405aa9de90e7eed532c8d80ba66cd199599743a8a2452f039acd78f113555a4a

Analysis

max time kernel
148s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
26/01/2025, 11:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Set-up.exe
Size

1.1MB
MD5

0d9501d1845ecc0172d0d0aff07ab6ce
SHA1

ecb39c6db530afb68817717d65bce683208dcc80
SHA256

405aa9de90e7eed532c8d80ba66cd199599743a8a2452f039acd78f113555a4a
SHA512

f3c9bf6e48f0beacd6c02b130007aabea97a3f71f9f057bf67bd969eeb0623f274e08e365cd790993456f75ccb4cac005af4c5e330458ce50753fc0c25a2592c
SSDEEP

24576:tOS2x2Z0kTRCzP+gCnkLt0y9k3mkcRCwVTKMPuz8JvWOKKH24C:sJMTRC7zCnYmy9k3oRCgTKPzeH2d

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4832	Talent.com

Enumerates processes with tasklist 1 TTPs 2 IoCs

discovery

Process Discovery

T1057

pid	Process
3652	tasklist.exe
2220	tasklist.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\StatFree	Set-up.exe
File opened for modification	C:\Windows\HotelDive	Set-up.exe
File opened for modification	C:\Windows\ArtistClosure	Set-up.exe
File opened for modification	C:\Windows\IgnoredFascinating	Set-up.exe
File opened for modification	C:\Windows\GladTraditions	Set-up.exe
File opened for modification	C:\Windows\FragrancesPsychiatry	Set-up.exe
File opened for modification	C:\Windows\AliasShopper	Set-up.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Talent.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Set-up.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4832	Talent.com
4832	Talent.com
4832	Talent.com
4832	Talent.com
4832	Talent.com
4832	Talent.com

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3652	tasklist.exe
Token: SeDebugPrivilege	2220	tasklist.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4832	Talent.com
4832	Talent.com
4832	Talent.com

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4832	Talent.com
4832	Talent.com
4832	Talent.com

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 572 wrote to memory of 3648	572	Set-up.exe	77
PID 572 wrote to memory of 3648	572	Set-up.exe	77
PID 572 wrote to memory of 3648	572	Set-up.exe	77
PID 3648 wrote to memory of 3652	3648	cmd.exe	79
PID 3648 wrote to memory of 3652	3648	cmd.exe	79
PID 3648 wrote to memory of 3652	3648	cmd.exe	79
PID 3648 wrote to memory of 1084	3648	cmd.exe	80
PID 3648 wrote to memory of 1084	3648	cmd.exe	80
PID 3648 wrote to memory of 1084	3648	cmd.exe	80
PID 3648 wrote to memory of 2220	3648	cmd.exe	82
PID 3648 wrote to memory of 2220	3648	cmd.exe	82
PID 3648 wrote to memory of 2220	3648	cmd.exe	82
PID 3648 wrote to memory of 5092	3648	cmd.exe	83
PID 3648 wrote to memory of 5092	3648	cmd.exe	83
PID 3648 wrote to memory of 5092	3648	cmd.exe	83
PID 3648 wrote to memory of 1656	3648	cmd.exe	84
PID 3648 wrote to memory of 1656	3648	cmd.exe	84
PID 3648 wrote to memory of 1656	3648	cmd.exe	84
PID 3648 wrote to memory of 2316	3648	cmd.exe	85
PID 3648 wrote to memory of 2316	3648	cmd.exe	85
PID 3648 wrote to memory of 2316	3648	cmd.exe	85
PID 3648 wrote to memory of 2024	3648	cmd.exe	86
PID 3648 wrote to memory of 2024	3648	cmd.exe	86
PID 3648 wrote to memory of 2024	3648	cmd.exe	86
PID 3648 wrote to memory of 4080	3648	cmd.exe	87
PID 3648 wrote to memory of 4080	3648	cmd.exe	87
PID 3648 wrote to memory of 4080	3648	cmd.exe	87
PID 3648 wrote to memory of 2664	3648	cmd.exe	88
PID 3648 wrote to memory of 2664	3648	cmd.exe	88
PID 3648 wrote to memory of 2664	3648	cmd.exe	88
PID 3648 wrote to memory of 4832	3648	cmd.exe	89
PID 3648 wrote to memory of 4832	3648	cmd.exe	89
PID 3648 wrote to memory of 4832	3648	cmd.exe	89
PID 3648 wrote to memory of 4876	3648	cmd.exe	90
PID 3648 wrote to memory of 4876	3648	cmd.exe	90
PID 3648 wrote to memory of 4876	3648	cmd.exe	90

