243ebcabe490740d6a757ab65397509ecfb639337afdffcf8b5a44d88efa0633

General

Target

windowsinstaller.exe
Size

13.1MB
MD5

8608a5b84a36e7682bf779bcd0f61a8d
SHA1

828665caa819e34815910efe2f81d6f74ae577c2
SHA256

243ebcabe490740d6a757ab65397509ecfb639337afdffcf8b5a44d88efa0633
SHA512

a4c4b96afec88a04fd58b1273b2780e0f47c406cc0ca3781ae6e2dff1f5f60c1186b679ecf7431f480e5dab59e31ee7075cecacaa32ffc67a73f604128600d5a
SSDEEP

393216:kuFxqNc1fBCzbaxAfXvIUvn4/76kLZ98FFb8iA2Nx+3y09s9:vt1cb/IUvn4ek8FFbTNxuLs9

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000\Control Panel\International\Geo\Nation	windowsinstaller.exe

Executes dropped EXE 2 IoCs

pid	Process
4400	windowsinstaller.exe
2824	BootHelper.exe

Loads dropped DLL 2 IoCs

pid	Process
4400	windowsinstaller.exe
4400	windowsinstaller.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3528 wrote to memory of 4400	3528	windowsinstaller.exe	84
PID 3528 wrote to memory of 4400	3528	windowsinstaller.exe	84
PID 3528 wrote to memory of 4400	3528	windowsinstaller.exe	84
PID 4400 wrote to memory of 2824	4400	windowsinstaller.exe	90
PID 4400 wrote to memory of 2824	4400	windowsinstaller.exe	90
PID 4400 wrote to memory of 2824	4400	windowsinstaller.exe	90

C:\Users\Admin\AppData\Local\Temp\windowsinstaller.exe
"C:\Users\Admin\AppData\Local\Temp\windowsinstaller.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3528
- C:\Users\Admin\AppData\Local\Temp\eset\bts.session\5f56e913-cf88-4912-b16e-84576b44cf63\windowsinstaller.exe
  "C:\Users\Admin\AppData\Local\Temp\eset\bts.session\5f56e913-cf88-4912-b16e-84576b44cf63\windowsinstaller.exe" --bts-container 3528 "C:\Users\Admin\AppData\Local\Temp\windowsinstaller.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4400
- - C:\Users\Admin\AppData\Local\Temp\eset\bts.session\5f56e913-cf88-4912-b16e-84576b44cf63\BootHelper.exe
    BootHelper.exe --watchdog 4400 --product "ESET Package Installer" 4.2.4.0 1033
    3⤵
    - Executes dropped EXE
    PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\eset\bts.session\5f56e913-cf88-4912-b16e-84576b44cf63\BootHelper.exe

Filesize
499KB

MD5
154228a89dc475849b5917671986a3f5

SHA1
6ecdfebba25ab5ece5061e96d29c8f9b2ca99f96

SHA256
a3fba54f4b747e556f158c06bf061be352afa0a91404ad652508c97da5ea5e71

SHA512
9a85a2537d5a2e1cfd3d6465c1ef3c38b599497c6895705deec04615c3274688d9731020a19ec5dadd2cfcda27c3c1e25e7ee4e6da30eb2a5cc7fbed674717a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\5f56e913-cf88-4912-b16e-84576b44cf63\plgInstaller.dll

Filesize
2.7MB

MD5
f679ddae2fcee99c46eebe7fbf82b566

SHA1
ecaec0f67ff36a66f939792251674c82a8973941

SHA256
183247390cf5dca2f0149135e5f20e032c846938fbb08bc6f6a66dfc1c365e92

SHA512
18f6f82053de5ff3f76432544b8f34b8432f3d470dcf9911027fd385d805f984885ac780f390827f07195420ee5dfbe8a7d717d36ebbfd36129cd0101474dc33

Download Submit
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\5f56e913-cf88-4912-b16e-84576b44cf63\plgInstaller.dll

Filesize
2.7MB

MD5
f679ddae2fcee99c46eebe7fbf82b566

SHA1
ecaec0f67ff36a66f939792251674c82a8973941

SHA256
183247390cf5dca2f0149135e5f20e032c846938fbb08bc6f6a66dfc1c365e92

SHA512
18f6f82053de5ff3f76432544b8f34b8432f3d470dcf9911027fd385d805f984885ac780f390827f07195420ee5dfbe8a7d717d36ebbfd36129cd0101474dc33

Download Submit
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\5f56e913-cf88-4912-b16e-84576b44cf63\sciter-x.dll

Filesize
3.1MB

MD5
905a20ee7f54da39948d1ee09af5512a

SHA1
483331b5012aa1b71698f4e215a0dd2c275fb25a

SHA256
c2be60788d8cdf9e401fd034d5798b9ca355c6c6d16e3fd6b0a2f1fcf7c5a554

SHA512
6326a23726602c966500d27fed5e8986201cb88cc354a64bdea002747714a92ac071475356ba39130aa02ecfdc4098d1d8245c83618be2bc08899a2e0456a306

Download Submit
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\5f56e913-cf88-4912-b16e-84576b44cf63\sciter-x.dll

Filesize
3.1MB

MD5
905a20ee7f54da39948d1ee09af5512a

SHA1
483331b5012aa1b71698f4e215a0dd2c275fb25a

SHA256
c2be60788d8cdf9e401fd034d5798b9ca355c6c6d16e3fd6b0a2f1fcf7c5a554

SHA512
6326a23726602c966500d27fed5e8986201cb88cc354a64bdea002747714a92ac071475356ba39130aa02ecfdc4098d1d8245c83618be2bc08899a2e0456a306

Download Submit
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\5f56e913-cf88-4912-b16e-84576b44cf63\windowsinstaller.exe

Filesize
2.1MB

MD5
d308d19ac043585171f650e987510477

SHA1
a11cb94b96d742c21c8227118d42d29737fa6106

SHA256
02c58c3fb9533738c2c68d838f3c7991f9f9fccd773943ee750f1f2fd3b26fdd

SHA512
39c7a0fb917001539f1d82cd519b2ada8c24b0c806b046bb253aed341c0e36f0a484d78c33f81041feab940b1988505897314f99d0974959a68a01d6cf6a477b

Download Submit
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\5f56e913-cf88-4912-b16e-84576b44cf63\windowsinstaller.exe

Filesize
2.1MB

MD5
d308d19ac043585171f650e987510477

SHA1
a11cb94b96d742c21c8227118d42d29737fa6106

SHA256
02c58c3fb9533738c2c68d838f3c7991f9f9fccd773943ee750f1f2fd3b26fdd

SHA512
39c7a0fb917001539f1d82cd519b2ada8c24b0c806b046bb253aed341c0e36f0a484d78c33f81041feab940b1988505897314f99d0974959a68a01d6cf6a477b

Download Submit
C:\Users\Admin\AppData\Local\Temp\eset\bts.session\5f56e913-cf88-4912-b16e-84576b44cf63\windowsinstaller.exe

Filesize
2.1MB

MD5
d308d19ac043585171f650e987510477

SHA1
a11cb94b96d742c21c8227118d42d29737fa6106

SHA256
02c58c3fb9533738c2c68d838f3c7991f9f9fccd773943ee750f1f2fd3b26fdd

SHA512
39c7a0fb917001539f1d82cd519b2ada8c24b0c806b046bb253aed341c0e36f0a484d78c33f81041feab940b1988505897314f99d0974959a68a01d6cf6a477b

Download Submit

Analysis

Sharing