29e588787f19805bc18b789200e7647b9be5e744c552acc6770e38cf2bea599e

Analysis

max time kernel
140s
max time network
118s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
20-02-2024 09:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eTransBatchToolSetup-win-1.0.5.1208.exe
Size

12.2MB
MD5

66b7b4cbf962b802055ee82b82734468
SHA1

6105d3d611f72f7040282f253d59d90f99abf17c
SHA256

5a1e3bc0e83570b96ca70b86b1f46010bd6eb37abccef990284b9b0c2d533fb0
SHA512

e62b6ae93946206231efc7647092841056576080cec15c50adedc3bb2444c44d7d14c8b0c4304796720b5df06078587263c84651ec39c2586835b70e1798be9d
SSDEEP

393216:qmOV12zfrojGZB/vtJdjfU6n1dMmt9DJ85Jr:iVwoj+FVnfUQrZt9DJar

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1700	eTransBatchToolSetup-win-1.0.5.1208.tmp
2880	PreInstall.exe

Loads dropped DLL 4 IoCs

pid	Process
2212	eTransBatchToolSetup-win-1.0.5.1208.exe
1700	eTransBatchToolSetup-win-1.0.5.1208.tmp
1700	eTransBatchToolSetup-win-1.0.5.1208.tmp
1700	eTransBatchToolSetup-win-1.0.5.1208.tmp

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2880	PreInstall.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1700	eTransBatchToolSetup-win-1.0.5.1208.tmp

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2880	PreInstall.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 1700	2212	eTransBatchToolSetup-win-1.0.5.1208.exe	28
PID 2212 wrote to memory of 1700	2212	eTransBatchToolSetup-win-1.0.5.1208.exe	28
PID 2212 wrote to memory of 1700	2212	eTransBatchToolSetup-win-1.0.5.1208.exe	28
PID 2212 wrote to memory of 1700	2212	eTransBatchToolSetup-win-1.0.5.1208.exe	28
PID 2212 wrote to memory of 1700	2212	eTransBatchToolSetup-win-1.0.5.1208.exe	28
PID 2212 wrote to memory of 1700	2212	eTransBatchToolSetup-win-1.0.5.1208.exe	28
PID 2212 wrote to memory of 1700	2212	eTransBatchToolSetup-win-1.0.5.1208.exe	28
PID 1700 wrote to memory of 2880	1700	eTransBatchToolSetup-win-1.0.5.1208.tmp	29
PID 1700 wrote to memory of 2880	1700	eTransBatchToolSetup-win-1.0.5.1208.tmp	29
PID 1700 wrote to memory of 2880	1700	eTransBatchToolSetup-win-1.0.5.1208.tmp	29
PID 1700 wrote to memory of 2880	1700	eTransBatchToolSetup-win-1.0.5.1208.tmp	29
PID 1700 wrote to memory of 2880	1700	eTransBatchToolSetup-win-1.0.5.1208.tmp	29
PID 1700 wrote to memory of 2880	1700	eTransBatchToolSetup-win-1.0.5.1208.tmp	29
PID 1700 wrote to memory of 2880	1700	eTransBatchToolSetup-win-1.0.5.1208.tmp	29

C:\Users\Admin\AppData\Local\Temp\eTransBatchToolSetup-win-1.0.5.1208.exe
"C:\Users\Admin\AppData\Local\Temp\eTransBatchToolSetup-win-1.0.5.1208.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Users\Admin\AppData\Local\Temp\is-FJ0B7.tmp\eTransBatchToolSetup-win-1.0.5.1208.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-FJ0B7.tmp\eTransBatchToolSetup-win-1.0.5.1208.tmp" /SL5="$400F4,12549826,54272,C:\Users\Admin\AppData\Local\Temp\eTransBatchToolSetup-win-1.0.5.1208.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:1700
- - C:\Users\Admin\AppData\Local\Temp\is-S5KED.tmp\PreInstall.exe
    "C:\Users\Admin\AppData\Local\Temp\is-S5KED.tmp\PreInstall.exe" -install
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2880

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-FJ0B7.tmp\eTransBatchToolSetup-win-1.0.5.1208.tmp

Filesize
692KB

MD5
4004a08b31830602e97978f3d260b5d5

SHA1
a0f4df00c517c114ba9de09681d9bee7851dd602

SHA256
97108defbfb4a6ffe7a98209a1ea69b400dc8903524b16594649ce819eb82d8e

SHA512
008c337392868231aeeedfe99fedd63f19ccb2a5b441081d0b918608d8c693b5d466675b5780a344df53e0e00cda1420b7c021163d746bee37e369944967bb46

Download Submit
\Users\Admin\AppData\Local\Temp\is-S5KED.tmp\PreInstall.exe

Filesize
111KB

MD5
c27eeb3b9a7c8a9a19b60f9626cec95a

SHA1
8bc2fc65238950d9e7e79c26a2cfe3066b0b7da3

SHA256
8004f9423177deef6244b4a6da159d3ec1a119199d910ad841853e4f2a3adbb6

SHA512
770937fb80acf4a9eabb7a62910adbfce1ded3a09ea831d6a809e979fe784f970efa907b567245e273f53480eb43ab504e647d684322537f8a0722c09d6a3df0

Download Submit
\Users\Admin\AppData\Local\Temp\is-S5KED.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/1700-8-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1700-22-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1700-25-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2212-1-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2212-21-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download