b0669b7c7af17ac57206e5763439af214c3ac95f78f54c725cd4755f313b42a7

Resubmissions

17-01-2025 02:42

250117-c64j4szpbj 10

14-01-2025 02:47

250114-dacl7axjdr 10

12-01-2025 05:53

250112-glgbas1pdp 10

06-01-2025 23:08

250106-24x2zstrcm 10

Analysis

max time kernel
5s
max time network
6s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-01-2025 05:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Set-up.exe
Size

1.1MB
MD5

66f7c3478c05fc5076831c995d1aa078
SHA1

87768180fdaec44732d4b6594ca2581f6f98f4cd
SHA256

b0669b7c7af17ac57206e5763439af214c3ac95f78f54c725cd4755f313b42a7
SHA512

9c11ad42729e31fd2d1dc02707d2a10837c0cda919516fd49c2b539e98959f2ca2e64e3887b3576f507c69bc923702ec7ae2dc71b450a82440011b824bc684a8
SSDEEP

24576:giC44xR9ylHUJpixIJB4eWlhpJTXaNDBoSQp/YFoA9:cNp3eQ0JTXarM/YFoY

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Set-up.exe

Executes dropped EXE 1 IoCs

pid	Process
5068	Speeds.com

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
3448	tasklist.exe
2064	tasklist.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\CompaniesWeb	Set-up.exe
File opened for modification	C:\Windows\StylesArmy	Set-up.exe
File opened for modification	C:\Windows\HazardIndianapolis	Set-up.exe
File opened for modification	C:\Windows\AveLiked	Set-up.exe
File opened for modification	C:\Windows\PuzzleGorgeous	Set-up.exe
File opened for modification	C:\Windows\PussyManager	Set-up.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Set-up.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Speeds.com

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
5068	Speeds.com
5068	Speeds.com
5068	Speeds.com
5068	Speeds.com
5068	Speeds.com
5068	Speeds.com

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3448	tasklist.exe
Token: SeDebugPrivilege	2064	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
5068	Speeds.com
5068	Speeds.com
5068	Speeds.com

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
5068	Speeds.com
5068	Speeds.com
5068	Speeds.com

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 3644 wrote to memory of 4584	3644	Set-up.exe	82
PID 3644 wrote to memory of 4584	3644	Set-up.exe	82
PID 3644 wrote to memory of 4584	3644	Set-up.exe	82
PID 4584 wrote to memory of 3448	4584	cmd.exe	84
PID 4584 wrote to memory of 3448	4584	cmd.exe	84
PID 4584 wrote to memory of 3448	4584	cmd.exe	84
PID 4584 wrote to memory of 1500	4584	cmd.exe	85
PID 4584 wrote to memory of 1500	4584	cmd.exe	85
PID 4584 wrote to memory of 1500	4584	cmd.exe	85
PID 4584 wrote to memory of 2064	4584	cmd.exe	87
PID 4584 wrote to memory of 2064	4584	cmd.exe	87
PID 4584 wrote to memory of 2064	4584	cmd.exe	87
PID 4584 wrote to memory of 2380	4584	cmd.exe	88
PID 4584 wrote to memory of 2380	4584	cmd.exe	88
PID 4584 wrote to memory of 2380	4584	cmd.exe	88
PID 4584 wrote to memory of 2172	4584	cmd.exe	89
PID 4584 wrote to memory of 2172	4584	cmd.exe	89
PID 4584 wrote to memory of 2172	4584	cmd.exe	89
PID 4584 wrote to memory of 3444	4584	cmd.exe	90
PID 4584 wrote to memory of 3444	4584	cmd.exe	90
PID 4584 wrote to memory of 3444	4584	cmd.exe	90
PID 4584 wrote to memory of 4496	4584	cmd.exe	91
PID 4584 wrote to memory of 4496	4584	cmd.exe	91
PID 4584 wrote to memory of 4496	4584	cmd.exe	91
PID 4584 wrote to memory of 4220	4584	cmd.exe	92
PID 4584 wrote to memory of 4220	4584	cmd.exe	92
PID 4584 wrote to memory of 4220	4584	cmd.exe	92
PID 4584 wrote to memory of 5080	4584	cmd.exe	93
PID 4584 wrote to memory of 5080	4584	cmd.exe	93
PID 4584 wrote to memory of 5080	4584	cmd.exe	93
PID 4584 wrote to memory of 5068	4584	cmd.exe	94
PID 4584 wrote to memory of 5068	4584	cmd.exe	94
PID 4584 wrote to memory of 5068	4584	cmd.exe	94
PID 4584 wrote to memory of 4212	4584	cmd.exe	95
PID 4584 wrote to memory of 4212	4584	cmd.exe	95
PID 4584 wrote to memory of 4212	4584	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\Set-up.exe
"C:\Users\Admin\AppData\Local\Temp\Set-up.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3644
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c move Spice Spice.cmd & Spice.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4584
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3448
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1500
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2064
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2380
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 436262
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2172
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Cheap
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3444
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "Projection" Bibliography
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4496
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 436262\Speeds.com + Business + Namibia + Seattle + States + Supervision + Guaranteed + Snow + Ti + Advantages 436262\Speeds.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4220
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Consultant + ..\Homes + ..\Magnetic + ..\Jewellery + ..\Kitty + ..\Makes + ..\Charged n
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5080
- - C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\436262\Speeds.com
    Speeds.com n
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:5068
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\436262\Speeds.com

