805224152e3498356300d6b536c2052aee8a31150a0f4481e10fb0bd1f55e9bc

General

Target

Advanced SystemCare Ultimate 16.1.0.16 Multilingual/asc-ultimate-setup.exe
Size

113.4MB
MD5

c7b9560dddfa8436769c5162770ef870
SHA1

7b2ff2731e3966c66b9c5625e67f0aa0a3432fd7
SHA256

8d908e4a84c02e78b5a686d23495911dc8890a1390fa53257d1c086cc1f73586
SHA512

8d704012508116bbee90aff7d7573fcecd0daad48bd06531f258ecc90d2569fec475bbcc670ba5a2e8aab6fc683e57619d98b9a091891b3dcc8883e52df62ad6
SSDEEP

3145728:bpcxWk8OLHSygLsWURNbzy6TLf4T0OttvrWA0p:Db54WUPbzRD4TlSA0p

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

asc-ultimate-setup.tmp

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	asc-ultimate-setup.tmp

Executes dropped EXE 2 IoCs

Processes:

asc-ultimate-setup.tmpSetup.exe

pid process

1412 asc-ultimate-setup.tmp
1532 Setup.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Setup.exe

pid process

1532 Setup.exe
1532 Setup.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Setup.exe

pid process

1532 Setup.exe
1532 Setup.exe
1532 Setup.exe
1532 Setup.exe
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Setup.exe

pid process

1532 Setup.exe
1532 Setup.exe
1532 Setup.exe
1532 Setup.exe

pid	process
1412	asc-ultimate-setup.tmp
1532	Setup.exe

pid	process
1532	Setup.exe
1532	Setup.exe

pid	process
1532	Setup.exe
1532	Setup.exe
1532	Setup.exe
1532	Setup.exe

pid	process
1532	Setup.exe
1532	Setup.exe
1532	Setup.exe
1532	Setup.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

asc-ultimate-setup.exeasc-ultimate-setup.tmp

description	pid	process	target process
PID 1916 wrote to memory of 1412	1916	asc-ultimate-setup.exe	asc-ultimate-setup.tmp
PID 1916 wrote to memory of 1412	1916	asc-ultimate-setup.exe	asc-ultimate-setup.tmp
PID 1916 wrote to memory of 1412	1916	asc-ultimate-setup.exe	asc-ultimate-setup.tmp
PID 1412 wrote to memory of 1532	1412	asc-ultimate-setup.tmp	Setup.exe
PID 1412 wrote to memory of 1532	1412	asc-ultimate-setup.tmp	Setup.exe
PID 1412 wrote to memory of 1532	1412	asc-ultimate-setup.tmp	Setup.exe

C:\Users\Admin\AppData\Local\Temp\Advanced SystemCare Ultimate 16.1.0.16 Multilingual\asc-ultimate-setup.exe
"C:\Users\Admin\AppData\Local\Temp\Advanced SystemCare Ultimate 16.1.0.16 Multilingual\asc-ultimate-setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1916

C:\Users\Admin\AppData\Local\Temp\is-4VS2O.tmp\asc-ultimate-setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-4VS2O.tmp\asc-ultimate-setup.tmp" /SL5="$90054,118347133,137216,C:\Users\Admin\AppData\Local\Temp\Advanced SystemCare Ultimate 16.1.0.16 Multilingual\asc-ultimate-setup.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1412

C:\Users\Admin\AppData\Local\Temp\is-QQM28.tmp\Installer\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-QQM28.tmp\Installer\Setup.exe" /InnoSetup "C:\Users\Admin\AppData\Local\Temp\Advanced SystemCare Ultimate 16.1.0.16 Multilingual\asc-ultimate-setup.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1532

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\IObit\iobitpromotion.ini
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4VS2O.tmp\asc-ultimate-setup.tmp
Filesize
1.2MB

