a1341bb371ef7a98f3185d2525471c10c598ef0a1a4634da248f8c1320da199b

Analysis

max time kernel
85s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
19-11-2023 02:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

winbin.exe
Size

10.4MB
MD5

268aa1421775fe7f6e40ac91425f20e2
SHA1

0137a4aec5c3917736cba9da6f0e7813ae6a4fd4
SHA256

dbbe5b77d489f07ea45f6144dceb48762e40f371b03ded94ce5b3ae3f6b14aed
SHA512

c969fe63da4b4a196af8536bc3461b89e7170b6d19ac8b9f6a4c28627c37ecc77624cdea008fe0d9a35673dffcc3e26fe4cdf78aaec7daaa298f07dea16a0094
SSDEEP

196608:nKVGZbn0FBOStqOPoo+/7KpBSgQdPLiY8L0jzw7Z0yG4hTcsoSoP2jvWLSlAHOeX:nUGJ0F45zLjKKVJLionG0yG4hTcsjoyQ

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

winbin.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation winbin.exe
Executes dropped EXE 4 IoCs

Processes:

UninstallTool.exeucrt_x64.exeut_x64.exeinstaller.exe

pid process

1416 UninstallTool.exe
2964 ucrt_x64.exe
3248 ut_x64.exe
5048 installer.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation	winbin.exe

pid	process
1416	UninstallTool.exe
2964	ucrt_x64.exe
3248	ut_x64.exe
5048	installer.exe

Loads dropped DLL 9 IoCs

Processes:

installer.exe

pid	process
5048	installer.exe
5048	installer.exe
5048	installer.exe
5048	installer.exe
5048	installer.exe
5048	installer.exe
5048	installer.exe
5048	installer.exe
5048	installer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

installer.exe

pid process

5048 installer.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

winbin.exeUninstallTool.exe

description	pid	process	target process
PID 380 wrote to memory of 1416	380	winbin.exe	UninstallTool.exe
PID 380 wrote to memory of 1416	380	winbin.exe	UninstallTool.exe
PID 380 wrote to memory of 1416	380	winbin.exe	UninstallTool.exe
PID 1416 wrote to memory of 2964	1416	UninstallTool.exe	ucrt_x64.exe
PID 1416 wrote to memory of 2964	1416	UninstallTool.exe	ucrt_x64.exe
PID 1416 wrote to memory of 2964	1416	UninstallTool.exe	ucrt_x64.exe
PID 1416 wrote to memory of 3248	1416	UninstallTool.exe	ut_x64.exe
PID 1416 wrote to memory of 3248	1416	UninstallTool.exe	ut_x64.exe
PID 1416 wrote to memory of 3248	1416	UninstallTool.exe	ut_x64.exe
PID 1416 wrote to memory of 5048	1416	UninstallTool.exe	installer.exe
PID 1416 wrote to memory of 5048	1416	UninstallTool.exe	installer.exe

C:\Users\Admin\AppData\Local\Temp\winbin.exe
"C:\Users\Admin\AppData\Local\Temp\winbin.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:380

C:\Users\Admin\AppData\Local\Temp\RarSFX0\UninstallTool.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\UninstallTool.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1416

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ucrt_x64.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\UninstallTool.exe"
3⤵
- Executes dropped EXE
PID:2964

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ut_x64.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\UninstallTool.exe"
3⤵
- Executes dropped EXE
PID:3248

C:\Users\Admin\AppData\Local\Temp\RarSFX0\installer.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\UninstallTool.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:5048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\MSVCP140.dll
Filesize
620KB

MD5
ab15feb56d735f4589217d02464b1a06

SHA1
1362b65006aad34031e51ab005ea54b7337c734a

SHA256
76c9060fd749d837c92b716a91a190b038f2c03e46da124a36f88075361a9be5

SHA512
031a85e5f6973d473641cb84668a3923682b9ab92958a23b3a68f2fb2ccfc79ae0982c7cdef1a28bdfad486c0b411c9eee40188cec6724099e68fa3a2a2543bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\UninstallTool.exe
Filesize
406KB

MD5
224a57d46b68de6085d90606a99caa06

SHA1
365844370a9e46e5012d5733df15ad8a3e37229f

SHA256
978a682522203387672c2898c68edd22c3ca4a8358957c7557ca76792cd85355

SHA512
c3881a9c794ce1978e1141171583277db1356f70c763d6e3ae8a31717d7d15c60304200cebf7970953f05e3af3e5464dc0dbc2fe65d6c1d74469dabdcdad3d33

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\UninstallTool.exe
Filesize
406KB

MD5
224a57d46b68de6085d90606a99caa06

SHA1
365844370a9e46e5012d5733df15ad8a3e37229f

SHA256
978a682522203387672c2898c68edd22c3ca4a8358957c7557ca76792cd85355

SHA512
c3881a9c794ce1978e1141171583277db1356f70c763d6e3ae8a31717d7d15c60304200cebf7970953f05e3af3e5464dc0dbc2fe65d6c1d74469dabdcdad3d33

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\UninstallTool.exe
Filesize
406KB

MD5
224a57d46b68de6085d90606a99caa06

SHA1
365844370a9e46e5012d5733df15ad8a3e37229f

SHA256
978a682522203387672c2898c68edd22c3ca4a8358957c7557ca76792cd85355

SHA512
c3881a9c794ce1978e1141171583277db1356f70c763d6e3ae8a31717d7d15c60304200cebf7970953f05e3af3e5464dc0dbc2fe65d6c1d74469dabdcdad3d33

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCRUNTIME140.dll
Filesize
86KB

MD5
6c2c88ff1b3da84b44d23a253a06c01b

SHA1
488c95acda13dce2f099774ee506e47869e9284e

SHA256
acf65e565021f2017815fc5ec8a3145cf6c15e75c132cf23a378cc943e68327c

SHA512
e104d5d69327abc510e0ef38aae2427a87ed0f76dd5bacb20080f40dd98c9048504ec20baabc5ecf69759e3ff485d4f2bb591b6c9e391271dd11e2dcc05933f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\additional.dll
Filesize
835KB

MD5
11aa730d5b2e7485414ddaacd1a23974

SHA1
e73377d5150584b4af8106c1ad8a7382233bbb1a

SHA256
310a56fcfab6f7c27260aa27e8a8e3eab71ed33c6ca8a6525fd1d965f96cf9f3

SHA512
82060997c52e0ce9ba7056c62417cc9b53bfb95cea5a2e2b8f568af4d3c0849a17a3b1a374539a3cb0c5703241b148ac035c100000294fe852fab80b1616f76a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\additional.dll
Filesize
835KB

MD5
11aa730d5b2e7485414ddaacd1a23974

SHA1
e73377d5150584b4af8106c1ad8a7382233bbb1a

SHA256
310a56fcfab6f7c27260aa27e8a8e3eab71ed33c6ca8a6525fd1d965f96cf9f3

SHA512
82060997c52e0ce9ba7056c62417cc9b53bfb95cea5a2e2b8f568af4d3c0849a17a3b1a374539a3cb0c5703241b148ac035c100000294fe852fab80b1616f76a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\installer.exe
Filesize
753KB

MD5
943675fd33f8e796b88514c2769574ac

SHA1
e8b29d98890a68884789f75d6f2fd429d0ca5fcd

SHA256
bcdc1668ceac219763e52a9d134e3fc2e4174921566061ddef6992030164ca77

SHA512
83209dabc1e006bfc26520df6083adbf1341d67c66d73e4b1521f5bf705883bcbae99dedf1347c999640a195c97eddcb37a9d2bd178e78df4aa02142e433616c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\installer.exe
Filesize
753KB

MD5
943675fd33f8e796b88514c2769574ac

SHA1
e8b29d98890a68884789f75d6f2fd429d0ca5fcd

SHA256
bcdc1668ceac219763e52a9d134e3fc2e4174921566061ddef6992030164ca77

SHA512
83209dabc1e006bfc26520df6083adbf1341d67c66d73e4b1521f5bf705883bcbae99dedf1347c999640a195c97eddcb37a9d2bd178e78df4aa02142e433616c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\lang\en-US.dll
Filesize
22KB