Filesize
2KB

MD5
0b0757d63d90e5a9024f7f089b03f283

SHA1
b9c6aee935d1a90d9513d031e81621f3afc6e3db

SHA256
661ec5672647232f76fa7f58be55099f2db70832a30e4d2b67464c047f116f1d

SHA512
90b6390cdd66445b6679220c16062f5f2765052abfa24f137771297a005c101bd02ee2b49ad996fa9b527bce6537ed776ac2726775ff815c1fdcc5756d59f20e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\436262\Speeds.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\436262\n

Filesize
508KB

MD5
3116a3f04c1846ac0d15a1d06dc7ba1c

SHA1
dc22823f0c2a3c1edff41fa84d9c3b5ccdca5f84

SHA256
fa7fc8f001eea27adea8eb6be994ed120a79fddc1c769755e5ee93e1ce1f0f5f

SHA512
c0b261bcb5181a5ae2d67254ff7d814b7c4ef4b59dd50dbf2369132c36704d2752d795192355577c9da7b6bc3b9ee414eee970a804ce8683d24a14d305f97caa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Advantages

Filesize
9KB

MD5
2db499d040a1bfc89e7640193406b961

SHA1
a70ce0ee46ea92972ed69a401a93b39cebdad2f0

SHA256
13d612e6aea258d8e6e52a11c2bbca91a3857c010ea9ceca3500d650ddb7c51b

SHA512
45d7a70ed002c69746aa0458f41db2b2bc8c948e639e57fe0dd5fa8acdb63fe057d445e659fd2db0c1a3e823de1b8a8bb4adb67b8930d1e5a214e8c4e1386d11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Bibliography

Filesize
2KB

MD5
abd352ea5ed60166c2a61a44bcc60df4

SHA1
1f475862b8fa4a6611ddbf492f1bb832eb676129

SHA256
f9e653d6da8ff3eb2598bcb2a06434a3a788a27f3b3d2eee98447563c0eb629d

SHA512
ac2bb72355c72aa131e7072a91041d5e84f57921e8551a69ee09d543ad20111f2892a76117c996eb8411a1a6856019d60c9f880f234cc4457a0b360c0b1e14a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Business

Filesize
145KB

MD5
f233d02956728b22042bbaecd44b88ca

SHA1
17f7b7cfb477896c0cfac1dd268a35713ff58f34

SHA256
6cb1ac9e0628fda2644691a900479634e7a2055bfeb306be6b12ba9f97ff869e

SHA512
c73d65fc0e2bba3b1b26816cf229a8ee40d11e72f842fa75e273a465e707d7fbb91bfd7addd7cc4d8e24c74b5322d57fc9c2410d88c95267e509701e2c7fdf84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Charged

