6ca21fa08dc9ddd9de16490e29bbeb3e1283a15c5e2e0b13e0a7db430dcad478

Analysis

max time kernel
145s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
31/12/2023, 05:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup_00.exe
Size

121KB
MD5

35765acf294fb5f8294e41b78975b5fa
SHA1

6f0892ab9e7900f0838fe429b6d7077debfc1990
SHA256

782dac7005ea26f34f175c7d6230801ff18d4d786713febfb5e6eb128bfa2cf6
SHA512

5bd885b6a1b5770b5519b3d58f6c6d55da1b873ddc4946da705238fc3f4891dd9f77a86c7b0aba25908e1592b4c4c8c1854e0a6d5710b70309ab8e44580b83ea
SSDEEP

3072:MGu9BlfzWIbXWm+w0Jp5ilmb9NN0xF+LBQCdZu9i:M/0uotbnN0iL1X

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	FOREXT~1.EXE

Executes dropped EXE 3 IoCs

pid	Process
2256	LC.exe
532	FOREXT~1.EXE
4084	eToroSetup.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	Setup_00.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4880	2256	WerFault.exe	91
4356	4084	WerFault.exe	99

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 2256	2224	Setup_00.exe	91
PID 2224 wrote to memory of 2256	2224	Setup_00.exe	91
PID 2224 wrote to memory of 2256	2224	Setup_00.exe	91
PID 2224 wrote to memory of 532	2224	Setup_00.exe	96
PID 2224 wrote to memory of 532	2224	Setup_00.exe	96
PID 2224 wrote to memory of 532	2224	Setup_00.exe	96
PID 532 wrote to memory of 4084	532	FOREXT~1.EXE	99
PID 532 wrote to memory of 4084	532	FOREXT~1.EXE	99
PID 532 wrote to memory of 4084	532	FOREXT~1.EXE	99

C:\Users\Admin\AppData\Local\Temp\Setup_00.exe
"C:\Users\Admin\AppData\Local\Temp\Setup_00.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LC.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LC.exe
  2⤵
  - Executes dropped EXE
  PID:2256
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 472
    3⤵
    - Program crash
    PID:4880
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FOREXT~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FOREXT~1.EXE
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:532
- - C:\Users\Admin\AppData\Local\Temp\eToroSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\eToroSetup.exe"
    3⤵
    - Executes dropped EXE
    PID:4084
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 1992
      4⤵
      Program crash
      PID:4356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2256 -ip 2256
1⤵
PID:3416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4084 -ip 4084
1⤵
PID:5000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\FOREXT~1.EXE

Filesize
92KB

MD5
ae43c4e21eb3ce59abc11a05715b3ded

SHA1
71ff6401da206f316ac0763d458dd5035c74349b

SHA256
cfbb3ee7d20862277a2f64c4bd375769a3f94434d7440b3c70302e4ca204d451

SHA512
f45ca34601c36333b4842c592381677fa042ee7c8e40d83bce71758f3288c3e261ee83a65e3226416545a0506a0c1c3ca1058e2fbd7d082c45b1c5cdf3bc47a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\LC.exe

Filesize
45KB

MD5
161f4d2404a6f41c0b354f912ad3fe9a

SHA1
e41e0bdc42a16573cac28f472cec710b5a0c351b

SHA256
24da3e109cafea575974f34f165dc077dd9f445dd1838933e62993942ae50d61

SHA512
689cbc85a976605c356f0a3f61443755648875c60e2e1375a335cbb4afdd39d6fb6a0ec7dcd659a92ab29cc32a0ceb7c17d70fec5de26d7fc86726501b28d68e

Download Submit
C:\Users\Admin\AppData\Local\Temp\eToroSetup.exe

Filesize
72KB

MD5
5189c15387de17b627765ac3d8c9f34b

SHA1
e90de0b2158b02ef345b8bc3904a6eca1ee4a520

SHA256
a3d51693013624959c979dd4bcb6f7b84b0767294ac74463361eb47f39e125ac

SHA512
76138e0493f533f5654445a3999721935ad22613319f03b06146af609e987ba75839e663588878fcaa516e60915ff3677cdb1d8587655bcb287caff17f1a2ebd

Download Submit
C:\Users\Admin\AppData\Local\Temp\etoro.EXE

Filesize
177KB

MD5
0fec1c505325630c0a2b90c3102e6bc0

SHA1
2422a6acd3233825028b39583fa42db6549c6b0e

SHA256
68ecdddb0d786bc0a00db3da8c6fa7eb997183f8f945fb660fce0192f8e20d06

SHA512
3b31729f0ff5e9aa35a1461ab08a3023d903998b014dbf211ce05100e5c23666e5b607882bee47f2fa168fc05b06999584e496158237ec437a3b2bb60f1db322

Download Submit
memory/2256-7-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2256-8-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads