c6101dc8921e8fa2c29cbc989d6b5222892c0b22d0a5dfb9044399b55f58f142

Analysis

max time kernel
143s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
27/01/2024, 19:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7b1aa0d5bc23aabaf2cf783e63962a74.exe
Size

1.4MB
MD5

7b1aa0d5bc23aabaf2cf783e63962a74
SHA1

0b61c20c0c0fccdf907e9cb00917333b2942d1fe
SHA256

c6101dc8921e8fa2c29cbc989d6b5222892c0b22d0a5dfb9044399b55f58f142
SHA512

1d9f1c3a8b037bc00750dbab15336ef3a61efea787ac6196e45c904d7608a7529aac307fad28a443867800284888fcf87f967d1d03c16d58d56cbc4093bf4032
SSDEEP

24576:jJpz4Yttj8MhRf0R4f5LRb7+P1uSQgiG5y2ny48f30RHFJm6dff++ee0sJZDH:jYYzHxLRb7+P/zdysy9/4FJNQuDH

Score

7^/10

persistence upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	Forextrading.exe

Executes dropped EXE 9 IoCs

pid	Process
1972	Setup_01.exe
568	Setup_00.exe
4904	LinkOpener.exe
4044	Forextrading.exe
3240	eToroSetup.exe
3712	WinZix.exe
440	WinZixAutoInstaller.exe
3480	Install.exe
3664	WinZix-2.3.0.0-setup.exe

Loads dropped DLL 4 IoCs

pid	Process
3664	WinZix-2.3.0.0-setup.exe
3664	WinZix-2.3.0.0-setup.exe
3664	WinZix-2.3.0.0-setup.exe
3664	WinZix-2.3.0.0-setup.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0009000000023222-40.dat	upx
behavioral2/memory/440-39-0x0000000000400000-0x00000000004A2000-memory.dmp	upx
behavioral2/memory/440-154-0x0000000000400000-0x00000000004A2000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	7b1aa0d5bc23aabaf2cf783e63962a74.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Setup_01.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	Setup_00.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/440-154-0x0000000000400000-0x00000000004A2000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1080	3240	WerFault.exe	100

NSIS installer 8 IoCs

installer

resource	yara_rule
behavioral2/files/0x000600000002321f-34.dat	nsis_installer_1
behavioral2/files/0x000600000002321f-34.dat	nsis_installer_2
behavioral2/files/0x000600000002321f-33.dat	nsis_installer_1
behavioral2/files/0x000600000002321f-33.dat	nsis_installer_2
behavioral2/files/0x0007000000023223-46.dat	nsis_installer_1
behavioral2/files/0x0007000000023223-46.dat	nsis_installer_2
behavioral2/files/0x0007000000023223-45.dat	nsis_installer_1
behavioral2/files/0x0007000000023223-45.dat	nsis_installer_2