MD5
6ff5b536aec6f2d7a0fac8ad7582e4e9

SHA1
91fb5762d75a2f029d01cdd5a11931a708225e4b

SHA256
075530d514250142495f5f0bf0ce4cb0421817f37e838474878d4a01ccc2ce77

SHA512
555cc85d6efb8424a2b58781c9701e7018fb1507ed30331f549550cf86f89e608d335cecba1237039c943b65ae1053df4de3dc6ed118d91124a727e0d4834abc

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QQM28.tmp\Installer\Setup.exe
Filesize
5.8MB

MD5
031feeefd260d8bec08d5fec95e4f868

SHA1
3ec998553d49cb96a9b3d2efa3ae94e7f1b5167d

SHA256
521be3e2c30bb20ad04de81919c59d5e5a8775858695617dfe8a91b3c220d082

SHA512
2ddf3245c09cbc5d688e6d07a811296ca0462eb6ffbbaac054ccbae17d51c2a546c7e56cd0e68ec706a5b65cb0e5f73bb48283d8c5db46d6142acd45726d7971

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QQM28.tmp\Installer\Setup.exe
Filesize
5.8MB

MD5
031feeefd260d8bec08d5fec95e4f868

SHA1
3ec998553d49cb96a9b3d2efa3ae94e7f1b5167d

SHA256
521be3e2c30bb20ad04de81919c59d5e5a8775858695617dfe8a91b3c220d082

SHA512
2ddf3245c09cbc5d688e6d07a811296ca0462eb6ffbbaac054ccbae17d51c2a546c7e56cd0e68ec706a5b65cb0e5f73bb48283d8c5db46d6142acd45726d7971

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QQM28.tmp\Installer\Setup.exe
Filesize
5.8MB

MD5
031feeefd260d8bec08d5fec95e4f868

SHA1
3ec998553d49cb96a9b3d2efa3ae94e7f1b5167d

SHA256
521be3e2c30bb20ad04de81919c59d5e5a8775858695617dfe8a91b3c220d082

SHA512
2ddf3245c09cbc5d688e6d07a811296ca0462eb6ffbbaac054ccbae17d51c2a546c7e56cd0e68ec706a5b65cb0e5f73bb48283d8c5db46d6142acd45726d7971

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QQM28.tmp\libcrypto-1_1.dll
Filesize
1.7MB

MD5
bad060da916a4052776de9ca68ed0815

SHA1
8ef57a64796a757e48f4fb8e5c158a4a73da443c

SHA256
cbedd906e3ab732989ebda44dbd91923099f579fa6930319e1c5fcddd1c373a5

SHA512
3a761a7bd5d76251db33fe3482f74a75fe97b7d8b6eb1799cd7dc5f191b274b22e519aa924772244d4e78697faa8d7362e6a5fbde05328b095440a3154d2ff62

Download Submit
C:\Users\Admin\AppData\Roaming\IObit\Advanced SystemCare\Main.ini
Filesize
67B

MD5
d443da85e200e50201f324502e0cb6ab

SHA1
45ef99f200a56ce9783341decb81be81345cf3a8

SHA256
c9e4547007e5bc455f54a2623d470fc4235d17caaad2c07efff41651ef7ae42d

SHA512
13b9638e490eb395ee9277dd30aecad9990ffb3eb4bfa6a6a3c4ea20a23e63815025728771ff3e8ec46162af32271866c0e17d2f459375a8083eff4bf451b727

Download Submit
memory/1412-142-0x00000000006E0000-0x00000000006E1000-memory.dmp

Filesize
4KB

Download
memory/1412-166-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/1532-170-0x00000000041D0000-0x00000000041D1000-memory.dmp

Filesize
4KB

Download
memory/1532-173-0x0000000004280000-0x0000000004290000-memory.dmp

Filesize
64KB

Download
memory/1532-192-0x0000000000400000-0x0000000000A18000-memory.dmp

Filesize
6.1MB

Download
memory/1532-193-0x00000000041D0000-0x00000000041D1000-memory.dmp

Filesize
4KB

Download
memory/1532-194-0x0000000004280000-0x0000000004290000-memory.dmp

Filesize
64KB

Download
memory/1916-169-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1916-133-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing