2c56cc6fab26984a12f794ed5a8c9de6122c3b1a92bb7e00d763c78caf58d169

General

Target

tmp.exe
Size

26.2MB
MD5

421d6a237c728a82dd2ba79f1e0c3cc0
SHA1

7a0e2e2afdaf2dbca48827ae660ca65bfdbe5141
SHA256

2c56cc6fab26984a12f794ed5a8c9de6122c3b1a92bb7e00d763c78caf58d169
SHA512

b5efbcc35acde2e1380e9e614e1d5e933c3b10a3f586b39ec7dcdd10571ee64b16b7303d13e1938d5b6e1573d65b81b80ad2ecea30b669701a2e6c04fbc92332
SSDEEP

786432:OMA/NUxnkvZbfocYDotqxE80Z5eQfjI7y4gpgN/i65e9:Ciubo7dxE8icQb+yw49

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ECPrivacyStatementEn.rtf	EasyConnectInstallerRaw.exe
File created	C:\Windows\SysWOW64\ECPrivacyStatementCn.rtf	EasyConnectInstallerRaw.exe
File created	C:\Windows\SysWOW64\SangforInstallHelper.dll	EasyConnectInstallerRaw.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Sangfor\SSL\ClientComponent\install.log	EasyConnectInstallerRaw.exe

Executes dropped EXE 1 IoCs

pid	Process
2740	EasyConnectInstallerRaw.exe

Loads dropped DLL 7 IoCs

pid	Process
2240	tmp.exe
2740	EasyConnectInstallerRaw.exe
2740	EasyConnectInstallerRaw.exe
2740	EasyConnectInstallerRaw.exe
2740	EasyConnectInstallerRaw.exe
2740	EasyConnectInstallerRaw.exe
2740	EasyConnectInstallerRaw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 8 IoCs

installer

resource	yara_rule
behavioral1/files/0x000d0000000122e8-1.dat	nsis_installer_1
behavioral1/files/0x000d0000000122e8-1.dat	nsis_installer_2
behavioral1/files/0x000d0000000122e8-5.dat	nsis_installer_1
behavioral1/files/0x000d0000000122e8-5.dat	nsis_installer_2
behavioral1/files/0x000d0000000122e8-8.dat	nsis_installer_1
behavioral1/files/0x000d0000000122e8-8.dat	nsis_installer_2
behavioral1/files/0x000d0000000122e8-6.dat	nsis_installer_1
behavioral1/files/0x000d0000000122e8-6.dat	nsis_installer_2

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2740	EasyConnectInstallerRaw.exe
2740	EasyConnectInstallerRaw.exe
2740	EasyConnectInstallerRaw.exe
2740	EasyConnectInstallerRaw.exe
2740	EasyConnectInstallerRaw.exe
2740	EasyConnectInstallerRaw.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2740	2240	tmp.exe	28
PID 2240 wrote to memory of 2740	2240	tmp.exe	28
PID 2240 wrote to memory of 2740	2240	tmp.exe	28
PID 2240 wrote to memory of 2740	2240	tmp.exe	28
PID 2240 wrote to memory of 2740	2240	tmp.exe	28
PID 2240 wrote to memory of 2740	2240	tmp.exe	28
PID 2240 wrote to memory of 2740	2240	tmp.exe	28

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Users\Admin\AppData\Roaming\EasyConnect_8650\EasyConnectInstallerRaw.exe
  "C:\Users\Admin\AppData\Roaming\EasyConnect_8650\EasyConnectInstallerRaw.exe"
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\EasyConnect_8650\EasyConnectInstallerRaw.exe

Filesize
5.2MB

MD5
54091357950b82ec782e6de9bf2fa935

SHA1
97f77e1a42b1ab7d3bc51fb0ee977f8f476e24d3

SHA256
504931c38a3bc81b66739597164a588374884cd416b96ae7e1e3a94e83fc6ecf

SHA512
b20ef12be01e56614f6c8d57cac652636e8f85825877884d0dc2635a01e2d5336a0817a30a39ed8fa19d06ba597900005d2a862d5bde4a3cade50b66061374bd