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
440	WinZixAutoInstaller.exe
440	WinZixAutoInstaller.exe
3664	WinZix-2.3.0.0-setup.exe
3664	WinZix-2.3.0.0-setup.exe
3664	WinZix-2.3.0.0-setup.exe
3664	WinZix-2.3.0.0-setup.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
440	WinZixAutoInstaller.exe
440	WinZixAutoInstaller.exe
440	WinZixAutoInstaller.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
440	WinZixAutoInstaller.exe
440	WinZixAutoInstaller.exe
440	WinZixAutoInstaller.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 4340 wrote to memory of 1972	4340	7b1aa0d5bc23aabaf2cf783e63962a74.exe	87
PID 4340 wrote to memory of 1972	4340	7b1aa0d5bc23aabaf2cf783e63962a74.exe	87
PID 4340 wrote to memory of 1972	4340	7b1aa0d5bc23aabaf2cf783e63962a74.exe	87
PID 1972 wrote to memory of 568	1972	Setup_01.exe	88
PID 1972 wrote to memory of 568	1972	Setup_01.exe	88
PID 1972 wrote to memory of 568	1972	Setup_01.exe	88
PID 568 wrote to memory of 4904	568	Setup_00.exe	90
PID 568 wrote to memory of 4904	568	Setup_00.exe	90
PID 568 wrote to memory of 4904	568	Setup_00.exe	90
PID 568 wrote to memory of 4044	568	Setup_00.exe	99
PID 568 wrote to memory of 4044	568	Setup_00.exe	99
PID 568 wrote to memory of 4044	568	Setup_00.exe	99
PID 4044 wrote to memory of 3240	4044	Forextrading.exe	100
PID 4044 wrote to memory of 3240	4044	Forextrading.exe	100
PID 4044 wrote to memory of 3240	4044	Forextrading.exe	100
PID 1972 wrote to memory of 3712	1972	Setup_01.exe	101
PID 1972 wrote to memory of 3712	1972	Setup_01.exe	101
PID 1972 wrote to memory of 3712	1972	Setup_01.exe	101
PID 3712 wrote to memory of 440	3712	WinZix.exe	104
PID 3712 wrote to memory of 440	3712	WinZix.exe	104
PID 3712 wrote to memory of 440	3712	WinZix.exe	104
PID 4340 wrote to memory of 3480	4340	7b1aa0d5bc23aabaf2cf783e63962a74.exe	102
PID 4340 wrote to memory of 3480	4340	7b1aa0d5bc23aabaf2cf783e63962a74.exe	102
PID 4340 wrote to memory of 3480	4340	7b1aa0d5bc23aabaf2cf783e63962a74.exe	102
PID 440 wrote to memory of 3664	440	WinZixAutoInstaller.exe	103
PID 440 wrote to memory of 3664	440	WinZixAutoInstaller.exe	103
PID 440 wrote to memory of 3664	440	WinZixAutoInstaller.exe	103

C:\Users\Admin\AppData\Local\Temp\7b1aa0d5bc23aabaf2cf783e63962a74.exe
"C:\Users\Admin\AppData\Local\Temp\7b1aa0d5bc23aabaf2cf783e63962a74.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4340
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Setup_01.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Setup_01.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Setup_00.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Setup_00.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:568
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\LinkOpener.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\LinkOpener.exe
      4⤵
      Executes dropped EXE
      PID:4904
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Forextrading.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Forextrading.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4044
    - - C:\Users\Admin\AppData\Local\Temp\eToroSetup.exe
        
        "C:\Users\Admin\AppData\Local\Temp\eToroSetup.exe"
        5⤵
        Executes dropped EXE
        
        PID:3240
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3240 -s 1988
        6⤵
        Program crash
        
        PID:1080
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\WinZix.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\WinZix.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3712
  - - C:\Users\Admin\AppData\Local\Temp\WinZixAutoInstaller.exe
      C:\Users\Admin\AppData\Local\Temp\WinZixAutoInstaller.exe
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:440
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe
  2⤵
  - Executes dropped EXE
  PID:3480

C:\Users\Admin\AppData\Local\Temp\WinZix-2.3.0.0-setup.exe
C:\Users\Admin\AppData\Local\Temp\WinZix-2.3.0.0-setup.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3240 -ip 3240
1⤵
PID:4216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe

Filesize
128KB

MD5
ce75aa39603be93139073970f76b4078

SHA1
941ba786fa654b764a03f924b4be09a46336515f

SHA256
5f3909c7cf92e1d2dd1ce9ecc7f8a6d179993363a35acb3bac606b1bb5601919

SHA512
2e989261e0d8ad9834f697f66a555ba9ce4878ef34289d762357a6b64fd3d36b76e4d1b2cd827931c3107782a6f2b371c1f03841d7e9943959842fc206db497d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Install.exe

Filesize
257KB

MD5
3d66cc379fbae530094591d1094c634f

SHA1
f6cc59fad90105b3cd00a2660adf33cf1fc7e875

SHA256
bd0ad6a9c88405ac17227853858350435b71832cdd37766ff3a29cc89d47e8bd

SHA512
5cb44422dfd3b93511527ef227ba078728f1c5682c14a72de661c7d1877efa4db5018a5a3111c9f2b582ccdca5da64ba8c28b39272192c3b1c728e31781cb900