Filesize
60KB

MD5
7ddf15938b975dd3beba0bae5b370aac

SHA1
e4af1e13f17051f3aec6519e9790b00e9b01398f

SHA256
55c8fe9b320ebdeff4dfc5e71fb5de5066a640025356c099f8064b43537af222

SHA512
1e815612a3070f5bc76d3ac1417369df88ef52c6dccbce13742fd175e72a34c32c34ecf3363af193bcfb9e2d1c214869040faca0178fb31a1ffb70a44a239dd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Cheap

Filesize
477KB

MD5
b75b04863ca47ca9eaf26134e6af93fb

SHA1
ab2c3acb03019a22d053939e7767c26a0fd215d5

SHA256
441949efd57076c763e6816bb6f4f4010d79b22e2387b9044ef83ef03fc139f8

SHA512
b931e399c9d8036881f847ec6af5bf5186a5f402231628f1bc37c64a27b6b08d298c1326e7ffb40206c79a101a5a78a9732d8b813588780d4948b072433eb416

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Consultant

Filesize
69KB

MD5
872dbdf47a928a98c480d08edd43846d

SHA1
11da1832df3527110fa64f683c37ea4359689cfe

SHA256
9243a1f850d1bc269c6a69851f5915c646c56cabe007b10b06a54f8efd1ba503

SHA512
89b12431d0692f68065393cf51eb522251c1064cf14b2127b38860198385dd752b1011a0e35bd7f61be772dd97553712db39b66dc0c8d3d7713ea8751396900b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Guaranteed

Filesize
113KB

MD5
ad486ed247a8a8e27c4a46c8139757b6

SHA1
41ad8100c999133c1ad8442da32f575ef31f312b

SHA256
96f26c88dad7a5d48605b1b986d24fcf693b5f3d30fcc29a202f7e2ab27da915

SHA512
a118d4a4d2b49e29e259619497344dd0ef84cd72b885143b07ec57359a391dd8584af73d36d7a8afec11d4455aa3b70402637ebb081a4aa0261cfff5755eac52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Homes

Filesize
54KB

MD5
809a0546476589eaee4e818e30bca5e0

SHA1
0567ad9b4dc58ec6076ac8676c4d400bb1e11f0b

SHA256
eb8fda163946f7c2d7bfc81c2d545748c423f49e8fcf17b4a05af42f9a322700

SHA512
76795769e7614122cdcc01262c47cbe4e7f232bd2edb0ed70437a2e9fa473181b9cf6a9a9b22872a7b27d8876d86e99c754fe5852317982e9e874eafc36db7b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Jewellery

Filesize
62KB

MD5
a7981c10c733eac00d52617b85b06755

SHA1
9a6a435218affa8ec4295e2e64b08e45f09a4f8f

SHA256
d695d1882c9270c4a42fade6c3ed4716550af17091a4cd74c6989ac1919a4ff0

SHA512
7526655d847f265e55932ce93831af6bf73b8d9471a339e6cc92dd7beddfe3330527208262db1a1dc55ae4b75337d9c59899fe869590bab20911760558f552ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Kitty

Filesize
80KB

MD5
03101d52a75fb99a2398fcba4ae688e5

SHA1
98cfb8268940bd60cdf6bfb24a30a5f86fee5a56

SHA256
9cbccce36a286f88967626e387ac295b6907b3669d5aa0784511dec8a5e6e041

SHA512
0978d188221a9b338c4d8dc06c3110de8a5f26b788021e4ed90b6f6782899461d3061e18620bb55536f6766557ff6d54c6d49759b4d32d974c409d766f1809de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Magnetic

Filesize
98KB

MD5
f6c01a9b9e3e77513489bc1bda742bc0

SHA1
dc6df8c31f098b789fdd22a43be5e77958b97c8f

SHA256
dcd7845c77fb63b78b0d2c0e14e387c6312fab8a41269673841bb76e8fc3550f

SHA512
5affc76efe48140746e08dcbef39244d3207c488eabc3427fb716b6c56ce5a3790a388f38fc563a23a332c367f705bbaad213cc440810bb4869dd4f989000d8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Makes

