5cffec4f2b71685e91340901d20770d850c162e27a4909be9925bc47c2fa5937

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-02-2024 16:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

R5070_FW_TU30MB.exe
Size

35.1MB
MD5

330935560cc5e9440c951afe71077811
SHA1

06e20470696e1cc0c06dc9e0c73d0a770a1fb277
SHA256

5cffec4f2b71685e91340901d20770d850c162e27a4909be9925bc47c2fa5937
SHA512

32c1fd1e56e269348f866b627332e65e7c55af86d44802fc2656a87a5342339195224b84c8da5280ee21974d27e2cd388f52ec99200e307cafb855f3443c37d1
SSDEEP

786432:5kh2r+AGoenFh0kc97L2Wt5rcYG2aoLtOw0h6oq5sEDR5k:82rbG7Fe9X2WvrcYpaoL8FqCEDRC

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Control Panel\International\Geo\Nation	EPFWUPD.exe

Executes dropped EXE 1 IoCs

pid	Process
2076	EPFWUPD.exe

Loads dropped DLL 5 IoCs

pid	Process
2940	R5070_FW_TU30MB.exe
2076	EPFWUPD.exe
2076	EPFWUPD.exe
2076	EPFWUPD.exe
2076	EPFWUPD.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main	EPFWUPD.exe
Key created	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	EPFWUPD.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	EPFWUPD.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2076	EPFWUPD.exe
2940	R5070_FW_TU30MB.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2076	EPFWUPD.exe
2076	EPFWUPD.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2940 wrote to memory of 2076	2940	R5070_FW_TU30MB.exe	28
PID 2940 wrote to memory of 2076	2940	R5070_FW_TU30MB.exe	28
PID 2940 wrote to memory of 2076	2940	R5070_FW_TU30MB.exe	28
PID 2940 wrote to memory of 2076	2940	R5070_FW_TU30MB.exe	28
PID 2940 wrote to memory of 2076	2940	R5070_FW_TU30MB.exe	28
PID 2940 wrote to memory of 2076	2940	R5070_FW_TU30MB.exe	28
PID 2940 wrote to memory of 2076	2940	R5070_FW_TU30MB.exe	28

C:\Users\Admin\AppData\Local\Temp\R5070_FW_TU30MB.exe
"C:\Users\Admin\AppData\Local\Temp\R5070_FW_TU30MB.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2940
- C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\EPFWUPD.exe
  ./EPFWUPD.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Firmware Updater0\.copy.efu

Filesize
5.1MB

MD5
fdfdce741f9ce96b98f84c920e6973a0

SHA1
a4f4c63bf8b3a9b3ba2bbc6768f4ad14a0a24a82

SHA256
c2856901cafff117cd6e647bb23150a43633381ca7abc455a3d5a7e9caecf49e

SHA512
116208aa775c81965507712133eec01409030b2e41aa0393a24c896a5620678c99aca19675e55471da447ffe7050b9765ad898a2e907f3fd178d82a515382674

Download Submit
C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\ENBoost.DLL

Filesize
163KB

MD5
f9c8e0cdb5744587be60d2183d5a0d1c

SHA1
c68ac4e9e2c425aa870b6b57585abc95a26c7fee

SHA256
254c4c68323ca433a8a579fddd046dcbb3381863c5b0316cae282052d4cb6ec7

SHA512
c9c662a7d086c659855286c06ad0c21ef0969268a9aa71d4c87f1e7af6e345da97a6d470a0a293f62250f1d1f13c265b0b00fd4082077f4316c54950728f509e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\FW4828TL_TU30MB.efu

Filesize
5.6MB

MD5
0352130e78e47487723dcb32a9dc454e

SHA1
66bb8b87542cf387ae66209fa26530340d504048

SHA256
560a6d0f359447b4e375be73375195720bd9aedbefa5c4ca1bf90f4744d9048f

SHA512
d38c1c9089483c8c1f25739801327d53b7fe2c56255b995d4e35544ad733a2dd5a1756e91cbb21f2142e6b9e5cb8c8c5dba6aa252866a57274682070fb3ba2e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\Resources\Default\CP.txt

Filesize
7KB

MD5
13e9a07bf867d45384c132b2acba62ce

SHA1
66d821cd3086d08d1902c9927bd7c1f5b236e0ba

SHA256
6272e6551983d5001a605772c7ea2664e78853bbd1cad0ad98b30837b6b95ef9

SHA512
ef2fb3b1efb45ca801c286fcd968beae014d58fe8d041d668947578b5ac5c05e48ee7814b7505170cf7dec22dd5eee3f5369088e2dcbee77204b5cbc30900a12

Download Submit
C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\Resources\Default\enres200.dat