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Setup_01.exe

Filesize
834KB

MD5
c4e711ce6bbb07a2c5225b862ae66522

SHA1
0914e358d5227078e5c595a3f88f02d0d316fbbf

SHA256
fce552ba87d9b2bc40e07a6424e8e3fcd730b0c7fabff870a4823e181a39cc5e

SHA512
635e4f822a53ea8c87ef609bb2c147d4f34a772202bd62c3b78b2921f8e862d92cf30406f690058423047fa0dad98f101dccf9c3f3a4bba2673c5b9ac16c1a39

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\Setup_00.exe

Filesize
101KB

MD5
2ab8481ce917c377c4ddda499e5d8540

SHA1
7232f25b2fe49f91063895f02837c214c1cb8cc4

SHA256
97f56d4db9f797499ebeb58ce7b9dca4ff7a25a8e45ed790a684332c2988cd20

SHA512
fea94fabf46069778ddc9dd649d31fb8dcf5d7fb3b9b521fc1598f8c5cea372ea78fdf71af36bced9ddafa08ee3ef890e3947b03eb574bbbfbeaa11e36cd1d8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\WinZix.exe

Filesize
149KB

MD5
12b85ea92b615590973f0777e4e703b4

SHA1
58cbf7ac28c8d43d75e2875f5f5653243833285e

SHA256
bdf8b8078a8d7884bc50904d35a9fd359f6f5c87bb83e75d70be16ce0a703d43

SHA512
055a582302a884b9953ea4487097980ea53901cf692e726809628ae4b5f7a5867b8360979c7a4c85fe180283ae3cbc4cc2ea801249b72569d3933de63d96b693

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\WinZix.exe

Filesize
411KB

MD5
3c5651076fbe57cecb32c0d69e2b4ef2

SHA1
13e70ff2ffee7476628da129d2a98321627f5fef

SHA256
c4d3f726a11e8608017a368ff8520bc9512e9de0f1b100933ee594c74bded119

SHA512
25addfa20498a59cbbcd9fbe8129f73fcfe935d68326554b0c60dc6d371ad23eb5e77fffb131633bf447cc8ccbf5fbfb10055269a9b64c87cf8909cf3d0dc747

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\Forextrading.exe

Filesize
92KB

MD5
ae43c4e21eb3ce59abc11a05715b3ded

SHA1
71ff6401da206f316ac0763d458dd5035c74349b

SHA256
cfbb3ee7d20862277a2f64c4bd375769a3f94434d7440b3c70302e4ca204d451

SHA512
f45ca34601c36333b4842c592381677fa042ee7c8e40d83bce71758f3288c3e261ee83a65e3226416545a0506a0c1c3ca1058e2fbd7d082c45b1c5cdf3bc47a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\LinkOpener.exe

Filesize
45KB

MD5
303e42c1fbd98677042259236807cd18

SHA1
78b516bf7ab2ae1e15e75f7090972cb9c7204b3e

SHA256
0a340134d31661f3326a0078e56661767ad3c54b3615c0bb999849ca994f8202

SHA512
5e3a771e5475bc4f02d4abec2de6ac121a25b32ff8c8edcc5190b6870e1a906646b3c6227d9a149ef221202b9a0d72f281a965d0a7dd3a2417a13a20cae48161

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinZix-2.3.0.0-setup.exe

Filesize
128KB

MD5
4bf3ca0cf145e8e1c2c26cd9259d607e

SHA1
ce964bf8935d71dc826a6b6288e8ec20d1153785

SHA256
60eb054eeb06234070aa5d5f66fe25ffc9361f4a0f98b5e469c962eb0e737b9f

SHA512
dec335f90418dd4c28c689b18b086caf3c0b22d322e768ea8f096f7bee5762e34ca70fffa8e5c86ac5a58ea62b3dac2d204ac4672b833a02cbf783813f3dcfa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinZix-2.3.0.0-setup.exe

Filesize
65KB

MD5
5c796228a630e7c076f45f3ea0f9e23b

SHA1
ce1446857887ee24baf0d028dd7f1084c19b34b8

SHA256
9ea0f2e06f817c8edc2a9d5540a11b6c62f21f4323fcae3f23910613ba70a300

SHA512
7cae8fd7d0683083d70e7c4f8c4e9e441bc562145f1ba78518b948b76237a8b41962c60262ae2513cb8d54782907f37e776562ab82985a9f350345588539fce9