MD5
f04cc34568208408ceb33964f2562409

SHA1
916d7ffaf51ab8841f862ae4fea5875ed7d58dd9

SHA256
0497734035f806009779ed3c86985d57aec9707c9d4270c891cc0598799f1c3c

SHA512
f7693def91848cc2c9bef8b6d1eeee911422208d77aea93df6eb4a66835575c8b78dc2fb1c7f9ff1ab03c2b9e29a2675ed369f250fa666942b2a60ca7ffb9bde

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\lang\en-us.dll
Filesize
22KB

MD5
f04cc34568208408ceb33964f2562409

SHA1
916d7ffaf51ab8841f862ae4fea5875ed7d58dd9

SHA256
0497734035f806009779ed3c86985d57aec9707c9d4270c891cc0598799f1c3c

SHA512
f7693def91848cc2c9bef8b6d1eeee911422208d77aea93df6eb4a66835575c8b78dc2fb1c7f9ff1ab03c2b9e29a2675ed369f250fa666942b2a60ca7ffb9bde

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\lang\en-us.dll
Filesize
22KB

MD5
f04cc34568208408ceb33964f2562409

SHA1
916d7ffaf51ab8841f862ae4fea5875ed7d58dd9

SHA256
0497734035f806009779ed3c86985d57aec9707c9d4270c891cc0598799f1c3c

SHA512
f7693def91848cc2c9bef8b6d1eeee911422208d77aea93df6eb4a66835575c8b78dc2fb1c7f9ff1ab03c2b9e29a2675ed369f250fa666942b2a60ca7ffb9bde

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\lang\ltr\resources.dll
Filesize
518KB

MD5
5aaa0aa6d47d5eb28c666deb9155bb1a

SHA1
c9cc9ad3dbb5f04d434280c7edb0a583eabc352c

SHA256
e8ddf9e853eee3c53ac75183694da7edb6c853906bda5332361393ecc5028028

SHA512
12981885538e6e40f8d3db5f8dac1e1ebd3a636bdc0a5e919f99c81e0ae59dc035a484210eff2fb35351251d9ccbee48ea828cb53c0f11a89cb10cfb52f3f8b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\lang\ltr\resources.dll
Filesize
518KB

MD5
5aaa0aa6d47d5eb28c666deb9155bb1a

SHA1
c9cc9ad3dbb5f04d434280c7edb0a583eabc352c

SHA256
e8ddf9e853eee3c53ac75183694da7edb6c853906bda5332361393ecc5028028

SHA512
12981885538e6e40f8d3db5f8dac1e1ebd3a636bdc0a5e919f99c81e0ae59dc035a484210eff2fb35351251d9ccbee48ea828cb53c0f11a89cb10cfb52f3f8b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\lang\ltr\resources.dll
Filesize
518KB

MD5
5aaa0aa6d47d5eb28c666deb9155bb1a

SHA1
c9cc9ad3dbb5f04d434280c7edb0a583eabc352c

SHA256
e8ddf9e853eee3c53ac75183694da7edb6c853906bda5332361393ecc5028028

SHA512
12981885538e6e40f8d3db5f8dac1e1ebd3a636bdc0a5e919f99c81e0ae59dc035a484210eff2fb35351251d9ccbee48ea828cb53c0f11a89cb10cfb52f3f8b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msvcp140.dll
Filesize
620KB

MD5
ab15feb56d735f4589217d02464b1a06

SHA1
1362b65006aad34031e51ab005ea54b7337c734a

SHA256
76c9060fd749d837c92b716a91a190b038f2c03e46da124a36f88075361a9be5

SHA512
031a85e5f6973d473641cb84668a3923682b9ab92958a23b3a68f2fb2ccfc79ae0982c7cdef1a28bdfad486c0b411c9eee40188cec6724099e68fa3a2a2543bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\sciter.dll
Filesize
5.6MB

