71916efd98ebad32e60025ebb48cbc3bb8556d60a82260143580fa2b3f90c72c

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-12-2024 00:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SnSetup1.7.exe
Size

601KB
MD5

bfe8e9072c8e530229f4984f4e64c534
SHA1

cf95d3be5395744e696d9cf0484915d185a3eaab
SHA256

91f02fafb1a3ab7a20761d308d7a1f224e889cb0bc43daadf9d9cb5d5c6e65e3
SHA512

a83b872c670c54839842f0e246e8a6739f8b5aab8a23e2678c999e891a8caf21fec7a4ad84e7691dbd0072db01215e88b120be526adf5bc8ea01130d757adf84
SSDEEP

12288:0zWyF45rsw9308qtvMwiM4HZS/dfLhaIGn0uERTtIiaO+tP/etJz:0zWyF4qQk8qh4M4Hk99aI1ttIiaOG/eX

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2400	Install.exe
3060	Install.exe

Loads dropped DLL 2 IoCs

pid	Process
1972	SnSetup1.7.exe
1972	SnSetup1.7.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 16 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\Temp\{8e9bdcb6-660e-0645-b389-5e1d5d052b44}\SETEDEA.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{8e9bdcb6-660e-0645-b389-5e1d5d052b44}	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{05a333c6-a3c2-fd48-a9df-e764e72384b8}\SETEEA6.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{e5485ddf-a195-f54c-8054-2a061f3beb7a}\SETEED4.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{993ddb2b-3874-5d48-87c1-76600f40c186}\SETED8C.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{e5485ddf-a195-f54c-8054-2a061f3beb7a}\SETEED4.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{e5485ddf-a195-f54c-8054-2a061f3beb7a}\snserial.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{e5485ddf-a195-f54c-8054-2a061f3beb7a}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{993ddb2b-3874-5d48-87c1-76600f40c186}\SETED8C.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{993ddb2b-3874-5d48-87c1-76600f40c186}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{8e9bdcb6-660e-0645-b389-5e1d5d052b44}\SETEDEA.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{05a333c6-a3c2-fd48-a9df-e764e72384b8}\SETEEA6.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{05a333c6-a3c2-fd48-a9df-e764e72384b8}\snbus.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{05a333c6-a3c2-fd48-a9df-e764e72384b8}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{993ddb2b-3874-5d48-87c1-76600f40c186}\snbus.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{8e9bdcb6-660e-0645-b389-5e1d5d052b44}\snserial.inf	DrvInst.exe

