Overview

overview

7

Static

static

1

WinSCP-5.2...up.exe

windows7-x64

7

WinSCP-5.2...up.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    60s
  • max time network
    65s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-04-2023 12:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    WinSCP-5.21.7-Setup.exe

  • Size

    10.9MB

  • MD5

    4b6dcc18e7ea50caab02f11d9abb3dee

  • SHA1

    fd36c8ff64d2cabb7c35bb2e9100f5245544ecf2

  • SHA256

    6f8ba50c67083504a4dbc064f0d7e172ee9205db65557a12fd3193749fb8651b

  • SHA512

    ef9c0dbfb52919c3d420320406e3487892a5be30aa275d32981e799cb4711abe54e11085c3c9131073a0e012763db994acd0039c36475b0c35ebe54fe84a8a63

  • SSDEEP

    196608:wCIA4//b/VVVLXx1is5RFZ06uhRrvh311cJGB/NP9AhXxtJUyT5:rO/r5fltZBQN5l1lB18X/JUy

Score
7/10
discoverypersistence

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 2 IoCs
  • Registers COM server for autorun 1 TTPs 3 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 61 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 64 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\WinSCP-5.21.7-Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\WinSCP-5.21.7-Setup.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:628
    • C:\Users\Admin\AppData\Local\Temp\is-RS46F.tmp\WinSCP-5.21.7-Setup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-RS46F.tmp\WinSCP-5.21.7-Setup.tmp" /SL5="$801CE,10341314,864768,C:\Users\Admin\AppData\Local\Temp\WinSCP-5.21.7-Setup.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:1268
      • C:\Windows\SysWOW64\regsvr32.exe
        "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\WinSCP\DragExt64.dll"
        3⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2084
        • C:\Windows\system32\regsvr32.exe
          /s "C:\Program Files (x86)\WinSCP\DragExt64.dll"
          4⤵
          • Loads dropped DLL
          • Registers COM server for autorun
          • Modifies registry class
          PID:2004
      • C:\Program Files (x86)\WinSCP\WinSCP.exe
        "C:\Program Files (x86)\WinSCP\WinSCP.exe" /RegisterForDefaultProtocols
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:1584
      • C:\Program Files (x86)\WinSCP\WinSCP.exe
        "C:\Program Files (x86)\WinSCP\WinSCP.exe" /ImportSitesIfAny
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:968
      • C:\Program Files (x86)\WinSCP\WinSCP.exe
        "C:\Program Files (x86)\WinSCP\WinSCP.exe" /Usage=TypicalInstallation:1,InstallationsUser+,InstallationParentProcess@,InstallationsFirstTypical+,LastInstallationAutomaticUpgrade:0,
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:2492
  • C:\Program Files (x86)\WinSCP\WinSCP.exe
    "C:\Program Files (x86)\WinSCP\WinSCP.exe"
    1⤵
    • Checks computer location settings
    • Executes dropped EXE
    • Enumerates connected drives
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of SetWindowsHookEx
    PID:772

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\WinSCP\DragExt64.dll
    Filesize

    479KB

    MD5

    5aa9eb658328c2a51dade7dae59aecf7

    SHA1

    f6718e0fc2abd4bcbf4dc248aacd4a1b383aaaf0

    SHA256

    86361a2499566dd1b06a713a790e32c59876bebcec6b0ece7b54fe871f43d4f5

    SHA512

    78f421fbe84e641d3f787cf4b17221aa45a714c33abe4b4177c13b0acd9f8d057e49852adb79d6573b11dd1ca276b966cb2266fe410de6a00e657d45493c79fd

    Download Submit
  • C:\Program Files (x86)\WinSCP\DragExt64.dll
    Filesize

    479KB

    MD5

    5aa9eb658328c2a51dade7dae59aecf7

    SHA1

    f6718e0fc2abd4bcbf4dc248aacd4a1b383aaaf0

    SHA256

    86361a2499566dd1b06a713a790e32c59876bebcec6b0ece7b54fe871f43d4f5

    SHA512

    78f421fbe84e641d3f787cf4b17221aa45a714c33abe4b4177c13b0acd9f8d057e49852adb79d6573b11dd1ca276b966cb2266fe410de6a00e657d45493c79fd