Download Submit
C:\Windows\SysWOW64\SangforInstallHelper.dll

Filesize
512KB

MD5
6e2dd2ebfdb4b2793c7f115b03e7cdc6

SHA1
fb85696af0e6a0d29cac29b2712960a1dce38650

SHA256
029d04989f239008603f45c28a4cb6cdee0eefbd9fb7a4fbbef62697e27c9cae

SHA512
bd56525911cc5548226fef4432ae9db946bbc2848657d6e6abe0a7d9e9d9921d0d6ba5e3ffbc93f0de596a55eee2df1b56f8575e71844d04a6d9b00ffe09d9de

Download Submit
\Users\Admin\AppData\Local\Temp\nsd8DEF.tmp\SkinBtn.dll

Filesize
4KB

MD5
e4ec95271ff1bcebab49bdfed6817a22

SHA1
2c03e97f4773aea80ecdb98a1482e5896fe4677b

SHA256
ee1c06692a757473737b0ebdef16f77b63afac864d0890022d905e4873737dd6

SHA512
771a527133806307a1b17b7e956d6a3c16e9bc675bf084b43204ae784a057dac2726dbf90645692876043a4e7365ba8825c167621fde4760c79cd84679e2aa3d

Download Submit
\Users\Admin\AppData\Local\Temp\nsd8DEF.tmp\System.dll

Filesize
11KB

MD5
6f5257c0b8c0ef4d440f4f4fce85fb1b

SHA1
b6ac111dfb0d1fc75ad09c56bde7830232395785

SHA256
b7ccb923387cc346731471b20fc3df1ead13ec8c2e3147353c71bb0bd59bc8b1

SHA512
a3cc27f1efb52fb8ecda54a7c36ada39cefeabb7b16f2112303ea463b0e1a4d745198d413eebb3551e012c84a20dcdf4359e511e51bc3f1a60b13f1e3bad1aa8

Download Submit
\Users\Admin\AppData\Roaming\EasyConnect_8650\EasyConnectInstallerRaw.exe

Filesize
4.9MB

MD5
f3438816f0ceaaefad000be4cbc4b025

SHA1
faaf9d04dc8ce26d4a26e9689ec9a38e90a37cf3

SHA256
e208f258a1733383f61c286b3d9e1b5c3c91b56d2ab09fbe33e07fa8ad4314ca

SHA512
c56b0251515f5311dca4207182c1e84334e6e79ae73fc0abbbd8bc32e1d0f616aa92755b51ec71074df009e74523c9875db79138bc82752bf59de661ba8c0750

Download Submit
\Users\Admin\AppData\Roaming\EasyConnect_8650\EasyConnectInstallerRaw.exe

Filesize
4.9MB

MD5
72ddec314256274f674085f4891e5cb9

SHA1
84eec3cd8ae8473c05ae998df6f64ee708e9dc81

SHA256
07091dc13d96dc408faae956489b6136a64a9a3b715bc4c7e4b85ad07478eb9d

SHA512
4cc0a69f66eff5bf20f9db537ec38e21609e1babf92908beaa11c9da232b9057acb21193e0b1df11ac3a5a8534f92aa346a9d671368d49d64997e9bdcebba459

Download Submit
\Users\Admin\AppData\Roaming\EasyConnect_8650\EasyConnectInstallerRaw.exe

Filesize
4.4MB

MD5
29a8f731b129f92768bcc29b30d02da2

SHA1
1694549358467d25aace70d671f95ae1a31772cf

SHA256
a2985674223db665faa6a9349a7b8ac69a979c56744e076076c50006f8bf31bb

SHA512
a37dee9326f931f5da81441769d744c5bcab561ba16ea8d24493c216c9158e110f1c57ef4a4fe415730c8ef645b579fb79c826f5df107dd2aeb1d95363c751ca

Download Submit
\Windows\SysWOW64\SangforInstallHelper.dll

Filesize
640KB

MD5
35249e255b76f783d4542944e49a25bd

SHA1
5217b842c895f3f42af4f25255421ebf2dd4d826

SHA256
39a706330d25b73652aa58eb11fc3a68e06fbc21c9051c6cea8eceaee81bbc9a

SHA512
1bd2c5ffc5a280b16e69535f7de1c558acfcde8909745e8712cbba416b450ab9c6a06ba443f60b91871fcea3cb8c4aa51121275cc53772b8f2a607e63e4b7349

Download Submit

Analysis

Sharing