c68acde54d602e9acf20b3e5148e6b0d933a2353201337a0b97828ab1b7de340

General

Target

EAappInstaller.exe
Size

2.4MB
MD5

f1110a1901aaedae7e072440d8b49e18
SHA1

ebc8448a611d3dcd7ba79fb5441eae1dfd09d409
SHA256

c68acde54d602e9acf20b3e5148e6b0d933a2353201337a0b97828ab1b7de340
SHA512

d67f2350684e044131cb370722750eaad8acba047f550c5c738daf279cc93e53b7e55a6af5829e4bd1e26cb7039a0b9600d45f5f14e42860bc7f367b39546be1
SSDEEP

49152:vT2pZ1kX9GzOcAxgjXE5AcjPqVA9RF2qs/4:vT0cXYKPxY05AcjPhRF274

Score

7^/10

discovery evasion trojan

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Control Panel\International\Geo\Nation	EAappInstaller.exe

Executes dropped EXE 1 IoCs

pid	Process
1420	EAappInstaller.exe

Loads dropped DLL 2 IoCs

pid	Process
1380	EAappInstaller.exe
1420	EAappInstaller.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	EAappInstaller.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	EAappInstaller.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	EAappInstaller.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1420	EAappInstaller.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1380 wrote to memory of 1420	1380	EAappInstaller.exe	28
PID 1380 wrote to memory of 1420	1380	EAappInstaller.exe	28
PID 1380 wrote to memory of 1420	1380	EAappInstaller.exe	28
PID 1380 wrote to memory of 1420	1380	EAappInstaller.exe	28
PID 1380 wrote to memory of 1420	1380	EAappInstaller.exe	28
PID 1380 wrote to memory of 1420	1380	EAappInstaller.exe	28
PID 1380 wrote to memory of 1420	1380	EAappInstaller.exe	28

C:\Users\Admin\AppData\Local\Temp\EAappInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\EAappInstaller.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1380
- C:\Windows\Temp\{ACF3C812-A838-4EB5-AC00-58A6093AE45E}\.cr\EAappInstaller.exe
  "C:\Windows\Temp\{ACF3C812-A838-4EB5-AC00-58A6093AE45E}\.cr\EAappInstaller.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\EAappInstaller.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  PID:1420

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab1B41.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Windows\Temp\{ACF3C812-A838-4EB5-AC00-58A6093AE45E}\.cr\EAappInstaller.exe

Filesize
2.4MB

MD5
f1110a1901aaedae7e072440d8b49e18

SHA1
ebc8448a611d3dcd7ba79fb5441eae1dfd09d409

SHA256
c68acde54d602e9acf20b3e5148e6b0d933a2353201337a0b97828ab1b7de340

SHA512
d67f2350684e044131cb370722750eaad8acba047f550c5c738daf279cc93e53b7e55a6af5829e4bd1e26cb7039a0b9600d45f5f14e42860bc7f367b39546be1

Download Submit
C:\Windows\Temp\{ACF3C812-A838-4EB5-AC00-58A6093AE45E}\.cr\EAappInstaller.exe

Filesize
2.4MB

MD5
f1110a1901aaedae7e072440d8b49e18

SHA1
ebc8448a611d3dcd7ba79fb5441eae1dfd09d409

SHA256
c68acde54d602e9acf20b3e5148e6b0d933a2353201337a0b97828ab1b7de340

SHA512
d67f2350684e044131cb370722750eaad8acba047f550c5c738daf279cc93e53b7e55a6af5829e4bd1e26cb7039a0b9600d45f5f14e42860bc7f367b39546be1

Download Submit
\Windows\Temp\{7912F5E6-049C-43AC-BB28-E4EAC0122927}\.ba\juno-bootstrapper-application.dll

Filesize
3.1MB

MD5
8785b794b2bb04e565a2693ebec4a3e8

SHA1
58accc1e18e95596cf7049c2424acb2fbd5a6ffc

SHA256
874b69fa848e33c9e5fd809c3e21e41627a9bbc0448984498d1ae8c99e14d2cf

SHA512
e167bda94ffc0395e1c248fc537017c8bb1215985c0873e57a1a676295ff5d3b729cf19ea7527dcd2b8d91089f5103a0740378d3d1c363f80f6934bb7aeb698b

Download Submit
\Windows\Temp\{ACF3C812-A838-4EB5-AC00-58A6093AE45E}\.cr\EAappInstaller.exe

Filesize
2.4MB

MD5
f1110a1901aaedae7e072440d8b49e18

SHA1
ebc8448a611d3dcd7ba79fb5441eae1dfd09d409

SHA256
c68acde54d602e9acf20b3e5148e6b0d933a2353201337a0b97828ab1b7de340

SHA512
d67f2350684e044131cb370722750eaad8acba047f550c5c738daf279cc93e53b7e55a6af5829e4bd1e26cb7039a0b9600d45f5f14e42860bc7f367b39546be1

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads