0fa48a6368effe6c9373dd34f9f26bf7f0a2050aab330cefc5acc6de5030ecb6

Analysis

max time kernel
144s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19-02-2024 09:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$1/1337/ExLoader_Installer.exe
Size

19.8MB
MD5

afcb0e5c7c35c05970a74a1aab5fe12e
SHA1

42eacb7a9594ee0a6242d3bc3c33b6c60b3fc319
SHA256

f1e92828ebf9e2443f36c03a5a66a4fba4bd8744ecf5bbf59fc69c84d7a95d18
SHA512

fe62d4b1ec93a21a7b1f80e5f42b17c0c43d794b99e7e87fb6fea86d82ac080d76dcf9a3e96516303ccaf88b8101523a23f5b7f560bd3f4bb2745ac1f71b4dfb
SSDEEP

393216:QuTOvTuAnHmMgEMSb6qLdTcmtgt+BDMncawXAKaVnayxZtFDtq:dUTPGMzpbpT8+BInf46VnvHrJq

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation	ExLoader_Installer.exe

Executes dropped EXE 1 IoCs

pid	Process
840	ExLoader_Installer.exe

Loads dropped DLL 5 IoCs

pid	Process
840	ExLoader_Installer.exe
840	ExLoader_Installer.exe
840	ExLoader_Installer.exe
840	ExLoader_Installer.exe
840	ExLoader_Installer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
840	ExLoader_Installer.exe
840	ExLoader_Installer.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 840	2748	ExLoader_Installer.exe	85
PID 2748 wrote to memory of 840	2748	ExLoader_Installer.exe	85
PID 840 wrote to memory of 2772	840	ExLoader_Installer.exe	86
PID 840 wrote to memory of 2772	840	ExLoader_Installer.exe	86
PID 2772 wrote to memory of 3288	2772	cmd.exe	88
PID 2772 wrote to memory of 3288	2772	cmd.exe	88
PID 840 wrote to memory of 1212	840	ExLoader_Installer.exe	89
PID 840 wrote to memory of 1212	840	ExLoader_Installer.exe	89
PID 1212 wrote to memory of 880	1212	cmd.exe	91
PID 1212 wrote to memory of 880	1212	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\$1\1337\ExLoader_Installer.exe
"C:\Users\Admin\AppData\Local\Temp\$1\1337\ExLoader_Installer.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:840
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /C C:\Windows\System32\reg.exe query HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography /v MachineGuid
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\reg.exe query HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography /v MachineGuid
      4⤵
      PID:3288
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /C C:\Windows\System32\reg.exe query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1212
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\reg.exe query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid
      4⤵
      PID:880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe

Filesize
160KB

MD5
2ead84d84868efb13f8ef2cc9899905a

SHA1
5b044f580c052eef4c2ab9e3f772446b2280ecde

SHA256
03377f1e71e58a58646b9443fa86c8d5e27d5457b08976b07c44a192b210f93b

SHA512
2065f2a79afac4fca286550a59cf98fd723e590591fc2272e26d9d1aa83cb21b5bf85cf2e55860d4dd7b313daac094049ab52f04e1fd6be309f17cb4bb7b2e5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\MSVCP140.dll

Filesize
554KB

MD5
9aeacfd60c19fdb1af926ecf7e6eab87

SHA1
e18684b140af095c25628fcc599b600b2ef999a9

SHA256
7bb664a486e941d0f6004ef1eb48773c7c5f1be5f1cbf1aa5f9819a215863d5d

SHA512
8a9654018313ab79af95a92745b4faaa87b62210506bfd788919769878a43efaf6e48494b8b2c7ad6155adebb8b07cae0f06ef734e9042c858478e95e911c656

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCRUNTIME140.dll

Filesize
94KB

MD5
c8e5574247f5a2468f71b53fc0279594

SHA1
c28d7c9cad48882beaeed0fba15cbc11fc2f949c

SHA256
0373c0cd6856950dee1b1a9e3ddb896099c6c823f6e46dc00802fed19dbd58d0

SHA512
d244d3879cbdfd22bd94eb7d4950916b5999d6c012b0287a8807a110f1bc80266049f4d0563b97bb0154bcde7480ffcba07e9f7e66fc2ac20020e3c77792df81

