2c1df59ebd55dc370d83f9c92a4955a5663ef5a37de54a85590c4d4becb20611

Analysis

max time kernel
137s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
17-11-2023 12:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

14.6MB
MD5

ec532dfa96de08e5fe1f421be8b6ec0a
SHA1

1d92b7e97e99de60a329ea39704df120771bcc0a
SHA256

2c1df59ebd55dc370d83f9c92a4955a5663ef5a37de54a85590c4d4becb20611
SHA512

c3ae23c7b8c5db96de1adea684ac2ce02eea24479b8e1f769ffb55fd6ce36b6ccf983c83f50da3998f923e14e557a2aae840ed12d9efc8c337fd8e5e7f5d1304
SSDEEP

393216:Grb+11Q3QnZkajhqHx9L/WSzH9S0tjaOvTkJnBqNdX:S0qQekhc7b9LQqNF

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\Control Panel\International\Geo\Nation	Update.exe

Executes dropped EXE 2 IoCs

pid	Process
3780	Update.exe
1488	EclitZeroVPN.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3780	Update.exe
3780	Update.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3780	Update.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 3780	2072	Setup.exe	91
PID 2072 wrote to memory of 3780	2072	Setup.exe	91
PID 3780 wrote to memory of 1488	3780	Update.exe	92
PID 3780 wrote to memory of 1488	3780	Update.exe	92

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
  "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3780
- - C:\Users\Admin\AppData\Local\EclitZeroVPN\app-1.0.8\EclitZeroVPN.exe
    "C:\Users\Admin\AppData\Local\EclitZeroVPN\app-1.0.8\EclitZeroVPN.exe" --squirrel-firstrun
    3⤵
    - Executes dropped EXE
    PID:1488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\EclitZeroVPN\EclitZeroVPN.exe

Filesize
211KB

MD5
bda08a5d83d740cc57106e786c893932

SHA1
8eb85a841b4fde2eba7e7c42af781274c103b2b0

SHA256
7654538939e4764bf51e871af4726fe0148ce5e7b5c2e6fdbcf1bdd422e0e60d

SHA512
c8ed7ee6f78c0f636509ba30c4f1de87877b4d0fd402ff82571ddf419a51291ce962ce38695ebf886604b58da8ef5fdb709f98a51302b926b4ecd2660b7f3644

Download Submit
C:\Users\Admin\AppData\Local\EclitZeroVPN\app-1.0.8\EclitZeroVPN.exe

Filesize
15.0MB

MD5
9b028932c29cfa85cae7562ce85555da

SHA1
4c9a10b09ae3a9c0fe7c3e00d4b5b03cfeef96ed

SHA256
72c62155242ffcab3d2ac9de17f6655e4aaedd7177e0ea64c72628e5abab67bf

SHA512
8263d08667d8e4163ae09c77117a9631e4cadae28eefc3f38c86b7907c608bc6689b34b81b3659ed4a655c502ea263779539bd18530d0d3394c67af7824f8372

Download Submit
C:\Users\Admin\AppData\Local\EclitZeroVPN\app-1.0.8\EclitZeroVPN.exe

Filesize
15.0MB

MD5
9b028932c29cfa85cae7562ce85555da

SHA1
4c9a10b09ae3a9c0fe7c3e00d4b5b03cfeef96ed

SHA256
72c62155242ffcab3d2ac9de17f6655e4aaedd7177e0ea64c72628e5abab67bf

SHA512
8263d08667d8e4163ae09c77117a9631e4cadae28eefc3f38c86b7907c608bc6689b34b81b3659ed4a655c502ea263779539bd18530d0d3394c67af7824f8372

Download Submit
C:\Users\Admin\AppData\Local\EclitZeroVPN\app-1.0.8\EclitZeroVPN.exe

Filesize
15.0MB

MD5
9b028932c29cfa85cae7562ce85555da

SHA1
4c9a10b09ae3a9c0fe7c3e00d4b5b03cfeef96ed

SHA256
72c62155242ffcab3d2ac9de17f6655e4aaedd7177e0ea64c72628e5abab67bf

SHA512
8263d08667d8e4163ae09c77117a9631e4cadae28eefc3f38c86b7907c608bc6689b34b81b3659ed4a655c502ea263779539bd18530d0d3394c67af7824f8372

Download Submit
C:\Users\Admin\AppData\Local\EclitZeroVPN\app-1.0.8\EclitZeroVPN.exe.config

Filesize
972B

MD5
42ab902a0fa809e8bda75e54a984f030

SHA1
628e6954d83bc04122e8c9fac4a0c638cff5fa8f

SHA256
7bfcb21cbddc64527be364afca060764f9f86a8a6748c88565d3f4ea562892b7

SHA512
e3f18d101fecac2f51b8a0d04def2481113cec96cf26b35debe8864b4a031c0ac458e9a42cbff0c862f5eb73b54527d0fa0e0a67b8e958418250a6566d5bac53

Download Submit
C:\Users\Admin\AppData\Local\EclitZeroVPN\packages\EclitZeroVPN-1.0.8-full.nupkg

Filesize
13.8MB

MD5
3dbd91128a9ef128e557974afab1816b

SHA1
1c245d11779bdab9bf2feecce6cb8be7e99d94ac

SHA256
20da9b5a8de927565b481e0fa37474df91bdb74d224c693c8ae643072957033c

SHA512
89c1f7267881b3b48773e2904927c8f8be71a803c9d6a3c877d5adc76688887ef20969a1a0b143768c7a31c7f43d2d6b4f712d287da64b79000e5a8ea4a588cd