Filesize
62KB

MD5
a97daced497e4e7aaf9fe94022f71594

SHA1
3ac2862d07e5096bb546d4ff9118846a6cf255be

SHA256
3f1b41691045f7dca264766ad885439738a182a7a2aa54db4aa76b44e87b70c3

SHA512
e06b88d0b970996c231e7f9b9b23a4bb8cce49ac7d1d1d674f5ff2795ef44dd6d697144739d2f3d3e5f2e69fc9274a998e183bcd5b91ce61865edfa64a841829

Download Submit
C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\Resources\Default\warning.png

Filesize
2KB

MD5
1ad39ef75f31cbfdc49f0ac68522c17b

SHA1
6e5e56182720b976b6598da7214a0e0fefb554fe

SHA256
efc28c2110e35dafb3fb631e7dd78e713eb5d36b77420045f063c7453430c7fd

SHA512
5bf39b981e57960bd8bb9c8d21bb14f84a8f5c8b5ea3f09b711429062b574189f26f71bb506443d47dcbafc5b67b635b3456dc5d4cd0e37161bbe632a7b9ac10

Download Submit
C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\Resources\en\LA.txt

Filesize
70KB

MD5
320b821e71a54aab2eb52df3fbab5f9b

SHA1
c64e7eab375e33b99253288cae0e814c2f5fbea9

SHA256
1534b09ff9c66147de1abc6fda0e40499d8d2e85c0e25b7743b2a1a2fd0ceb61

SHA512
29a80c8b28223f9d0c32cfe3a4cbb73942f94676c3bd1534d688aad2d78b1602f1efa37fb51727dcc77ddabca58aacaf13feaebfc52f37fcf6a1050071da0cd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\Resources\en\info11.html

Filesize
1KB

MD5
e7afaadb2ecfa831b0bdfa80ee2b97df

SHA1
d4c009ca00767a60d3397cc7870055b9f1341143

SHA256
4b576e5e886ab9fbd2ff29e2bd0c176ddb9bcbfd1a823420b96904f51ed5b69d

SHA512
41b1d20307e296a55238c76d6cbca789cb060a4c6032b6cfb077a8cdb88accbdff97688f69a4d53e1c23fc8b065b363cf7c23408abc23be309f7f75c17ba2e92

Download Submit
C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\Resources\en\string.dat

Filesize
44KB

MD5
5e03e75adfbdd1fd5f178b1300f5a633

SHA1
17c404926b51bc64cfb19d12f3c0320488d98e77

SHA256
122501a35964a1a89bef4e33750408e5ab4a172b0e7815020507c2bbb92737f2

SHA512
e062fee3f3c34169763602f6e07d6bfe33566ae4eeeb3b25804677ea48ae44ba729978f263bc66aeea88271717fd60afbd37c3af094894290edc24fad3a100da

Download Submit
C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\Resources\no\info01.html

Filesize
1KB

MD5
c3b49beb4f02d78120f16f1e8cfe1a18

SHA1
36d20f6573a37504700f8c1f3be9e5b10ed6797c

SHA256
d6e7e80fd8d00bf38e05c116597ba53f09b3664146fbd9bb9baa963200536ce3

SHA512
4e058d049b03304a1c4e2e839377251365b03af8d2e2750ed4fdf28c4ef697b3e264f5790b768e71fd03e67436cfb17b5b81e5740a28481b53a7550d7e0cbbc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\Resources\no\info02.html

Filesize
1KB

MD5
f84f923409d09613028404b18e2cd6ff

SHA1
5fb56e219c56c5ab811f54ab1ebc569fc76a3749

SHA256
89538d2504a62a9658c2082adb3d4ebd95cd989d576814059a9188be9be844bc

SHA512
58c40c7643a3629e449f190d6df099b6018359e01a277809cb83a914c6352f6e93f7413a9d6b77dc463644de85f93f8a4f702f4cc2dc3945388798dcf378f81a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WZSE0.TMP\Unzip32.dll

Filesize
100KB

MD5
e43f51e3ebf6443aa39b3672a112bb45

SHA1
00830c204c9214a2661e15c2fa1f6c3693ab942b

SHA256
4afcccfe572c4b95dadcb3e4d50a82b049b01c40ec4c608aa287090db43eb291

SHA512
f68757e7e70dbd5be5277a7fdb2ae3f977bc41025a935886afff5480d3f2ea592cb66ebd3b99145575faf53578edbc84730d064bfdf4423bf3bfdde30b424a4d

Download Submit
\Users\Admin\AppData\Local\Temp\WZSE0.TMP\EPFWUPD.exe

Filesize
3.8MB

MD5
c8f957493671b868adf7d39f78cb9128

SHA1
558cd3a492aa796fef4fdc75f1ab863a9c5c5304

SHA256
0133b342fcdf2c5503e7203dc37d6b5016cd02f6b2d9a15cec85c729db0cdb7d

SHA512
22e760be5d5a2a17a9eae1ecdec5c67c8a2128df76dff600984cb128782f230be53bfd407bb1edb5ed3dbde9b4cdcfa44c55f954a41117395ff7c9db262b8125

Download Submit
memory/2076-1054-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2076-1059-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download