2024 13:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

351.1MB
MD5

b6cf2050dc61fcc253eb7d7f9105f4c8
SHA1

f88ec60af42abdd3b67a980ae14eb4e58b3bc0e7
SHA256

42d6496db190c2800501a8205f23b610e5efe24312fcfe1ea8b9f6d66aaea9f1
SHA512

944de25459b38cce873f6076e14e40bf701f138002bc9182bba37ea08073185430432b24d07c369a023ebfc5d22d8f97dc622c8d9bc98c98c43fbd288ed307fa
SSDEEP

196608:Hi4rZPnHKOfiGJDxGOOBvaxvQAoOQpDbVHqHI+uzIQDQdy1VM1fzN6Do3pOVNAUe:Hi4rZPxfiGJDxGOOBvaxnQzMj

Score

5^/10

discovery

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

Processes:

Setup.exe

description	pid	Process	procid_target
PID 1740 set thread context of 2600	1740	Setup.exe	30

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Setup.exemore.com

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	more.com

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Setup.exemore.com

pid	Process
1740	Setup.exe
1740	Setup.exe
2600	more.com
2600	more.com

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

Setup.exe

pid	Process
1740	Setup.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

Setup.exe

description	pid	Process	procid_target
PID 1740 wrote to memory of 2600	1740	Setup.exe	30
PID 1740 wrote to memory of 2600	1740	Setup.exe	30
PID 1740 wrote to memory of 2600	1740	Setup.exe	30
PID 1740 wrote to memory of 2600	1740	Setup.exe	30
PID 1740 wrote to memory of 2600	1740	Setup.exe	30

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Windows\SysWOW64\more.com
  C:\Windows\SysWOW64\more.com
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2600

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5d333a56

Filesize
1.3MB

MD5
94175bd77bc17ca8f7c2196caba3f614

SHA1
f9602cc39643864461fd30e04d01be8c8e82d411

SHA256
526680305be37788cfd31337114c567329ee6f16a139f5496a9a9550442bd7c8

SHA512
4e66917165b19e22fd2aa2f3cafb77e322046f8bf720b143719561936c69916c2a004537dbc2ad14dace514478318d6d31e9372387d383db9bb6369e6366addb

Download Submit
C:\Users\Admin\AppData\Local\Temp\61b99acc

Filesize
1.1MB

MD5
232791559e5c8ba3fb526c8cb9d006eb

SHA1
ae530bc309ceaae73ad8ccb127f7b2bdd2bd9ae8

SHA256
2e991e33f1acb0a6a12c9d152f2796db6118f966398e0f76d8d1b366a611bee2

SHA512
4374d7d5d050087e40bbb63b447756ef07b29ffe61669236fe00776f30a7df8204f5ab6b5974ec63a40e8f73a24831aaba12fd1c54b6dd967377e194d6e94efe

Download Submit
memory/1740-10-0x0000000073B60000-0x0000000073CD4000-memory.dmp

Filesize
1.5MB

Download
memory/1740-7-0x0000000073B60000-0x0000000073CD4000-memory.dmp

Filesize
1.5MB

Download
memory/1740-8-0x0000000076D70000-0x0000000076F19000-memory.dmp

Filesize
1.7MB

Download
memory/1740-9-0x0000000073B73000-0x0000000073B75000-memory.dmp

Filesize
8KB

Download
memory/1740-0-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1740-11-0x0000000073B60000-0x0000000073CD4000-memory.dmp

Filesize
1.5MB

Download
memory/1740-1-0x00000000003A0000-0x0000000000F7C000-memory.dmp

Filesize
11.9MB

Download
memory/2600-15-0x0000000073B60000-0x0000000073CD4000-memory.dmp

Filesize
1.5MB

Download
memory/2600-16-0x0000000076D70000-0x0000000076F19000-memory.dmp

Filesize
1.7MB

Download
memory/2600-17-0x0000000073B60000-0x0000000073CD4000-memory.dmp

Filesize
1.5MB

Download
memory/2600-18-0x0000000073B60000-0x0000000073CD4000-memory.dmp

Filesize
1.5MB

Download
memory/2600-20-0x0000000073B60000-0x0000000073CD4000-memory.dmp

Filesize
1.5MB

Download