7f937955f17bd5a00f7eb89f2d6613f93cd28773fd17c57bb73f380e8077414d

General

Target

Element Installer.exe
Size

294.8MB
MD5

411446b3177a243a1e5587e06bcbbe57
SHA1

0b03a7f9057cd03a48dc05a165ba3c29cd6dd5aa
SHA256

7f937955f17bd5a00f7eb89f2d6613f93cd28773fd17c57bb73f380e8077414d
SHA512

c68cd3672c44326e70877dd0b04bf3c54ed95416b11b66e43877aba39895c4689ce3a98e7b80b3be8fcaefff5a25f41ec9cadb6d613d1c454c93af59350e44ed
SSDEEP

6291456:/uTHeNh2KPcm20VCbCssKaYn+mGoMaZDVoxM6Xwurp14n5Csrtx5ZYm:qHeNUYVwNsKaYnqoLDVoxSUpK51zz

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	Element Installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation	Element Installer.exe

Executes dropped EXE 1 IoCs

pid	Process
680	ECA28F0.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Element Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Element Installer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4296	Element Installer.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4296	Element Installer.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1368 wrote to memory of 4296	1368	Element Installer.exe	88
PID 1368 wrote to memory of 4296	1368	Element Installer.exe	88
PID 1368 wrote to memory of 4296	1368	Element Installer.exe	88
PID 4296 wrote to memory of 680	4296	Element Installer.exe	93
PID 4296 wrote to memory of 680	4296	Element Installer.exe	93
PID 4296 wrote to memory of 680	4296	Element Installer.exe	93

C:\Users\Admin\AppData\Local\Temp\Element Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Element Installer.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1368
- C:\Users\Admin\AppData\Local\Temp\Element Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\Element Installer.exe" /UAC
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4296
- - C:\Users\Admin\AppData\Local\Temp\ECA28F0.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\ECA28F0.tmp.exe" -u "C:\Users\Admin\AppData\Local\Temp\ECA1E51.tmp.vcpack" "C:\Users\Admin\Documents"
    3⤵
    - Executes dropped EXE
    PID:680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ECA1E51.tmp.vcpack

Filesize
285.4MB

MD5
7d24c54f6ce384874819279a4aac32be

SHA1
f9661140bcebd1caeefc7a05037925b7056830b0

SHA256
63f2cbc6d2d372bcc95fced3dd4b2dd6d7c3b31415e77255454cdfe0872858b6

SHA512
c9420f66e317bdea235d250fe8018e54f56c3537d70f5894835ecdfc658d58604aefd8ed8ecf600affdcd748ff3c760ff8b392f1156cd407665c393ac677079e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ECA28F0.tmp.exe

Filesize
257KB

MD5
e32c5049f44f89c1627cb5ee575d7028

SHA1
9c82034ca14b646acfd348352585ca3ec5c5f155

SHA256
eef53268641befd16021e4f535915de763c7a1416a5e239fed35623221d6e4ef

SHA512
44e99a343f9d10cbb4d229f739e97105ef0d29e6f14822e73b72cb050db690aec7147fef8c93a81b13e893f9fc56eaef7ea264be5b374c1704ff713589b6bd6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ECA28F0.tmp.exe

Filesize
257KB

MD5
e32c5049f44f89c1627cb5ee575d7028

SHA1
9c82034ca14b646acfd348352585ca3ec5c5f155

SHA256
eef53268641befd16021e4f535915de763c7a1416a5e239fed35623221d6e4ef

SHA512
44e99a343f9d10cbb4d229f739e97105ef0d29e6f14822e73b72cb050db690aec7147fef8c93a81b13e893f9fc56eaef7ea264be5b374c1704ff713589b6bd6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ECA28F0.tmp.exe

Filesize
257KB

MD5
e32c5049f44f89c1627cb5ee575d7028

SHA1
9c82034ca14b646acfd348352585ca3ec5c5f155

SHA256
eef53268641befd16021e4f535915de763c7a1416a5e239fed35623221d6e4ef

SHA512
44e99a343f9d10cbb4d229f739e97105ef0d29e6f14822e73b72cb050db690aec7147fef8c93a81b13e893f9fc56eaef7ea264be5b374c1704ff713589b6bd6e

Download Submit
C:\Users\Admin\Documents\VideoCopilot\Models\Starter_Pack_Physical\maps\paint_can_diffuse.dds

Filesize
2.7MB

MD5
7831453a351d0b578bdd19d93055a5bc

SHA1
fe3cfb9d94cec592a4e2fdb55077d2b56a0e778d

SHA256
1b043f7d20eb449e98d3ce0aea04f5e921917410386fec00f918e51fb506076c

SHA512
9c656498ac9224d013036b2b434475b101cbfd158c364837f8b91934d6e0ff7b8d68ae9620a5f85cd9e4acc38c2b21fd6a722f633b9a9778a6ab5fe5ab1622a2

Download Submit
C:\Users\Admin\Documents\VideoCopilot\Models\Starter_Pack_Physical\maps\telephone_pole_normal.dds

Filesize
5.3MB

MD5
232124e535c852a11e14f31e98ce2cd2

SHA1
58f2d4a5d1a1d022b7f6451b900cd497576001b7

SHA256
d3f114729a0de26c1c334e5439c8dffbe386b4160df1012644210311dea3a594

SHA512
ec3ad6d3d4573a34bb8748b57a64302bbfa41723a5a5fca472793b7b7aabba50d650cfd5179ba7d65b0bc20d9633d6fe5288254d399829917de15bd47756a864

Download Submit
C:\Users\Admin\Documents\VideoCopilot\Models\Starter_Pack_Physical\maps\truck_tire_diffuse.dds

Filesize
10.7MB

MD5
d02511db630092111895ffe844a60700

SHA1
16e178ac00a20e2a5479d58de67514b17bfadd93

SHA256
5afc14c3bfa3b95e43988a22dc4f5234a3dc308bbc138a035be70ee04ff48e8e

SHA512
75fa9953f315c591817bc69a12c5d649143786af94ea44957f3e188537a7310013e5f279601ecbc4cd04e22556bf7988ae54bb332fff80828c3ddeeab0087b78

Download Submit

Analysis

Sharing