79af1f9153b8ff988baffaa164fc70799950078f887e2c93dc3fa7efed674b21

Analysis

max time kernel
303s
max time network
319s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
12/03/2024, 22:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tesseract-ocr-w64-setup-5.3.3.20231005.exe
Size

47.8MB
MD5

6e11fbca5a293bf79bbb544fa35dd67c
SHA1

e7a4de76b0da06ed1857728ac9c16083d8b79c90
SHA256

79af1f9153b8ff988baffaa164fc70799950078f887e2c93dc3fa7efed674b21
SHA512

37f3f1cc0ee84709b9fdc6d4242fe23a7109d164a008461e80d4b40092ca19bbc053779205b26692abb98798c28d6d18fa39628c60441112c7eaadb519f53837
SSDEEP

786432:yWCoFFSzeTjaz7i05m+VvfftWUlmbirs5KoNArCCszNJHqYFBMbwPyp:yWCOF0eTgp5xv0virsUoNFJHdSwyp

Score

4^/10

discovery

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Tesseract-OCR\tessdata\tessconfigs\batch	tesseract-ocr-w64-setup-5.3.3.20231005.exe
File created	C:\Program Files\Tesseract-OCR\libbrotlicommon.dll	tesseract-ocr-w64-setup-5.3.3.20231005.exe
File created	C:\Program Files\Tesseract-OCR\libgobject-2.0-0.dll	tesseract-ocr-w64-setup-5.3.3.20231005.exe
File created	C:\Program Files\Tesseract-OCR\tessdata\configs\rebox	tesseract-ocr-w64-setup-5.3.3.20231005.exe
File created	C:\Program Files\Tesseract-OCR\tessdata\eng.user-patterns	tesseract-ocr-w64-setup-5.3.3.20231005.exe
File created	C:\Program Files\Tesseract-OCR\shapeclustering.1.html	tesseract-ocr-w64-setup-5.3.3.20231005.exe
File created	C:\Program Files\Tesseract-OCR\text2image.1.html	tesseract-ocr-w64-setup-5.3.3.20231005.exe
File created	C:\Program Files\Tesseract-OCR\dawg2wordlist.exe	tesseract-ocr-w64-setup-5.3.3.20231005.exe
File opened for modification	C:\Program Files\Tesseract-OCR\tesseract.exe	tesseract-ocr-w64-setup-5.3.3.20231005.exe
File created	C:\Program Files\Tesseract-OCR\wordlist2dawg.exe	tesseract-ocr-w64-setup-5.3.3.20231005.exe
File created	C:\Program Files\Tesseract-OCR\dawg2wordlist.1.html	tesseract-ocr-w64-setup-5.3.3.20231005.exe
File created	C:\Program Files\Tesseract-OCR\merge_unicharsets.1.html	tesseract-ocr-w64-setup-5.3.3.20231005.exe
File created	C:\Program Files\Tesseract-OCR\libssh2-1.dll	tesseract-ocr-w64-setup-5.3.3.20231005.exe
File created	C:\Program Files\Tesseract-OCR\tessdata\configs\kannada	tesseract-ocr-w64-setup-5.3.3.20231005.exe
File created	C:\Program Files\Tesseract-OCR\tessdata\configs\logfile	tesseract-ocr-w64-setup-5.3.3.20231005.exe
File created	C:\Program Files\Tesseract-OCR\combine_tessdata.exe	tesseract-ocr-w64-setup-5.3.3.20231005.exe
File created	C:\Program Files\Tesseract-OCR\tessdata\eng.user-words	tesseract-ocr-w64-setup-5.3.3.20231005.exe
File created	C:\Program Files\Tesseract-OCR\libcairo-2.dll	tesseract-ocr-w64-setup-5.3.3.20231005.exe
File created	C:\Program Files\Tesseract-OCR\libleptonica-6.dll	tesseract-ocr-w64-setup-5.3.3.20231005.exe
File created	C:\Program Files\Tesseract-OCR\tessdata\configs\box.train	tesseract-ocr-w64-setup-5.3.3.20231005.exe
File created	C:\Program Files\Tesseract-OCR\libicudt73.dll	tesseract-ocr-w64-setup-5.3.3.20231005.exe
File created	C:\Program Files\Tesseract-OCR\wordlist2dawg.1.html	tesseract-ocr-w64-setup-5.3.3.20231005.exe
File created	C:\Program Files\Tesseract-OCR\libglib-2.0-0.dll	tesseract-ocr-w64-setup-5.3.3.20231005.exe
File created	C:\Program Files\Tesseract-OCR\libgmodule-2.0-0.dll	tesseract-ocr-w64-setup-5.3.3.20231005.exe
File created	C:\Program Files\Tesseract-OCR\cntraining.1.html	tesseract-ocr-w64-setup-5.3.3.20231005.exe
File created	C:\Program Files\Tesseract-OCR\tessdata\configs\lstm.train	tesseract-ocr-w64-setup-5.3.3.20231005.exe
File created	C:\Program Files\Tesseract-OCR\doc\LICENSE	tesseract-ocr-w64-setup-5.3.3.20231005.exe
File created	C:\Program Files\Tesseract-OCR\set_unicharset_properties.exe	tesseract-ocr-w64-setup-5.3.3.20231005.exe
