1230f1313b7c82b3fda1ef9f3860d668ed66846cc6252ad2a2b92db29a59d6a9

Analysis

max time kernel
35s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
25-11-2024 14:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

351.1MB
MD5

b6cf2050dc61fcc253eb7d7f9105f4c8
SHA1

f88ec60af42abdd3b67a980ae14eb4e58b3bc0e7
SHA256

42d6496db190c2800501a8205f23b610e5efe24312fcfe1ea8b9f6d66aaea9f1
SHA512

944de25459b38cce873f6076e14e40bf701f138002bc9182bba37ea08073185430432b24d07c369a023ebfc5d22d8f97dc622c8d9bc98c98c43fbd288ed307fa
SSDEEP

196608:Hi4rZPnHKOfiGJDxGOOBvaxvQAoOQpDbVHqHI+uzIQDQdy1VM1fzN6Do3pOVNAUe:Hi4rZPxfiGJDxGOOBvaxnQzMj

Score

5^/10

discovery

Malware Config

Signatures

Suspicious use of SetThreadContext 1 IoCs

Processes:

Setup.exe

description	pid	Process	procid_target
PID 2172 set thread context of 2992	2172	Setup.exe	29

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Setup.exemore.com

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	more.com

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

Setup.exemore.com

pid	Process
2172	Setup.exe
2172	Setup.exe
2992	more.com
2992	more.com

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

Setup.exe

pid	Process
2172	Setup.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

Setup.exe

description	pid	Process	procid_target
PID 2172 wrote to memory of 2992	2172	Setup.exe	29
PID 2172 wrote to memory of 2992	2172	Setup.exe	29
PID 2172 wrote to memory of 2992	2172	Setup.exe	29
PID 2172 wrote to memory of 2992	2172	Setup.exe	29
PID 2172 wrote to memory of 2992	2172	Setup.exe	29

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\SysWOW64\more.com
  C:\Windows\SysWOW64\more.com
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2a6786d9

Filesize
1.3MB

MD5
94175bd77bc17ca8f7c2196caba3f614

SHA1
f9602cc39643864461fd30e04d01be8c8e82d411

SHA256
526680305be37788cfd31337114c567329ee6f16a139f5496a9a9550442bd7c8

SHA512
4e66917165b19e22fd2aa2f3cafb77e322046f8bf720b143719561936c69916c2a004537dbc2ad14dace514478318d6d31e9372387d383db9bb6369e6366addb

Download Submit
C:\Users\Admin\AppData\Local\Temp\2a94e979

Filesize
1.1MB

MD5
a5e4f1320f0cd747a8d348588c13ca1d

SHA1
36af4e723bbc43a3ac1a048b90f469b8313ff1e0

SHA256
c18e5f271525d4675102afd319eefcf7b520948c4b475e7b88dbf220ca74c476

SHA512
95649647f93dc7cabaa52171814b6ab3d4888005972f1c8d610b0ff89de0a7b9b8850fc37464a03bd0c1524b3240ad2eb11b5611fbcd6c0d41e21b50282f76fe

Download Submit
memory/2172-10-0x00000000740F0000-0x0000000074264000-memory.dmp

Filesize
1.5MB

Download
memory/2172-7-0x00000000740F0000-0x0000000074264000-memory.dmp

Filesize
1.5MB

Download
memory/2172-8-0x0000000077310000-0x00000000774B9000-memory.dmp

Filesize
1.7MB

Download
memory/2172-9-0x0000000074103000-0x0000000074105000-memory.dmp

Filesize
8KB

Download
memory/2172-0-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2172-14-0x00000000740F0000-0x0000000074264000-memory.dmp

Filesize
1.5MB

Download
memory/2172-1-0x0000000000340000-0x0000000000F1C000-memory.dmp

Filesize
11.9MB

Download
memory/2992-16-0x00000000740F0000-0x0000000074264000-memory.dmp

Filesize
1.5MB

Download
memory/2992-17-0x0000000077310000-0x00000000774B9000-memory.dmp

Filesize
1.7MB

Download
memory/2992-18-0x00000000740F0000-0x0000000074264000-memory.dmp

Filesize
1.5MB

Download
memory/2992-19-0x00000000740F0000-0x0000000074264000-memory.dmp

Filesize
1.5MB

Download
memory/2992-21-0x00000000740F0000-0x0000000074264000-memory.dmp

Filesize
1.5MB

Download