80db8be3a65030d614e9b01c1bab3e568bfdef5c367e51b0292a7d57338cbf4c

Analysis

max time kernel
134s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18/01/2024, 11:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6544eb01ffa6fdac7678a21893d5b672.exe
Size

1.9MB
MD5

6544eb01ffa6fdac7678a21893d5b672
SHA1

b1557bff478b9961c390c0c38abf54b8236fb237
SHA256

80db8be3a65030d614e9b01c1bab3e568bfdef5c367e51b0292a7d57338cbf4c
SHA512

3bc8db13c30787dc55ae7625c5406ff464eb3c6b637ca120b49e6d21eca2cfd832f7fd62932edd4676e77ea18f74e4e9065172c915d74e06c50c142689af3c84
SSDEEP

49152:/YdNpL8fTRc/qadSqx5OiXLDZaYZYKm8981BqeFRX:KLD/qadSqx3LNRbmgyTX

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation	6544eb01ffa6fdac7678a21893d5b672.exe

Executes dropped EXE 2 IoCs

pid	Process
4512	ALUpProduct.exe
920	eausvc.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\ESTsoft\ALUpdate\eausvc.exe	6544eb01ffa6fdac7678a21893d5b672.exe
File created	C:\Program Files\ESTsoft\ALUpdate\ALUpProduct.exe	6544eb01ffa6fdac7678a21893d5b672.exe
File opened for modification	C:\Program Files\ESTsoft\ALUpdate\ALUpProduct.exe	6544eb01ffa6fdac7678a21893d5b672.exe
File created	C:\Program Files\ESTsoft\ALUpdate\eausvc.exe	6544eb01ffa6fdac7678a21893d5b672.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4424 wrote to memory of 4512	4424	6544eb01ffa6fdac7678a21893d5b672.exe	91
PID 4424 wrote to memory of 4512	4424	6544eb01ffa6fdac7678a21893d5b672.exe	91
PID 4512 wrote to memory of 920	4512	ALUpProduct.exe	93
PID 4512 wrote to memory of 920	4512	ALUpProduct.exe	93

C:\Users\Admin\AppData\Local\Temp\6544eb01ffa6fdac7678a21893d5b672.exe
"C:\Users\Admin\AppData\Local\Temp\6544eb01ffa6fdac7678a21893d5b672.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4424
- C:\Program Files\ESTsoft\ALUpdate\ALUpProduct.exe
  "C:\Program Files\ESTsoft\ALUpdate\ALUpProduct.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4512
- - C:\Program Files\ESTsoft\ALUpdate\eausvc.exe
    eausvc.exe
    3⤵
    - Executes dropped EXE
    PID:920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\ESTsoft\ALUpdate\ALUpProduct.exe

Filesize
1.9MB

MD5
f19fdc7371eedbfe64a7c4609bb3b522

SHA1
b91b88d109c6e0ddd976094de7bbf5dcf030892e

SHA256
695d4bf95c830fd5b385a663ae4390f37d2df923eddff8e754c4a2f96817812f

SHA512
c84943ac2504310d9ea5d2d35c89e2cb1b27fc1d77d8e8d625ca09423d692c6644d80c743fe706592d9bff8371154139cf59517da80eb7a8ee92cc406c58887f

Download Submit
C:\Program Files\ESTsoft\ALUpdate\eausvc.exe

Filesize
3.0MB

MD5
3671a0f937e4655ea864f1b533279837

SHA1
2e314a0b0bce66bfa29f2a24022b406e419e2226

SHA256
51b6b98ba33a6033e1d8d52602a6fe430cea04bba0168cd20e262aa39359157f

SHA512
99cdf34eb214005c23e30dc5efac920de5e9b558d6649d246e6f9f4e18ddb39268cafb0a1e0f8c830fb4e17f8397ee77cc1a5282436d6d1f01ba48b368bc8a82

Download Submit
memory/920-22-0x00007FF67A230000-0x00007FF67A3A7000-memory.dmp

Filesize
1.5MB

Download
memory/4424-0-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/4512-17-0x0000000000400000-0x0000000000512000-memory.dmp

Filesize
1.1MB

Download