File created	C:\Program Files\Tesseract-OCR\libarchive-13.dll	tesseract-ocr-w64-setup-5.3.3.20231005.exe
File created	C:\Program Files\Tesseract-OCR\libcrypto-3-x64.dll	tesseract-ocr-w64-setup-5.3.3.20231005.exe
File created	C:\Program Files\Tesseract-OCR\tesseract-uninstall.exe	tesseract-ocr-w64-setup-5.3.3.20231005.exe
File created	C:\Program Files\Tesseract-OCR\libtiff-6.dll	tesseract-ocr-w64-setup-5.3.3.20231005.exe
File created	C:\Program Files\Tesseract-OCR\tessdata\tessconfigs\batch.nochop	tesseract-ocr-w64-setup-5.3.3.20231005.exe
File created	C:\Program Files\Tesseract-OCR\libLerc.dll	tesseract-ocr-w64-setup-5.3.3.20231005.exe
File created	C:\Program Files\Tesseract-OCR\libpsl-5.dll	tesseract-ocr-w64-setup-5.3.3.20231005.exe
File created	C:\Program Files\Tesseract-OCR\libffi-8.dll	tesseract-ocr-w64-setup-5.3.3.20231005.exe
File created	C:\Program Files\Tesseract-OCR\mftraining.1.html	tesseract-ocr-w64-setup-5.3.3.20231005.exe
File created	C:\Program Files\Tesseract-OCR\tessdata\configs\txt	tesseract-ocr-w64-setup-5.3.3.20231005.exe
File created	C:\Program Files\Tesseract-OCR\libb2-1.dll	tesseract-ocr-w64-setup-5.3.3.20231005.exe
File created	C:\Program Files\Tesseract-OCR\libdeflate.dll	tesseract-ocr-w64-setup-5.3.3.20231005.exe
File created	C:\Program Files\Tesseract-OCR\libsharpyuv-0.dll	tesseract-ocr-w64-setup-5.3.3.20231005.exe
File created	C:\Program Files\Tesseract-OCR\libunistring-5.dll	tesseract-ocr-w64-setup-5.3.3.20231005.exe
File created	C:\Program Files\Tesseract-OCR\set_unicharset_properties.1.html	tesseract-ocr-w64-setup-5.3.3.20231005.exe
File created	C:\Program Files\Tesseract-OCR\tessdata\configs\get.images	tesseract-ocr-w64-setup-5.3.3.20231005.exe
File created	C:\Program Files\Tesseract-OCR\tessdata\configs\lstmbox	tesseract-ocr-w64-setup-5.3.3.20231005.exe
File created	C:\Program Files\Tesseract-OCR\doc\README.md	tesseract-ocr-w64-setup-5.3.3.20231005.exe
File created	C:\Program Files\Tesseract-OCR\libicuuc73.dll	tesseract-ocr-w64-setup-5.3.3.20231005.exe
File created	C:\Program Files\Tesseract-OCR\libpangowin32-1.0-0.dll	tesseract-ocr-w64-setup-5.3.3.20231005.exe
File created	C:\Program Files\Tesseract-OCR\mftraining.exe	tesseract-ocr-w64-setup-5.3.3.20231005.exe
File created	C:\Program Files\Tesseract-OCR\shapeclustering.exe	tesseract-ocr-w64-setup-5.3.3.20231005.exe
File created	C:\Program Files\Tesseract-OCR\ambiguous_words.exe	tesseract-ocr-w64-setup-5.3.3.20231005.exe
File created	C:\Program Files\Tesseract-OCR\classifier_tester.exe	tesseract-ocr-w64-setup-5.3.3.20231005.exe
File created	C:\Program Files\Tesseract-OCR\cntraining.exe	tesseract-ocr-w64-setup-5.3.3.20231005.exe
File created	C:\Program Files\Tesseract-OCR\libgcc_s_seh-1.dll	tesseract-ocr-w64-setup-5.3.3.20231005.exe
File created	C:\Program Files\Tesseract-OCR\liblz4.dll	tesseract-ocr-w64-setup-5.3.3.20231005.exe
File created	C:\Program Files\Tesseract-OCR\tessdata\configs\makebox	tesseract-ocr-w64-setup-5.3.3.20231005.exe
File created	C:\Program Files\Tesseract-OCR\libopenjp2-7.dll	tesseract-ocr-w64-setup-5.3.3.20231005.exe
File created	C:\Program Files\Tesseract-OCR\libwebpmux-3.dll	tesseract-ocr-w64-setup-5.3.3.20231005.exe
File created	C:\Program Files\Tesseract-OCR\libstdc++-6.dll	tesseract-ocr-w64-setup-5.3.3.20231005.exe
File created	C:\Program Files\Tesseract-OCR\ambiguous_words.1.html	tesseract-ocr-w64-setup-5.3.3.20231005.exe
File created	C:\Program Files\Tesseract-OCR\tessdata\configs\inter	tesseract-ocr-w64-setup-5.3.3.20231005.exe
File created	C:\Program Files\Tesseract-OCR\doc\AUTHORS	tesseract-ocr-w64-setup-5.3.3.20231005.exe
File created	C:\Program Files\Tesseract-OCR\merge_unicharsets.exe	tesseract-ocr-w64-setup-5.3.3.20231005.exe
File created	C:\Program Files\Tesseract-OCR\liblzma-5.dll	tesseract-ocr-w64-setup-5.3.3.20231005.exe