    Download Submit
  • C:\Program Files (x86)\WinSCP\DragExt64.dll
    Filesize

    479KB

    MD5

    5aa9eb658328c2a51dade7dae59aecf7

    SHA1

    f6718e0fc2abd4bcbf4dc248aacd4a1b383aaaf0

    SHA256

    86361a2499566dd1b06a713a790e32c59876bebcec6b0ece7b54fe871f43d4f5

    SHA512

    78f421fbe84e641d3f787cf4b17221aa45a714c33abe4b4177c13b0acd9f8d057e49852adb79d6573b11dd1ca276b966cb2266fe410de6a00e657d45493c79fd

    Download Submit
  • C:\Program Files (x86)\WinSCP\Extensions\ArchiveDownload.WinSCPextension.ps1
    Filesize

    6KB

    MD5

    b16082ceeb34da39af1d52adc88be7db

    SHA1

    b7719fec4c89fe09904ae5fecf96aa364914e57e

    SHA256

    beee09ea768f58f29f03025984e0ce8fe4f8fd8c9cc454d9fa3869ba679f5356

    SHA512

    bb6509a92048f4a8219ec91c9b7e75d0453ee026f91e38daab33ff7af8022f690f2e31c6b6767010ae3ae0530c854ed92a458e2c1f42d11905bb1231e32fcdf5

    Download Submit
  • C:\Program Files (x86)\WinSCP\Extensions\BatchRename.WinSCPextension.ps1
    Filesize

    4KB

    MD5

    2ed11efbb12a1e8de4197b5432321958

    SHA1

    ed6add9f956866895ed2d55115f74061d8dd9b39

    SHA256

    7e605503bc77f9fec8f5b10ee6fd1e5da273ca8b8c213985e75069a66deee649

    SHA512

    acfbcad5dfa662f336f57db7d6975df53194faf985d1c8e874936885926fe846665c1e654026a91e6a6bec2f0ace2efc1680a17212f4278136009c5a721230c0

    Download Submit
  • C:\Program Files (x86)\WinSCP\Extensions\CompareFiles.WinSCPextension.ps1
    Filesize

    2KB

    MD5

    5658e87d86c7e1f4a375e65075c73f27

    SHA1

    1928b74fa34e139051bf8a8414a45ca84e6dc070

    SHA256

    71e5fb801d2132f44cda67c65fba980347b891b138a43d2e8ded6a1825a9a510

    SHA512

    b564a2588727762a34cedb5d0b39df6477da95784bfa1dd4b97f3603c3bff0261e10409c7caad10ca364dfe76e3236c839e61213c230d4e8b4864fdcb1f0a061

    Download Submit
  • C:\Program Files (x86)\WinSCP\Extensions\GenerateHttpUrl.WinSCPextension.ps1
    Filesize

    3KB

    MD5

    7b02c62423d08d7c340a530f85261534

    SHA1

    f57fc70cac8655e1ac75abfcd83d623f83778b89

    SHA256

    737c824e719e9e5cc43048383f8d7c7717bcb35ba37e07624c855e258d3753cf

    SHA512

    1cee9e7ac2eea1e47dfa6d8a81b5d6ed0540db83d5280b9a4983f4dd23fba8de79a5833afba413f1bfa0189aae860079a671e18f37716b48b4d1a4f39038f663

    Download Submit
  • C:\Program Files (x86)\WinSCP\Extensions\KeepLocalUpToDate.WinSCPextension.ps1
    Filesize

    5KB

    MD5

    6f10dd9ca31373018e319ba80abb5532

    SHA1

    1325eab389ec9961120e0cd569b37f566a764fe7

    SHA256

    79c87ff4a8cd2a2613a22f1e0dd4c3708b652e42fc92200b50e6d4adf91e561d

    SHA512

    8f272cf4de55bd6e3d563ae5c87df035b3684c008bf64152bca1480f411413ff0999dd14dc802fcc72372313d19aff8159ccd4be48528c54963c59deba49c726

    Download Submit
  • C:\Program Files (x86)\WinSCP\Extensions\SearchText.WinSCPextension.ps1
    Filesize