Drops file in Program Files directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\SUDT\SUDT SerialNull\Data\register-en-US.htm	SnSetup1.7.exe
File created	C:\Program Files (x86)\SUDT\SUDT SerialNull\Data\register-zh-TW.htm	SnSetup1.7.exe
File created	C:\Program Files (x86)\SUDT\SUDT SerialNull\install.exe	SnSetup1.7.exe
File opened for modification	C:\Program Files (x86)\SUDT\SUDT SerialNull\License.txt	SnSetup1.7.exe
File opened for modification	C:\Program Files (x86)\SUDT\SUDT SerialNull\Language\sncht.ini	SnSetup1.7.exe
File created	C:\Program Files (x86)\SUDT\SUDT SerialNull\Data\register-en-US.htm	SnSetup1.7.exe
File opened for modification	C:\Program Files (x86)\SUDT\SUDT SerialNull\Settings.ini	SnSetup1.7.exe
File created	C:\Program Files (x86)\SUDT\SUDT SerialNull\Uninstall.exe	SnSetup1.7.exe
File opened for modification	C:\Program Files (x86)\SUDT\SUDT SerialNull\Data\register-zh-CN.htm	SnSetup1.7.exe
File opened for modification	C:\Program Files (x86)\SUDT\SUDT SerialNull\SerialNull.exe	SnSetup1.7.exe
File opened for modification	C:\Program Files (x86)\SUDT\SUDT SerialNull\SnBus.sys	SnSetup1.7.exe
File opened for modification	C:\Program Files (x86)\SUDT\SUDT SerialNull\Readme.txt	SnSetup1.7.exe
File opened for modification	C:\Program Files (x86)\SUDT\SUDT SerialNull\Data\register-zh-TW.htm	SnSetup1.7.exe
File opened for modification	C:\Program Files (x86)\SUDT\SUDT SerialNull\SnSerial.sys	SnSetup1.7.exe
File opened for modification	C:\Program Files (x86)\SUDT\SUDT SerialNull\SnBus.inf	SnSetup1.7.exe
File opened for modification	C:\Program Files (x86)\SUDT\SUDT SerialNull\SnSerial.inf	SnSetup1.7.exe
File opened for modification	C:\Program Files (x86)\SUDT\SUDT SerialNull\Language\snchs.ini	SnSetup1.7.exe
File created	C:\Program Files (x86)\SUDT\SUDT SerialNull\Language\snchs.ini	SnSetup1.7.exe
File created	C:\Program Files (x86)\SUDT\SUDT SerialNull\Language\sncht.ini	SnSetup1.7.exe
File created	C:\Program Files (x86)\SUDT\SUDT SerialNull\SnSerial.sys	SnSetup1.7.exe
File created	C:\Program Files (x86)\SUDT\SUDT SerialNull\SnSerial.inf	SnSetup1.7.exe
File opened for modification	C:\Program Files (x86)\SUDT\SUDT SerialNull\install.exe	SnSetup1.7.exe
File opened for modification	C:\Program Files (x86)\SUDT\SUDT SerialNull\Help.chm	SnSetup1.7.exe
File opened for modification	C:\Program Files (x86)\SUDT\SUDT SerialNull\Language\sneng.ini	SnSetup1.7.exe
File created	C:\Program Files (x86)\SUDT\SUDT SerialNull\Data\register-zh-CN.htm	SnSetup1.7.exe
File created	C:\Program Files (x86)\SUDT\SUDT SerialNull\SerialNull.exe	SnSetup1.7.exe
File created	C:\Program Files (x86)\SUDT\SUDT SerialNull\License.txt	SnSetup1.7.exe
File created	C:\Program Files (x86)\SUDT\SUDT SerialNull\Language\sneng.ini	SnSetup1.7.exe
File created	C:\Program Files (x86)\SUDT\SUDT SerialNull\SnBus.sys	SnSetup1.7.exe
File created	C:\Program Files (x86)\SUDT\SUDT SerialNull\SnBus.inf	SnSetup1.7.exe
File created	C:\Program Files (x86)\SUDT\SUDT SerialNull\Readme.txt	SnSetup1.7.exe
File created	C:\Program Files (x86)\SUDT\SUDT SerialNull\Help.chm	SnSetup1.7.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	Install.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	Install.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SnSetup1.7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install.exe

Checks SCSI registry key(s) 3 TTPs 16 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	Install.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	Install.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	Install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeAuditPrivilege	804	svchost.exe
Token: SeSecurityPrivilege	804	svchost.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 2400	1972	SnSetup1.7.exe	96
PID 1972 wrote to memory of 2400	1972	SnSetup1.7.exe	96
PID 1972 wrote to memory of 2400	1972	SnSetup1.7.exe	96
PID 804 wrote to memory of 2092	804	svchost.exe	99
PID 804 wrote to memory of 2092	804	svchost.exe	99
PID 804 wrote to memory of 3148	804	svchost.exe	100
PID 804 wrote to memory of 3148	804	svchost.exe	100
PID 1972 wrote to memory of 3060	1972	SnSetup1.7.exe	101
PID 1972 wrote to memory of 3060	1972	SnSetup1.7.exe	101
PID 1972 wrote to memory of 3060	1972	SnSetup1.7.exe	101
PID 804 wrote to memory of 1676	804	svchost.exe	102
PID 804 wrote to memory of 1676	804	svchost.exe	102
PID 804 wrote to memory of 4480	804	svchost.exe	103
PID 804 wrote to memory of 4480	804	svchost.exe	103

C:\Users\Admin\AppData\Local\Temp\SnSetup1.7.exe
"C:\Users\Admin\AppData\Local\Temp\SnSetup1.7.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Program Files (x86)\SUDT\SUDT SerialNull\Install.exe
  "C:\Program Files (x86)\SUDT\SUDT SerialNull\Install.exe" -u
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Checks SCSI registry key(s)
  PID:2400
- C:\Program Files (x86)\SUDT\SUDT SerialNull\Install.exe
  "C:\Program Files (x86)\SUDT\SUDT SerialNull\Install.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:3060