Filesize
85KB

MD5
42eacde64ff1b221406fdc1f1b682f88

SHA1
b5e491daf65c58b8d964be8a515fbb8d2b2783c1

SHA256
04b2d94d1fd0aba93a76322b0664185736a828453770ad671d4c85e356ca68f1

SHA512
9431c564acab520ebeeb0e641108c79d0bdaa950bb4655c2fa45d4e41dab5a3d9a2e3cccbe7a1ab7590e27a7f12f7e83d2e944f722f929ebe7f45f8d058bb04e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Namibia

Filesize
137KB

MD5
4b52dc1da166ceb21950a00cbaec142a

SHA1
bea61fea47a9a34a0021df1c42609a72561da961

SHA256
0b15c634aec2503a973ac51b8c9e7df1b52ccbcb31c04020e809c3822246c369

SHA512
ea3b650b0ee3f33f3df0d1ea7bd9de3691f622b051a6b2f3f4445dfa58bd6219f05fb93be384ee9307abf31175097c71ba3ec3bc1aa17e1eedded8fda370d313

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Seattle

Filesize
124KB

MD5
75e725190a03d747f4cc75c8c72b614e

SHA1
f3d2c5129ad614e2f4b7dd0bcebe71c1eb6e98c9

SHA256
43bfe25ffbb727c54b5357d9b4e97dfcbd0da708819dd5bd02b30bc6afeeb48f

SHA512
168bb2582b12c20502e56faf5a084ed440ba40c0d3e74aeec4d1b8dbb16a768c27b6b790d6017f78ed22b306be65456ef18bea2f813ee05d56d9eed00fcdc0ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Snow

Filesize
86KB

MD5
45647a079988a74af0493edeaa1fd868

SHA1
8092731280bd574ae0e23619846ded72aaa86786

SHA256
ba3e7e4bc727d21ea6a4554f7f21ec44851c1ab9584c76818733530f0c85ca49

SHA512
afd20508d5c1443232f4e15330d96a1b878b40db21ac14e053b9858104d603cba5769a0f9157226edced3bf5cb1580248f93d8022f86763c4c0795f2181d792f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Spice

Filesize
30KB

MD5
b68bbaaa205a6e08bdfbb96c6779a9e4

SHA1
398cf8f083202cb48d74a0791fac852187d758f4

SHA256
91e15f040ca367027e4842e2e85f3dbdf014428ba9ae62885d54124fe75d530d

SHA512
fe480aae66aa2ba0721ef0d762777eb6339184a825b623bcd43dee86fa5bc31c8f64f3d45a9da52a661ea299ad96a82be86899c92773b8accae6069257c1ff32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\States

Filesize
145KB

MD5
bee64a1975f7467e3a9c530b5be5a9cb

SHA1
c7bfdd5a5295fcfd37a5d04950b1dad19dca3f80

SHA256
5c3b7a9fa2397cc80de9f1bdbe85c11fc53f7e7dda6edd8936b079dd989689ef

SHA512
7288d58cc0b644c7dde4d598470db31c6175fca87e7666bd5032f5b46569547866d4b4ea9900c7cd614e7b87fb8c55b84897fa0b48d5b7c0e8a37446f72007d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Supervision

Filesize
110KB

MD5
4dc21cd846bd9ca6d21015a030b85ba8

SHA1
6010cd5467f9d75b46695a4aa8407cc6f6e2936e

SHA256
8e29affa0895283638652b9f23c61b30aa9dda123b3271a641bb46f7e3378676

SHA512
154444ee9f960b927c5302c8b690ae68e35571bb670466de542ace50df5dbef2f9a22b88caf2e6e47ef45227e57248305d4a132b9c5ff47da6b4e5399e4c5645

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Ti

Filesize
53KB

MD5
48854b976de62245a8824b54c5e4e14b

SHA1
ab6a7cd58992d8fc5faae9ff43506635b035cd18

SHA256
902a6c914d31bcfb40333766093f98691231e658189a130241bcf3f26ec5af76

SHA512
a7dbc84b2f91b4738439501d64782b28fd237190b591d4176bdee47d40e7ada1ff7d6a00ead5f81bad04a198f3c63310f53ff2052be536280c7fc5edd8182a10

Download Submit