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCRUNTIME140_1.dll

Filesize
36KB

MD5
35628f1d136c003699382ea7d489cb16

SHA1
30dfd392927161182224f0e6b8aace235a00fbea

SHA256
0d6f93c5d19530a1623798f936468bc0934c1795545dd000b8812539b3e308cf

SHA512
558e6d729d39f25584191804e3b60f8fe8e9e950d58cd8f82eeaecb45c5bc86f2b9e9ac499ddabbee7dfe6a6ac6cb44cf63ced6e8105405ab9b314b5005d9cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d3dcompiler_47.dll

Filesize
3.4MB

MD5
bce6a4d57d3c9fff70925ff27d63c549

SHA1
85fdd41e6de31a7fd0e74977e7f8fb433083a1c3

SHA256
91950a08aa1cc9e1e4653d25a6421036f032e70795194d4011e247ded536f6fe

SHA512
95ae344cf2bff2eac7d41d552e0adff69cb862225f79b3471267b4e08a0c63e0f56a3314ea78e1ee01d1d5d642f2763a3901e6f0c950ea9ed74fd12585ccb2b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d3dcompiler_47.dll

Filesize
3.6MB

MD5
fa78a79dc451ac1ffd45671d7be505b7

SHA1
c6eb7395b693bafafd4604b3270933cd7c57e4d5

SHA256
d741f91da154d87eb9308371a5a5caedbc5e831015ca38da4a561a108a73bc89

SHA512
6413d51d79d6932b5be0031042070649cfd4ab1809ccf011f5b60548988d86bad667a44a7b15d02f5a9c2074ee69e76622bc2b3734dcbd75c334d84605f9ea14

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\app.so

Filesize
2.5MB

MD5
e068cc82524e5464644ac9148c6d0cf1

SHA1
b97bfd3f50adfa021da3a7a4dee7b5d31b09448c

SHA256
ddd4a09a16eaca924f12f00f9184184c7e42e4243ebe0e5f3bb0180409ac9e96

SHA512
c7ed6d862c885727e1b872027ef8f9d5894c0a25052737c3ef7914725014834f714da81968c77999fee866bf1f6fbc20dfd6058d0618f0fb7bbfcb07e6c685a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\AssetManifest.bin

Filesize
36KB

MD5
37319e9e5131c88c5169e044dfd432fb

SHA1
f8207003744b2cf6d6ebd6080c9afe5925904a0d

SHA256
f50d907a3487cfbff2fe04f6eca8f38c968d52c971c8044a9e9d39286becf735

SHA512
3e8750f329f936622e55162003b73a57a808db1a3c408fcabb0a3653c5126b0848e1df1b84bac54406b5c365b8a89cf4c29d41774c97b8c393457e308f994b65

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\FontManifest.json

Filesize
687B

MD5
08916680285af6ddf4adbd1dd265487d

SHA1
e5fa77912a69248aab08714c5b605df62c469f33

SHA256
ef252f80a090c0ae1499c34148c27f3e982100b25c8daa9921d102343383f751

SHA512
68c9858777147a6a1c4932c13149aba4bb97453a3aface4c80077a5746ed493c811e36cd89b838e34429e91b1833b1866177b4bfc216129d555f310fe71a108f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\backgrounds\Warcraft.jpg

Filesize
52KB

MD5
a48a77f8b3f8f7e6a9661776472b14c0

SHA1
7118461b780b558939a325a319e8515edbbedef1

SHA256
2e58bd1444d8452ba963e877601e8942a1560abdd44c16ed33580148322234ba

SHA512
f6a8a2844d872b650fc6342f809198bf078cf2d472c1b43f18529a0216393f6494202ab3b95ffef560fdba4bee7a4c6a85be49d9151cbd52c0c870d65c6e47fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\flags\RE.png