C:\Users\Admin\AppData\Local\Temp\Set-up.exe
"C:\Users\Admin\AppData\Local\Temp\Set-up.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:572
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy Ati Ati.cmd & Ati.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3648
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3652
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1084
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2220
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5092
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 225549
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1656
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Edt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2316
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "bibliography" Sec
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2024
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 225549\Talent.com + Announces + Daddy + Nearby + Quilt + Blink + Dakota + Standards + Converted + Remains + Creating 225549\Talent.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4080
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Predict + ..\Buffer + ..\Picnic + ..\Drink + ..\Bathrooms + ..\Beast + ..\Hundred V
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2664
- - C:\Users\Admin\AppData\Local\Temp\225549\Talent.com
    Talent.com V
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4832
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\225549\Talent.com

Filesize
640B

MD5
b84a46c4a7eb32ada3bb8b38bce23bcd

SHA1
3ee0fb7b80071a44385bbd62afba9620661e2fe8

SHA256
91ee2e4fbeaa78bd378ba96fd80484971f7560cfe2327faec7942f38a51c0942

SHA512
429130788571a01ea7dc09fa58b35489bcfea751b759d4ca563f0f2345958c641b42504af267f2782ab38960b56082440fc50d9741dfac4991c21b2f1805b15b

Download Submit
C:\Users\Admin\AppData\Local\Temp\225549\Talent.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\225549\V

Filesize
483KB

MD5
036a89ea5e8a238be1a714858c9e5809

SHA1
5a934f48570382ea4cf3f68be56de314630c6ef5

SHA256
fed68ea46c8cf56498879d13fc957ebd0d9ed098f0c0f60419befd30b919c304

SHA512
f984f3b7ee279b08e5393b4fa90a279b331a2109174d0abecafab94d09ff23475709efc754fc636e20df1ca153669f311c043972fbb6449e5f0041548b68c5fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Announces

Filesize
98KB

MD5
3547ff8d072840d33cbf9a5f17f3093e

SHA1
130b9fcb593e261ce65c8a728333b630626e8b1d

SHA256
7305918d5fc2effb6815d6b2bd539878047df372854d7a856b472cc5e449c96f

SHA512
aa1ffc01d913fbbb590ef1d868f37793205b9362caa0a2c4838fac14292388a1e0b957f561bfa0e53b26d90cc2b9c46e560381e97a2b5226ffa5f43e6bb3d026

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ati

Filesize
29KB

MD5
0f9770521173507d73672bee100bec9a

SHA1
2cbd74d230e06be857e5535bb9727acbba50ae9a

SHA256
cffb71f2789331b6c14b2b014f0b78740e1b69329593cfb659badb0aa8b2d774

SHA512
583857d2dcf64928223a09229b7873e4986e555afee2be1aa82e62e27cb99b44fd0b8fc54029550743c92a9a65b2443c3436ac76490b8fb4d7d2e88e3676a4a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bathrooms

Filesize
75KB

MD5
212561b45580e8fce5fd107cf85f1127

SHA1
ca48ea2d763f26a781967944ac189e688ba846fc

SHA256
6752f5bb41a57134d021a39cba532cf463fbaf49dbf0788860e84a9d813e0d1e

SHA512
c17682b09dd2c42e8f7303d5c8995c4cfbc3cb07ab693a97e4e703c8dee1ae34e76c790becd9ac06873bfad0e1add77d0ed070db1ffb3212f63ae6f6ac05d6a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Beast

Filesize
78KB

MD5
5f64fc070bff77e09d5f16842ad78a92

SHA1
0662db10b5ba4ea4b20e1732d7126b9b39a2d767

SHA256
6affa56625ebd28792e68faec397d9209077a5a29e3667c3bcc1bfb87e206ec0

SHA512
d20f93ed9d8332f4fcb54140c8afcb94366fff268e0f3f2bb2eafe43796f488e25d285b7eb2b5344657998ba45382c6258532fd33f567c0caf46a769dca02e8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Blink

Filesize
95KB

MD5
f9e28138ff29de2f2052cb7ed4e8aacd

SHA1
ae4a8389ddf9a275b84f960dfb81dc88c9ff0e5a

SHA256
25c52344f2cdcf3f4261ac50e4f88966d4e5b17289092b556085659d6c8d7b37

SHA512
9998e71d2d4b81448c6ae48ca724b44ee08d7c432e584f5f9a5a42832db85433cf09c7baf78557c68448312de2876aa1cc4e6410fc560b021e4fb1d34d31144e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Buffer