Download Submit
C:\Users\Admin\AppData\Local\Temp\WinZixAutoInstaller.exe

Filesize
256KB

MD5
2532460217a6de44db5a047b1e29c740

SHA1
5581d07c83cc84eb2041b614e1c515e40f92c1d0

SHA256
fae90bed04532413385c47ffa397be1a24e788083832b0a39559f25d0a37ed1c

SHA512
48b4ce246e9639af8640f4ab929bca3f100d53da910fa5ef20f472912527d2103aab93b5b0e9e1a75f53248ea1e3b0b82696f6ffc08f1aa83f02546b48b27c1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\eToroSetup.exe

Filesize
72KB

MD5
5189c15387de17b627765ac3d8c9f34b

SHA1
e90de0b2158b02ef345b8bc3904a6eca1ee4a520

SHA256
a3d51693013624959c979dd4bcb6f7b84b0767294ac74463361eb47f39e125ac

SHA512
76138e0493f533f5654445a3999721935ad22613319f03b06146af609e987ba75839e663588878fcaa516e60915ff3677cdb1d8587655bcb287caff17f1a2ebd

Download Submit
C:\Users\Admin\AppData\Local\Temp\etoro.EXE

Filesize
100KB

MD5
c820b5703a28fc3b7dbaa4c8dcbb4632

SHA1
82169ff36459acbe71c56e1e7221cedcb769f4ad

SHA256
f9090b01e2cacf5b787fc236f71d36b38c40eb96602791c5321eb69b8535646f

SHA512
16f0bd8efa8852fbe2134b0987ff847ac25da1dd7469148c56a2dd2e2e630da05d50f48862d4d18a8351e06366f3295f833034efc6553cbee384b3ccc361751c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgBC6C.tmp\InstallOptions.dll

Filesize
1KB

MD5
3bc226d3b9433690c317c0c32e16a140

SHA1
8008c281fbc05d4e12840c440f31cde115998d80

SHA256
60f6ba540ea2972b6756e034006a9799b1626d9fa92f10f72f53fc4114428965

SHA512
0915202208d6ed95cd3df7bbd4faf353b134bac332e10924013099f421f20b3aa4b4fd4b4659248b2060b87fbe9999571ec66909907bdc6afad15e5d259c0d08

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgBC6C.tmp\inetc2.dll

Filesize
23KB

MD5
7287863b419394c0c5ddc7899483589b

SHA1
70ab151623fad474aaf1d78046763ebb8e4ba7b2

SHA256
acd670369bc9a92c1a3307604d37d76375b94100438881dfa8d62529595b4f47

SHA512
45d49cba0583a0f9f0b64aa2fe13c33314dd9fde60c01eea813928b0ac8ca1dad93d8d7f2ca5bc1334f27d5961160b7db81d509dae72a3a2f20c78cbdc6705ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgBC6C.tmp\ioSpecial.ini

Filesize
680B

MD5
467f63c27547c53a755d69e6b982cb0f

SHA1
a4cb725831da13c6be98d80d7663c395dbac85ad

SHA256
86769186a4ce691632e736fa5f58d081d2035d19aec13e56f319fbde471226d9

SHA512
690ef74853f655268c47de04445b6525dad2e0af160a8e0ff8743420eea95201da1cde6fa16ba807ea0b49f09ce2a017e2c3dd57a1f6f60a9e33271d653d4355

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgBC6C.tmp\nsProcess.dll

Filesize
4KB

MD5
14f98427ef8b8a08816bd82d4ef8d8fc

SHA1
f792d3fdb4beb85332f71f9efacc8d923d2f021b

SHA256
5c115f600421043aea4896b278f4292e15fc03e2bae320525b8af75dec6215c0

SHA512
c67e364c95ee28b8ee8924343b7a1b99350019e988e80dfd4469284b6db472d6cf3b4a2f1e1cc40c10276fc97dbe4e326aca72f783b9cb76159ccf5453aa5445

Download Submit
memory/440-39-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/440-154-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download