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:804
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{8ffaeb9e-8f18-bb41-8be4-9c4c56772c1e}\snbus.inf" "9" "4c49640e7" "0000000000000100" "WinSta0\Default" "0000000000000158" "208" "C:\Program Files (x86)\SUDT\SUDT SerialNull"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID:2092
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{05a4a71f-6e97-f64c-85df-42a2411c4447}\snserial.inf" "9" "449a1470b" "0000000000000158" "WinSta0\Default" "000000000000015C" "208" "C:\Program Files (x86)\SUDT\SUDT SerialNull"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID:3148
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{4a66c3a3-cd07-054d-bb91-b6ffe7c5e4e4}\snbus.inf" "9" "4c49640e7" "000000000000015C" "WinSta0\Default" "000000000000017C" "208" "C:\Program Files (x86)\SUDT\SUDT SerialNull"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID:1676
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{8b9396b0-5480-744f-ba59-2bf8c5470c1c}\snserial.inf" "9" "449a1470b" "000000000000017C" "WinSta0\Default" "0000000000000100" "208" "C:\Program Files (x86)\SUDT\SUDT SerialNull"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID:4480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\SUDT\SUDT SerialNull\SerialNull.exe

Filesize
193KB

MD5
cfe544e042b57980bdc5c044e64d06a3

SHA1
38057e44e41d5eeb706e2e27b35b8e8d87d0fb24

SHA256
502f20ca9cf7259a73217d3144fdd2aefb697b997717b5a16e9c92a2d276afc9

SHA512
f741ac253760e579d9d0a10667863987ae35fbd806bbea9bef36f1062a7fea24358336d778970f44390576702568355c768453a9188ef9a9c13b84f88efd3e50

Download Submit
C:\Program Files (x86)\SUDT\SUDT SerialNull\install.exe

Filesize
57KB

MD5
242b49803d0dc2c25486ab866d8516cb

SHA1
8d4302a242f4e3be1678e21e9bf79cc27f123e7d

SHA256
0d03931dae04b1d6cae8d3745c3aff6315e0df8c6b0bb2589fe77b50580e88f6

SHA512
02ba717114ac8fe22898356403065203d719e97b6bc4ececaf849fb21e02529bf54f367bd3468103045cc63a60c77935d8efa04fec67f6d80b60e43067966577

Download Submit
C:\Program Files (x86)\SUDT\SUDT SerialNull\snbus.inf

Filesize
1KB

MD5
96d0078ea02ed681f67d8c8e6409473c

SHA1
a45fad9dc80b4e74b0ec31af2187b0e4b6cfee3b

SHA256
3804a768e956d3f30666258972b3215b738fdd58383b8ea808d31042f4fda439

SHA512
e53e058248544cdbcf219130ba4ec3dce6e6885745064e8da52174490b348952b72addb7bc45625d73521fea7c290f1698adc1efeada744a8eda08f7008247b3

Download Submit
C:\Program Files (x86)\SUDT\SUDT SerialNull\snserial.inf

Filesize
1KB

MD5
c2aeabdadd719d5ff4097c4fe2995af7

SHA1
39cca12c94d4ba8aa41a6560a00b031de6899606

SHA256
392e836b5a9cdbba0f9b4eb8346a6c0281c134c070a40d99a2c71ad0d2362520

SHA512
7854dce413a860dde871d143480fc21ddbd2441516d9a913f568883aec726f0d45d5385dc2ac9fdf449babef2c72715378d683b097f869fd4f6ec6fe54281d38

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaA077.tmp\Header.bmp

Filesize
27KB

MD5
f12f2234e5496f8518390223324d8b1c

SHA1
6e470e2b41ad38422a5beb4e7f4d28b721dcf2a5

SHA256
46fbe97a281202d59414e0ca9a68009b8423ff5fdbc0027f4a309b588c9af7ec

SHA512
d83aed727d741e1e7d036a2c4021195b46ec474e021486d5f699b2a651d27287af5aabab9772232ee57c6856670d128b21db356f061396ebf779ceaca0af36d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaA077.tmp\LangDLL.dll

Filesize
5KB

MD5
83c5a8e90cd10cb31a9215eb4421341f

SHA1
52ddbbfa955936f87516c52b2bb679a6b4363e22

SHA256
da006773e11871b8834036c30acab8fabcce2c9e9f52bb2b425f947bdf33f7c6

SHA512
46c20fd762a643028f3c4287ed3dbd762bc1cd17ee5ad1d90cbad23f15901fbab14b726d7f3e45eeb370fb6a2ee5268a2e9ebaae7ab6067c855361d24fc806a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsaA077.tmp\System.dll

Filesize
10KB

MD5
d4d09da0218ba046a66a294f0cca9dfe

SHA1
417b1acdeb0a4de6ac752a93080ca5b9164eb44b

SHA256
9090e47d239aa1da9598a483861165e0153c01ad9ff9d65cb6c0f4497a1da5b3

SHA512
3bc9a65842301dab56c139cc5a3457158d37ef294583728c93da1e11ae457df9551b0f8fbd03d5ea3058f3bc794d0ede57ea3efd5d663b45d25647a39cd955bf

Download Submit