Filesize
2KB

MD5
23f2c7dc04bfe492598bc440f57114af

SHA1
c30b386b7138a1d89b90f0e679ef58f4c545ba42

SHA256
94a0c4bc3aa825e44d36b0a463f9bfb012c2156392594a8ac6d76b389776e3a9

SHA512
edbc28f9f61ad48ac02e1bcb0f862249b5baf352289e068cb5df5552b5e9752a205e7b093b7caedccf4230186659d4b12579433ae8141b5129a5a6cf4c6bc5f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\flags\SJ.png

Filesize
2KB

MD5
bf25a4249d34f915ec1a246a468290cc

SHA1
5cc47373c11ff0488929124e18e280c7eb36b232

SHA256
0dd0e0a0d72ff4179b11afd5367a72b000de4a5c5ea0362f1f1723f80a3a2d22

SHA512
982fbc34c0c0ccad148b6745185af317bbe12215e08c879c6a06a7073d2afbcbc70c4fed9e028cc91a6a1eaa1fece064dbddf415a4b97a799dbfb1debcc02337

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\fonts\Raleway-Black.ttf

Filesize
57KB

MD5
8d3ca95402937eeab00997c11e25c1e2

SHA1
79263e88fd1dbe43cca9b2037d595e495e173b86

SHA256
7e7cb8715d4f7c9f6df315f11dac5db3a955d07e7131c5bb853e249ce8902af1

SHA512
fa148fe88d402486bad007f24c0fe3c485e3601435d820e3d8eeb09d22ec42d48566d8793a1231287c966823d3a86f55cfc26273623bd0bef1e9ba2148a1aa4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\fonts\Raleway-Bold.ttf

Filesize
159KB

MD5
88079335418f389bfb2d86bc4f1ced64

SHA1
fd799b6fb4aff1a9402e071ab02d1ddea731b868

SHA256
85c6a818e33ae8b62d15672522c0b12f2e602680f75c4414ee815a73596ad365

SHA512
5105d0f432cda4de9749e4e0dd09f9687d06ad17b7e02f98dc9d0b2ffc3d959c386302f8882c3a3f1021c39ecf88e60f5e630b929fb905eec48bead923b47e11

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\fonts\Raleway-ExtraBold.ttf

Filesize
159KB

MD5
27f7ef17de3691b5cdb9f1ee1ee5cc6a

SHA1
1c92715c134738f2956bf758181522243c7586dd

SHA256
118e237edf796dd76c453e912a4f445816e918bc3ff1d3941b2548c0a8fdfe29

SHA512
6d5c68056a37d989f64528c092680416c1300c95471be43ebddff7b579bcae9dfa7f402ab422406bf3a4a3df728b4af1e68e15e385b49221847f48e0bc59f228

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\fonts\Raleway-Medium.ttf

Filesize
159KB

MD5
b952c3c81ba34b54c66c748ea1e828a7

SHA1
9d35f805e98f95e72f5d0a4ced7397584d7349be

SHA256
f5a6dcd3227d1a75db47a6770e617d8077cba42c146d1d6479ae394431c7d40e

SHA512
30ddc9f9fd2916b3ac846cac60c93b5f89057a1369ffd38ccf569a6eba3dff6be10408ad7413257e794e94a46e68e67105fae28f1ce95544485edbe85842a420

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\fonts\Raleway-SemiBold.ttf

Filesize
159KB

MD5
87641f9900d717d6bfbf108b8755868e

SHA1
75f4fca0d4d80e2b9a62d3283261e933786fb8c1

SHA256
564368e49d2d7d65005649278c3e042d6954df5e5dee3874a3b548ad067db0cc

SHA512
a319660d6457efd705c291aa5445146f77e2d099ac26be3f48963b9846cb0f3cfaaee1fbd1e9acb5a7ebb74d39b541d00c76fd50932b388cee7ff54da2ef40ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\icons\close.svg

Filesize
201B

MD5
7f8d672a2849987b498734dcb90f0c51

SHA1
e53b9319bf964c15099080ac5497ee39f8bab362

SHA256
4a290648cd1cfaaf1db4909d7552ae8cb83cb0b0e36770e64d153ab07ce6e7d4

SHA512
b3ddbf719f42440238c55cee896409179b4562ffe74f607d3640f623c8264c2fd2000b085dfd9a25ffd8ba2166695dcd663efec56cdac679f9993cfb602459d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\icons\collapse.svg