    3KB

    MD5

    d26c1a56f63d3682da6e676b606894af

    SHA1

    e18ed1d358dc0026ecf64f49cc5f7b4c687523c3

    SHA256

    6b9f82c04625443346c74b907fb96d8319d22bc5a6d946fcc7a7c19c67b0757c

    SHA512

    dffbba900e510deca45f24af1786a0cd4d5f97b6c6bd6a219bdaf74d773ed42fdbbc9490dcb457063e879d46eba047225ebf40f1110e18195d53de607b4baf07

    Download Submit
  • C:\Program Files (x86)\WinSCP\Extensions\SynchronizeAnotherServer.WinSCPextension.ps1
    Filesize

    10KB

    MD5

    680bbba778a319ba57ccc5c5c9f50c03

    SHA1

    12705a80f1be125f12a5c6e8511deccdba8bbec6

    SHA256

    e73b3b68425691605d643e53ac729426b52168585d4b06234cfd8d592828b019

    SHA512

    94983f38ecbc271b5452dee0777d0b669a106a0f8a9f23bfe528412ec0c75f2d249e2fb964f71d21d5bebf0f79952bf4bdc3af18f2678a2dbb32511d1259c84b

    Download Submit
  • C:\Program Files (x86)\WinSCP\Extensions\VerifyFileChecksum.WinSCPextension.ps1
    Filesize

    2KB

    MD5

    e4eb33335b663fc23aa03ab6ef80cb8d

    SHA1

    0db1095d82e27ef352d96a8f36ac022f035ce90d

    SHA256

    dbdf82b86dd366dcc71edbae46f7008910e2be3f420b79e34159a81df1b39534

    SHA512

    4f9df209721f293896c59a4db390ca2875d705625a1151f0b1481e37db6537480cf29ea1e8311dcea0643ae8e4f130efcda27d9246f8058b2765ef1b3a98138b

    Download Submit
  • C:\Program Files (x86)\WinSCP\Extensions\ZipUpload.WinSCPextension.ps1
    Filesize

    5KB

    MD5

    3963399fcb03e28453f38d93755795a0

    SHA1

    384abd9957a9ac16805c36a44bc49de9bf757644

    SHA256

    a62d0af7080942304a27883fb986d3a3f2fa9fcefc73108a1142f968649cc872

    SHA512

    5944a51ac0bc1e6cb8e041853b2720e2790f6b0f3a69ede16eba499645b62f703fd4145ef7107ef4b64b818bc44349e3af71c0e9d8586693dacde2042c527051

    Download Submit
  • C:\Program Files (x86)\WinSCP\WinSCP.exe
    Filesize

    25.9MB

    MD5

    f787cf4c084f5143c7de0dec3505af58

    SHA1

    72a19bea7ac2937497738cdf46b76827a1ec11c8

    SHA256

    366f5d5281f53f06fffe72f82588f1591191684b6283fb04102e2685e5d8e95c

    SHA512

    16111a45ab2afe50279097d8ac654eb8651374165c0663d9e589656df509dcc85ab474799cb36ee4bb43e54611472211e310268551b06bfc3e81b01fd6b4028e

    Download Submit
  • C:\Program Files (x86)\WinSCP\WinSCP.exe
    Filesize

    25.9MB

    MD5

    f787cf4c084f5143c7de0dec3505af58

    SHA1

    72a19bea7ac2937497738cdf46b76827a1ec11c8

    SHA256

    366f5d5281f53f06fffe72f82588f1591191684b6283fb04102e2685e5d8e95c

    SHA512

    16111a45ab2afe50279097d8ac654eb8651374165c0663d9e589656df509dcc85ab474799cb36ee4bb43e54611472211e310268551b06bfc3e81b01fd6b4028e

    Download Submit
  • C:\Program Files (x86)\WinSCP\WinSCP.exe
    Filesize

    25.9MB

    MD5

    f787cf4c084f5143c7de0dec3505af58

    SHA1

    72a19bea7ac2937497738cdf46b76827a1ec11c8

    SHA256

    366f5d5281f53f06fffe72f82588f1591191684b6283fb04102e2685e5d8e95c

    SHA512

    16111a45ab2afe50279097d8ac654eb8651374165c0663d9e589656df509dcc85ab474799cb36ee4bb43e54611472211e310268551b06bfc3e81b01fd6b4028e