MD5
c6604878baf6e4a7e9a09f0730f0f318

SHA1
a0d3e7b506452a5d21ef605ac83bef67fc219d05

SHA256
842e6aaccbfcd47138810a154f03a0d3162d75cacddf687cf2800a0f9b36a4cb

SHA512
f3f8cd6e459bb27831a2047640d6baf32f2798cf172fa8c40eb9d8efd6832f19d02c7eacee84f4b5c20959ba0b02b2792b3a4790e5004249b243f9d2dbed8a47

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\sciter.dll
Filesize
5.6MB

MD5
c6604878baf6e4a7e9a09f0730f0f318

SHA1
a0d3e7b506452a5d21ef605ac83bef67fc219d05

SHA256
842e6aaccbfcd47138810a154f03a0d3162d75cacddf687cf2800a0f9b36a4cb

SHA512
f3f8cd6e459bb27831a2047640d6baf32f2798cf172fa8c40eb9d8efd6832f19d02c7eacee84f4b5c20959ba0b02b2792b3a4790e5004249b243f9d2dbed8a47

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ucrt_x64.exe
Filesize
1.9MB

MD5
c4a5cd8e63908265629abcda6383c857

SHA1
83455cd7ae2bf86e204f18ea355bb0002d0fdfde

SHA256
b7d6108d5ba04a880d331ac9cecb8168355df694471948218ab4df6a7ab0b828

SHA512
d636834c1b0726816ec16735e2801e86550109d954528d2723996ee77f2363658e63d10e9321dd90727484201a198f4b98e0fffd85f717e626f67e39e4b1b484

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ucrt_x64.exe
Filesize
1.9MB

MD5
c4a5cd8e63908265629abcda6383c857

SHA1
83455cd7ae2bf86e204f18ea355bb0002d0fdfde

SHA256
b7d6108d5ba04a880d331ac9cecb8168355df694471948218ab4df6a7ab0b828

SHA512
d636834c1b0726816ec16735e2801e86550109d954528d2723996ee77f2363658e63d10e9321dd90727484201a198f4b98e0fffd85f717e626f67e39e4b1b484

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ut_x64.exe
Filesize
4.0MB

MD5
8e7c2d3e33faf415624d46b023961807

SHA1
07aebaebbd726c3fa57f51aca4d0d861858803b8

SHA256
ad334a767990e8731e4084bf23cf040641d6c3fa34b2980f6c95a2af335efe4a

SHA512
ee70dcc5434818b3ab53dd07f27872a8d2ebe462d55fd84769c4a85e2b01f8eee5f4a0a779a27a25e03f0cde79062fb8832631ba485a649d7945540cc4fb5c67

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ut_x64.exe
Filesize
4.0MB

MD5
8e7c2d3e33faf415624d46b023961807

SHA1
07aebaebbd726c3fa57f51aca4d0d861858803b8

SHA256
ad334a767990e8731e4084bf23cf040641d6c3fa34b2980f6c95a2af335efe4a

SHA512
ee70dcc5434818b3ab53dd07f27872a8d2ebe462d55fd84769c4a85e2b01f8eee5f4a0a779a27a25e03f0cde79062fb8832631ba485a649d7945540cc4fb5c67

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\vcruntime140.dll
Filesize
86KB

MD5
6c2c88ff1b3da84b44d23a253a06c01b

SHA1
488c95acda13dce2f099774ee506e47869e9284e

SHA256
acf65e565021f2017815fc5ec8a3145cf6c15e75c132cf23a378cc943e68327c

SHA512
e104d5d69327abc510e0ef38aae2427a87ed0f76dd5bacb20080f40dd98c9048504ec20baabc5ecf69759e3ff485d4f2bb591b6c9e391271dd11e2dcc05933f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\vcruntime140.dll
Filesize
86KB

MD5
6c2c88ff1b3da84b44d23a253a06c01b

SHA1
488c95acda13dce2f099774ee506e47869e9284e

SHA256
acf65e565021f2017815fc5ec8a3145cf6c15e75c132cf23a378cc943e68327c

SHA512
e104d5d69327abc510e0ef38aae2427a87ed0f76dd5bacb20080f40dd98c9048504ec20baabc5ecf69759e3ff485d4f2bb591b6c9e391271dd11e2dcc05933f2

Download Submit