Download Submit
C:\Users\Admin\AppData\Local\EclitZeroVPN\packages\RELEASES

Filesize
82B

MD5
1bcfa31cbc076ceca25c0e2032d1cdd9

SHA1
61babb42e9abc519a1d0710fafdfc7611f407d8e

SHA256
2191032b528f14d485b12a1385cbcd35d9f5d53fbcfc559965f97dfdc0fd8668

SHA512
0b3d837b2bfa9cd45a3975a48f97e3a93ea5b5f120d9eda7c5eba523d811a39c868be4311f83abdba6978ad764a68c1b1f5ebd806aee016bc60597725fd4a9cd

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\EclitZeroVPN-1.0.8-full.nupkg

Filesize
13.8MB

MD5
3dbd91128a9ef128e557974afab1816b

SHA1
1c245d11779bdab9bf2feecce6cb8be7e99d94ac

SHA256
20da9b5a8de927565b481e0fa37474df91bdb74d224c693c8ae643072957033c

SHA512
89c1f7267881b3b48773e2904927c8f8be71a803c9d6a3c877d5adc76688887ef20969a1a0b143768c7a31c7f43d2d6b4f712d287da64b79000e5a8ea4a588cd

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\RELEASES

Filesize
82B

MD5
1bcfa31cbc076ceca25c0e2032d1cdd9

SHA1
61babb42e9abc519a1d0710fafdfc7611f407d8e

SHA256
2191032b528f14d485b12a1385cbcd35d9f5d53fbcfc559965f97dfdc0fd8668

SHA512
0b3d837b2bfa9cd45a3975a48f97e3a93ea5b5f120d9eda7c5eba523d811a39c868be4311f83abdba6978ad764a68c1b1f5ebd806aee016bc60597725fd4a9cd

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Filesize
1.8MB

MD5
38ce2a3dfbd888e323af1136b9165964

SHA1
d829c6f922d03103d0e915c9f36fc4e4db86de07

SHA256
d9473eaec28fe48147fad7a2b9b6d45f04156d9f80b336e7fa280b0c920527fd

SHA512
764b44d6d71f896400de1403e6611f46e356993997623dd78a8096bb01358ae8fc9d2ac15f57485b52d01e5acbce19222bac2ba9fe14a3c29255b31e92c20120

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Filesize
1.8MB

MD5
38ce2a3dfbd888e323af1136b9165964

SHA1
d829c6f922d03103d0e915c9f36fc4e4db86de07

SHA256
d9473eaec28fe48147fad7a2b9b6d45f04156d9f80b336e7fa280b0c920527fd

SHA512
764b44d6d71f896400de1403e6611f46e356993997623dd78a8096bb01358ae8fc9d2ac15f57485b52d01e5acbce19222bac2ba9fe14a3c29255b31e92c20120

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\background.gif

Filesize
83KB

MD5
f1d82923d8b371b65e15537c62349143

SHA1
06f521bc134e19d0c519309c2f66973175263ae3

SHA256
01061d6ae3e2de73d22f4fde6ce27d40a1b9f79f87c89707f2db2552f4faba82

SHA512
fc79b60393494e285dfdf043bfeb728476f8ca6117b83d72b48b0454668a9bc268b27efb77d63b31d697c758b875d2316b772fb49c129211485b8dd776fe274f

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\setupIcon.ico

Filesize
10KB

MD5
769c7f84e914f7bbc28fb081ccf96387

SHA1
a82734c89e5e6b7cb2b4e4be98a353ce5e9e0bef

SHA256
42689c2425a13e21b904e4418f6375be1786e37689a8fcde6b6ba4ba28b2dd58

SHA512
12ab3eb242eb5f3b98366c49b5143d5d82d81b981e2be4428c6b931f16f333ab9c764be745f39ddde003e314a3c3d676179b806f39fe88a60527b9fd800b21e3

Download Submit
memory/1488-92-0x00007FF8E90B0000-0x00007FF8E9B71000-memory.dmp

Filesize
10.8MB

Download
memory/1488-95-0x000001A0CF790000-0x000001A0D0686000-memory.dmp

Filesize
15.0MB

Download
memory/1488-105-0x00007FF8E90B0000-0x00007FF8E9B71000-memory.dmp

Filesize
10.8MB

Download
memory/3780-8-0x0000000000230000-0x0000000000406000-memory.dmp

Filesize
1.8MB

Download
memory/3780-70-0x0000000002620000-0x0000000002640000-memory.dmp

Filesize
128KB

Download
memory/3780-9-0x00007FF8E90B0000-0x00007FF8E9B71000-memory.dmp

Filesize
10.8MB

Download
memory/3780-10-0x000000001AFC0000-0x000000001AFD0000-memory.dmp

Filesize
64KB

Download
memory/3780-103-0x00000000214B0000-0x00000000214E8000-memory.dmp

Filesize
224KB

Download
memory/3780-104-0x000000001C9A0000-0x000000001C9AE000-memory.dmp

Filesize
56KB

Download
memory/3780-107-0x00007FF8E90B0000-0x00007FF8E9B71000-memory.dmp

Filesize
10.8MB

Download