    Download Submit
  • C:\Program Files (x86)\WinSCP\WinSCP.exe
    Filesize

    25.9MB

    MD5

    f787cf4c084f5143c7de0dec3505af58

    SHA1

    72a19bea7ac2937497738cdf46b76827a1ec11c8

    SHA256

    366f5d5281f53f06fffe72f82588f1591191684b6283fb04102e2685e5d8e95c

    SHA512

    16111a45ab2afe50279097d8ac654eb8651374165c0663d9e589656df509dcc85ab474799cb36ee4bb43e54611472211e310268551b06bfc3e81b01fd6b4028e

    Download Submit
  • C:\Program Files (x86)\WinSCP\WinSCP.exe
    Filesize

    25.9MB

    MD5

    f787cf4c084f5143c7de0dec3505af58

    SHA1

    72a19bea7ac2937497738cdf46b76827a1ec11c8

    SHA256

    366f5d5281f53f06fffe72f82588f1591191684b6283fb04102e2685e5d8e95c

    SHA512

    16111a45ab2afe50279097d8ac654eb8651374165c0663d9e589656df509dcc85ab474799cb36ee4bb43e54611472211e310268551b06bfc3e81b01fd6b4028e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\is-RS46F.tmp\WinSCP-5.21.7-Setup.tmp
    Filesize

    3.1MB

    MD5

    cbc9e059de252e52ad2f1d6c3b215e78

    SHA1

    4111f1543d22077afa12376e3b358c14b6a4ed36

    SHA256

    5cf4783828639fd8f11310c5afcdec98566b7b041bc1ee18c554dd78faf03c96

    SHA512

    e9c306bd563e848ed9d5030e480fb992a677212883a857e7575f5fa490f98a210eae3516306e11b51e2c3931cd4105cadac8194045a299aa35cad16a17851117

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\is-RS46F.tmp\WinSCP-5.21.7-Setup.tmp
    Filesize

    3.1MB

    MD5

    cbc9e059de252e52ad2f1d6c3b215e78

    SHA1

    4111f1543d22077afa12376e3b358c14b6a4ed36

    SHA256

    5cf4783828639fd8f11310c5afcdec98566b7b041bc1ee18c554dd78faf03c96

    SHA512

    e9c306bd563e848ed9d5030e480fb992a677212883a857e7575f5fa490f98a210eae3516306e11b51e2c3931cd4105cadac8194045a299aa35cad16a17851117

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6bb54d82fa42128d.customDestinations-ms
    Filesize

    12B

    MD5

    e4a1661c2c886ebb688dec494532431c

    SHA1

    a2ae2a7db83b33dc95396607258f553114c9183c

    SHA256

    b76875c50ef704dbbf7f02c982445971d1bbd61aebe2e4b28ddc58a1d66317d5

    SHA512

    efdcb76fb40482bc94e37eae3701e844bf22c7d74d53aef93ac7b6ae1c1094ba2f853875d2c66a49a7075ea8c69f5a348b786d6ee0fa711669279d04adaac22c

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6bb54d82fa42128d.customDestinations-ms
    Filesize

    12B

    MD5

    e4a1661c2c886ebb688dec494532431c

    SHA1

    a2ae2a7db83b33dc95396607258f553114c9183c

    SHA256

    b76875c50ef704dbbf7f02c982445971d1bbd61aebe2e4b28ddc58a1d66317d5

    SHA512

    efdcb76fb40482bc94e37eae3701e844bf22c7d74d53aef93ac7b6ae1c1094ba2f853875d2c66a49a7075ea8c69f5a348b786d6ee0fa711669279d04adaac22c

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6bb54d82fa42128d.customDestinations-ms
    Filesize