Filesize
57KB

MD5
1dbcad45460f18307b90f296de4a5f61

SHA1
5f50c6167fea2a1d53d15cba44690b86f8ce5b93

SHA256
41a1afa677e51dc4597334ed40750157995f5c18a1c60dff75f8170674548b26

SHA512
19cc24c2ad066647d0840098a9e5833bf784f8ea73459f6a374c2557c0a93c4ccdfb1370b2a08f9bed53f4618192399005bd1a81518acf3f3d0c239e39a570be

Download Submit
C:\Users\Admin\AppData\Local\Temp\Converted

Filesize
53KB

MD5
9f27dfe3f3e68e75369580d0c3c81935

SHA1
c9b6f910a8ac35f66b6fba1e37790fe9e45ae128

SHA256
ffbd7f593afbc92cde0393ad39d3e8f470711bfc80f22c8d07ee9d6ddc22f3e3

SHA512
24e1f3e12ed179361fd41e2a1b56d8d80d5e1f8366226822c7d67b2e38f4f1f437707e9b9ad03a8157bc36d050ce4615ce3b304b3212f2b9e15b9f148f5f8dad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Creating

Filesize
12KB

MD5
453e312b460a5f66372d07e101831f82

SHA1
9b1fb50fa518a5cd82f44c6b50186f3a827ffd31

SHA256
f2cfa75c9dde9d8c57f106b9b576507ad17a63971eaebf575d2d01560362e5c2

SHA512
5f124163db15e45b19e7185c3abcdd39f69fc297e9c96041f9826fe1363479b8105960e81f5e3f983ad2e9e07ddb0e8264a20dac44026a45ae9df26014925951

Download Submit
C:\Users\Admin\AppData\Local\Temp\Daddy

Filesize
142KB

MD5
900900b3009af992ff9a17b24590f4c8

SHA1
8a9db14a1c6d7dbd86403d9af422c30c793b2794

SHA256
29f52fdcf1c56302f87cde70e7e01b40427cb858f4ed0ba9160db28d229f2510

SHA512
24086623da6c53940fed3680fef6881ce21dc6f00e098ae7f4171a02b7cb289627144c8ec57f11169521fea79d9661e0ccd8478acea6cb884b9ad5fe690675b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dakota

Filesize
74KB

MD5
95133df0b24a0d79def5f0a48eecb801

SHA1
fd1f7592cedbacc81e0254f7b354e190f5acd9c3

SHA256
0265efb974cb5a4c670924818608fb231302a062249282be10b9f1e66b4c1f40

SHA512
18ca8d45a88f8b9480fbf5d9854bd0f8ea347aec4b30f4e9529bcd547d7081b583bc8daca987f2be59e37b3f6d703dcba244b16fcba7e220a490a1458930e881

Download Submit
C:\Users\Admin\AppData\Local\Temp\Drink

Filesize
73KB

MD5
64c658ed7728aebe85f260ae269b7492

SHA1
13f504019964be1a9ded7ee11223d08aea806963

SHA256
59d922552ce2d6942f212abcb406f297b2da436979e372adc8c89d9e63edbb72

SHA512
3b1d647d877f5b446b236ec1a3eec107b1c6d6f3f19f373131aaf3433ab05c54a259499a5321ee518b8bbe92f304319c1a6d965787ef65d3f3a45af50654cd91

Download Submit
C:\Users\Admin\AppData\Local\Temp\Edt

Filesize
476KB

MD5
bfb945a254100ad8cebb80377752355a

SHA1
32ceb4e4ec9cc7f84b1d76e4ebce3eaf2875741a

SHA256
e44871ff385d1dc248c98f5d280241494168e639e2b995dcc410857dd0c4d087

SHA512
b666493d8ca8d81e07af4968cd29cddbce7d10ab4fedc8bc596a5fce7d655fcbf983a29c2066558c6e082b3c2f363093d5a1cb40966a634b7633b62cd8ae590d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hundred

Filesize
37KB

MD5
8163a2e64f7ff7f83f8b13e6528aaeaf

SHA1
4170ab66d3a0622051e1cf9fb966d47597c8c94a

SHA256
8db96b70ffa1ea32422ff04455b874317802b84db9f9e8947d43c6ea471e9e07

SHA512
4a45c5924e5fa94f265ea0418fee0c14076801d9c5c2432c7ff154636cac32f1d53a22331d36cfe36aa9ded1a903798c3dc59d94639fe4fc7405ace8544eb3c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nearby

