2c56cc6fab26984a12f794ed5a8c9de6122c3b1a92bb7e00d763c78caf58d169

Analysis

max time kernel
137s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
01/02/2024, 03:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

26.2MB
MD5

421d6a237c728a82dd2ba79f1e0c3cc0
SHA1

7a0e2e2afdaf2dbca48827ae660ca65bfdbe5141
SHA256

2c56cc6fab26984a12f794ed5a8c9de6122c3b1a92bb7e00d763c78caf58d169
SHA512

b5efbcc35acde2e1380e9e614e1d5e933c3b10a3f586b39ec7dcdd10571ee64b16b7303d13e1938d5b6e1573d65b81b80ad2ecea30b669701a2e6c04fbc92332
SSDEEP

786432:OMA/NUxnkvZbfocYDotqxE80Z5eQfjI7y4gpgN/i65e9:Ciubo7dxE8icQb+yw49

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\SangforInstallHelper.dll	EasyConnectInstallerRaw.exe
File created	C:\Windows\SysWOW64\ECPrivacyStatementEn.rtf	EasyConnectInstallerRaw.exe
File created	C:\Windows\SysWOW64\ECPrivacyStatementCn.rtf	EasyConnectInstallerRaw.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Sangfor\SSL\ClientComponent\install.log	EasyConnectInstallerRaw.exe

Executes dropped EXE 1 IoCs

pid	Process
4800	EasyConnectInstallerRaw.exe

Loads dropped DLL 4 IoCs

pid	Process
4800	EasyConnectInstallerRaw.exe
4800	EasyConnectInstallerRaw.exe
4800	EasyConnectInstallerRaw.exe
4800	EasyConnectInstallerRaw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x0006000000023142-2.dat	nsis_installer_1
behavioral2/files/0x0006000000023142-2.dat	nsis_installer_2

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4800	EasyConnectInstallerRaw.exe
4800	EasyConnectInstallerRaw.exe
4800	EasyConnectInstallerRaw.exe
4800	EasyConnectInstallerRaw.exe
4800	EasyConnectInstallerRaw.exe
4800	EasyConnectInstallerRaw.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4928 wrote to memory of 4800	4928	tmp.exe	84
PID 4928 wrote to memory of 4800	4928	tmp.exe	84
PID 4928 wrote to memory of 4800	4928	tmp.exe	84

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4928
- C:\Users\Admin\AppData\Roaming\EasyConnect_8685\EasyConnectInstallerRaw.exe
  "C:\Users\Admin\AppData\Roaming\EasyConnect_8685\EasyConnectInstallerRaw.exe"
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:4800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nspF752.tmp\SkinBtn.dll

Filesize
4KB

MD5
e4ec95271ff1bcebab49bdfed6817a22

SHA1
2c03e97f4773aea80ecdb98a1482e5896fe4677b

SHA256
ee1c06692a757473737b0ebdef16f77b63afac864d0890022d905e4873737dd6

SHA512
771a527133806307a1b17b7e956d6a3c16e9bc675bf084b43204ae784a057dac2726dbf90645692876043a4e7365ba8825c167621fde4760c79cd84679e2aa3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nspF752.tmp\System.dll

Filesize
11KB

MD5
6f5257c0b8c0ef4d440f4f4fce85fb1b

SHA1
b6ac111dfb0d1fc75ad09c56bde7830232395785

SHA256
b7ccb923387cc346731471b20fc3df1ead13ec8c2e3147353c71bb0bd59bc8b1

SHA512
a3cc27f1efb52fb8ecda54a7c36ada39cefeabb7b16f2112303ea463b0e1a4d745198d413eebb3551e012c84a20dcdf4359e511e51bc3f1a60b13f1e3bad1aa8

Download Submit
C:\Users\Admin\AppData\Roaming\EasyConnect_8685\EasyConnectInstallerRaw.exe

Filesize
26.0MB

MD5
ec2f65b0b6ba96814fae89077ee6c44e

SHA1
42c80a325a5c21499a401568ac0d23029ab3003f

SHA256
505c2f036419be29844c763540e6d045bdd3906df5abeb148828faa860e1c9df

SHA512
023554ee99a637ee31a810d5e0bf5ebb7b3d449c964e2046f78e35a371502ff40a50149bb11d2337d8174f86951e0f353917266c1a73769b1036f7889408ed0e

Download Submit
C:\Windows\SysWOW64\SangforInstallHelper.dll

Filesize
2.5MB

MD5
a6ae600d1811271726b876628f979f6f

SHA1
6eb855b5185b6a8bc860e1c3b9562132de549d43

SHA256
04636e58d1eb5f135e755c14d992b8ea4537d05553cdcc757a0aa52a5d33ae11

SHA512
2f07d39c61fc36cae2a4659cbeab984ade430a60b9b2b1b7c29f792a75c931c9efd98804f8459bfc53a7c094636da806ea7007aee37336fd07c6a40c9e69d78d

Download Submit