    12B

    MD5

    e4a1661c2c886ebb688dec494532431c

    SHA1

    a2ae2a7db83b33dc95396607258f553114c9183c

    SHA256

    b76875c50ef704dbbf7f02c982445971d1bbd61aebe2e4b28ddc58a1d66317d5

    SHA512

    efdcb76fb40482bc94e37eae3701e844bf22c7d74d53aef93ac7b6ae1c1094ba2f853875d2c66a49a7075ea8c69f5a348b786d6ee0fa711669279d04adaac22c

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\J9MALKIGXSNIIJD871VF.temp
    Filesize

    12B

    MD5

    e4a1661c2c886ebb688dec494532431c

    SHA1

    a2ae2a7db83b33dc95396607258f553114c9183c

    SHA256

    b76875c50ef704dbbf7f02c982445971d1bbd61aebe2e4b28ddc58a1d66317d5

    SHA512

    efdcb76fb40482bc94e37eae3701e844bf22c7d74d53aef93ac7b6ae1c1094ba2f853875d2c66a49a7075ea8c69f5a348b786d6ee0fa711669279d04adaac22c

    Download Submit
  • C:\Users\Public\Desktop\WinSCP.lnk
    Filesize

    1KB

    MD5

    6174d429eb8a116749022dc3ef957c4f

    SHA1

    9bd1fdf53e9eb53d7856dab858fb41e8da2f00b3

    SHA256

    0a5a0b821c36b4ee7576f6c45d4c6ffe3118d21dcd4fe4c73108408e801d2e1f

    SHA512

    b2718969683ed27441067dfa1189a6ab3de6a308a9f50fb5a161838983d2acab7c5d17c3b6fd1c239daaf76509c7fdc4af34b37998b9dbd68e2e1cbce9fc9119

    Download Submit
  • memory/628-133-0x0000000000400000-0x00000000004E0000-memory.dmp
    Filesize

    896KB

    Download
  • memory/628-336-0x0000000000400000-0x00000000004E0000-memory.dmp
    Filesize

    896KB

    Download
  • memory/628-152-0x0000000000400000-0x00000000004E0000-memory.dmp
    Filesize

    896KB

    Download
  • memory/772-349-0x0000000001FB0000-0x0000000001FB1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/772-339-0x0000000001FB0000-0x0000000001FB1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/772-351-0x0000000000040000-0x0000000001ACC000-memory.dmp
    Filesize

    26.5MB

    Download
  • memory/772-348-0x0000000000040000-0x0000000001ACC000-memory.dmp
    Filesize

    26.5MB

    Download
  • memory/772-338-0x0000000000040000-0x0000000001ACC000-memory.dmp
    Filesize

    26.5MB

    Download
  • memory/968-307-0x0000000000040000-0x0000000001ACC000-memory.dmp
    Filesize

    26.5MB

    Download
  • memory/968-310-0x0000000002380000-0x0000000002381000-memory.dmp
    Filesize

    4KB

    Download
  • memory/968-318-0x0000000000040000-0x0000000001ACC000-memory.dmp
    Filesize

    26.5MB

    Download
  • memory/1268-138-0x0000000000CD0000-0x0000000000CD1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1268-320-0x0000000000400000-0x000000000071B000-memory.dmp
    Filesize

    3.1MB

    Download
  • memory/1268-335-0x0000000000400000-0x000000000071B000-memory.dmp
    Filesize

    3.1MB

    Download
  • memory/1268-309-0x0000000000400000-0x000000000071B000-memory.dmp
    Filesize

    3.1MB

    Download
  • memory/1268-153-0x0000000000400000-0x000000000071B000-memory.dmp
    Filesize

    3.1MB

    Download
  • memory/1268-154-0x0000000000CD0000-0x0000000000CD1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1584-302-0x00000000024E0000-0x00000000024E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1584-303-0x0000000000040000-0x0000000001ACC000-memory.dmp
    Filesize

    26.5MB

    Download
  • memory/1584-288-0x0000000000040000-0x0000000001ACC000-memory.dmp
    Filesize

    26.5MB

    Download
  • memory/2492-333-0x0000000000040000-0x0000000001ACC000-memory.dmp
    Filesize

    26.5MB

    Download
  • memory/2492-326-0x0000000003C70000-0x0000000003C71000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2492-323-0x0000000000040000-0x0000000001ACC000-memory.dmp
    Filesize

    26.5MB

    Download