Filesize
81KB

MD5
9bf5dee3202ae5711b95a17aeb426e7c

SHA1
33d2d7c8023d43b975799306a1e25587e4aed690

SHA256
18dafbbfab9131fd76c620aad3b9204e6caa220cec12a69e36355c52f8e78ae2

SHA512
18ccaec96ceb32482acf65cb0816aa1c3f8be645f4dda83f9fc81aeab66859cb928346feb3d91aa8b5f3a05eb72ffc660c3e854b03c8ee9326a2befc513147a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Picnic

Filesize
84KB

MD5
001afa91507b62ed17f6b7346cc5ab04

SHA1
dc051f381e9fa6286339c9b038261a82da1c07ef

SHA256
2f31436f0357468b7dea02e4f6aa713163fa617022c5d7d38a8e193f029a2c77

SHA512
0d3460dabadd07b428b955addece348a6ac7facff57eb570016fab15e0d0432a01d09c350a41b1b16c164497c6f46cf5bd6bdea43f661214475534f3ec264a96

Download Submit
C:\Users\Admin\AppData\Local\Temp\Predict

Filesize
79KB

MD5
8fea9137ab52e84cbfe9369902f96be5

SHA1
0cab8cc4aea578b239b36f61b993d89208a5e56d

SHA256
4a434e062769eb5f5ed8846843a0544380269a62cd1ee1b4008b93de16e1e74c

SHA512
820b50a0e3c2c952d55ab336def49dd6138c31546e26eb963eca81e2826305a4386f98f62d765dd098fd6030a8209ab8a7451e05d84a8d4fd58fca4ff2208f54

Download Submit
C:\Users\Admin\AppData\Local\Temp\Quilt

Filesize
135KB

MD5
35dddcbec1ebf6cc68b1fc220d8989f3

SHA1
551b809a64b03e33a654de4b9d46c96ee672c982

SHA256
c6de15ac7e48bdf4c6bc9907b612908ff658040e8b0116556bbf6c23042817c3

SHA512
40e6637e5ee8088af4575269bdf425d92e76d8d237da338f263b0e70a78e60ec115f4e725fa79343c8d665fddb1be73323c8d1da34c20fa00a4e4ed525c6cdb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Remains

Filesize
140KB

MD5
ff28e76b58555313c6066bb67a8064af

SHA1
d4776b427d32851d63bde563a8a40c2addd0cead

SHA256
092bd8cba38046614340fb7d3ba379412d86c5ce11fde582d613943f4ec3007c

SHA512
f957eaf1dad198e883e4fa0b434d18f62d8769a36e6bcd686f1f50d78981bd57319c7b418994560341a029bebcb8c22ff317f45784c2451c665fa471026a0cfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Sec

Filesize
652B

MD5
0ad09fb4e8557ec8c6172d809f185029

SHA1
c03453eb535830a51a5263e514e0935f5ea85114

SHA256
ac541b0d5d868dd0451806fc61274de4fc62a4ca5a13fb3852e38e588c2bdef3

SHA512
72d68ceda9931d3f0b349a79f6dd8a74c87bcbf6cfd60806268663ededa3d07b103a74a1a760a06268d3bca1cf6a4b19248b8a1f432dadbd37b4533d3033175d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Standards

Filesize
94KB

MD5
7f7f7aedd52f108988bb05c80b8e5c79

SHA1
086b8ecba23bfc847c00e3e750b8607680b37629

SHA256
934f1a92de521d91cc2b3cf2f76d12dad160cee4d34b0b4dd528f9e53372e097

SHA512
37a800028326a10ec84b84b2ad1f305e739dd6294138f9e00b9b594318ae74c18f5dd640dbf0d313294cafbd95bdcc2e4c22ed47a193629dd15feeb1224e0ffd

Download Submit
memory/4832-708-0x0000000003CF0000-0x0000000003D4D000-memory.dmp

Filesize
372KB

Download
memory/4832-710-0x0000000003CF0000-0x0000000003D4D000-memory.dmp

Filesize
372KB

Download
memory/4832-709-0x0000000003CF0000-0x0000000003D4D000-memory.dmp

Filesize
372KB

Download
memory/4832-712-0x0000000003CF0000-0x0000000003D4D000-memory.dmp

Filesize
372KB

Download
memory/4832-711-0x0000000003CF0000-0x0000000003D4D000-memory.dmp

Filesize
372KB

Download