Filesize
195B

MD5
ad6092934dc48be9d00331e6f21eb235

SHA1
29cd8e5478e432b386382caf6ac7b3537b108c33

SHA256
2e0eb48ef144b771903a2ee5096ac4305ef43c830d2905f46b0384a07f5f4090

SHA512
38254a977c1a74515ed6184b5ebb3b1b3125db4b713a2de69aee9dc54912a9e869fede36423548e9ebf8cfc66e6711738789ee2c33f6f3af74def779eb7e5afd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\images\grain.png

Filesize
79KB

MD5
3577f702479e7f31a32a96f38a36e752

SHA1
e407b9ac4cfe3270cdd640a5018bec2178d49bb1

SHA256
cc453dfe977598a839a52037ef947388e008e5cdfe91b1f1a4e85afb5509bee2

SHA512
1a4a03931ab56c8352382414f55eb25b324e11890d51ba95597dbd867b35db45db5adcefb47d95b3763f413a66e3228e59531bdbd5ba5541469196adb5eb3d70

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\icudtl.dat

Filesize
688KB

MD5
0e235c20fa10aa82ef7b3042dff6b281

SHA1
e7e7c97acc35139cbcbbc18eac4a4d64b07a7b98

SHA256
20c7fbf7aa9e331922cf268d1d02225c2b0e572b8e5aea086ff687f85aad277c

SHA512
9c9d84efba209af5f3c5ce92226dc61ccf50f5d060452d99f1b822d4e87db088c0ce8f7f936762cac5bdbfe2ebe2b35db80921d73f4a5caa9d3afffccde01916

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\flutter_windows.dll

Filesize
2.6MB

MD5
0b39ef2f7906620e57a14f88e3d6ac26

SHA1
a3ba1482c4c90bf5df2dcb8f7141d64e48675024

SHA256
b9f4c140716edd943b0978132e441ace40f585a616c7f54326aeb139bcb3f432

SHA512
7517a1036642543a78943f2d2f3e5a8c4adb911946f97c1ad7acc2de194be1d279065272eb1353ae571d0debb3dd9fa22194256acd4f526480ad55bc324041b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\flutter_windows.dll

Filesize
3.9MB

MD5
ef1a049dc119862eb002308ce351137c

SHA1
f9fab919a7309216d39e5f66f788c75833c76616

SHA256
642c3bc7108d521428ba7310f099bce282338caafa1fe00f1d72bf365f3eb6e6

SHA512
ac4d00a994783dcfb576e2ad93f749c24ab7165b1edbe72acbd999e7e28f959b7d9d66eb600aa9fedb8ef9b9b3da6384e12e9ce2d599781171812ab8abff2c5c

Download Submit
C:\Users\Admin\AppData\Roaming\com.swiftsoft\ExLoader_Installer\shared_preferences.json

Filesize
246B

MD5
3b6d748680f6d74884c2dc7be68d1c34

SHA1
bddd52dfbb7d261319e7cdf1aa0e654252865115

SHA256
119f81b327e0eac92d8b381bf1ef2b8b6ef5861bb6cc30ab64b487dd70d244af

SHA512
bdabd93552d23829a70a772d74642e2e3a42f126e9a7193b0d33bc59eeb1c657f041f97c5936de0644fdd4010a9e842736d2a8fffac140e448ff203de0198465

Download Submit
memory/840-1101-0x0000020DDC490000-0x0000020DDC491000-memory.dmp

Filesize
4KB

Download
memory/840-1100-0x0000020DDC500000-0x0000020DDD2FD000-memory.dmp

Filesize
14.0MB

Download
memory/840-1099-0x0000020DDC500000-0x0000020DDD2FD000-memory.dmp

Filesize
14.0MB

Download
memory/840-1098-0x0000020DDC500000-0x0000020DDD2FD000-memory.dmp

Filesize
14.0MB

Download
memory/840-1097-0x0000020DDC480000-0x0000020DDC481000-memory.dmp

Filesize
4KB

Download