Executes dropped EXE 2 IoCs

pid	Process
1248	Process not Found
1908	winpath.exe

Loads dropped DLL 14 IoCs

pid	Process
2100	tesseract-ocr-w64-setup-5.3.3.20231005.exe
2100	tesseract-ocr-w64-setup-5.3.3.20231005.exe
2100	tesseract-ocr-w64-setup-5.3.3.20231005.exe
2100	tesseract-ocr-w64-setup-5.3.3.20231005.exe
2100	tesseract-ocr-w64-setup-5.3.3.20231005.exe
2100	tesseract-ocr-w64-setup-5.3.3.20231005.exe
2100	tesseract-ocr-w64-setup-5.3.3.20231005.exe
1248	Process not Found
1248	Process not Found
1248	Process not Found
1664	Process not Found
1248	Process not Found
1248	Process not Found
1248	Process not Found

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1908 wrote to memory of 2788	1908	winpath.exe	31
PID 1908 wrote to memory of 2788	1908	winpath.exe	31
PID 1908 wrote to memory of 2788	1908	winpath.exe	31

C:\Users\Admin\AppData\Local\Temp\tesseract-ocr-w64-setup-5.3.3.20231005.exe
"C:\Users\Admin\AppData\Local\Temp\tesseract-ocr-w64-setup-5.3.3.20231005.exe"
1⤵
- Drops file in Program Files directory
- Loads dropped DLL
PID:2100

C:\Program Files\Tesseract-OCR\winpath.exe
"C:\Program Files\Tesseract-OCR\winpath.exe" cmd
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Windows\system32\cmd.exe
  cmd
  2⤵
  PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files\Tesseract-OCR\tesseract-uninstall.exe

Filesize
147KB

MD5
f8db29c5b916cf5aa0ef41d32eb2614d

SHA1
9e118e683bca40b4908309a4acb95dc38bbfe926

SHA256
bc8d103d286bc7b7840509377dd198faf30c14013c1069e8041fd86a5d07adbf

SHA512
aee4822338bd8a94f067698d003146acafd7a81e2a9448ef6570770ee4ab639690298b84d0265601b77befae38611eab07be550b2b715213300472709a5c740b

Download Submit
\Program Files\Tesseract-OCR\winpath.exe

Filesize
18KB

MD5
52f45fc0b75900060f63b68149709e06

SHA1
1e0d6b4c9b14de7d1b8e3cecee2c3306b1d9dd3f

SHA256
5223e97b220215cc3ec12acb8979a6f41f5344737af63a90f47879051567777d

SHA512
77d6d030f03e81917bee018fc94e884d951d1d124988263155df169b4fc1932dfeaf706bc02b288f6a3539cacce7f05c53ef4b408161cb090dd46239baf13f28

Download Submit
\Users\Admin\AppData\Local\Temp\nsoBA5C.tmp\LangDLL.dll

Filesize
8KB

MD5
2ac83ff9f2eb44ee250e2007423f7784

SHA1
d7fe9e3db03a24b603a4a61ec287fa2c1073d364

SHA256
1f9ef3943d58dd80a774a5a81578b48bc90f494025e71f6e40ef7def3a06ddf2

SHA512
0aebd903e1a77bec0fac7a1f2ad88e57b9bcb07b351907164f4e674150f1c02807b7667b6fc04fd1e5b27607bbfa87cc179b03f10762b4bb781a3dfbed6c97bf

Download Submit
\Users\Admin\AppData\Local\Temp\nsoBA5C.tmp\StartMenu.dll

Filesize
12KB

MD5
fb106f9e525281c3a443ceef2d6e210f

SHA1
8321054b611787d2dacbcb1495c2b627dac04629

SHA256
fe48faafeb1d3bf312d66d60d2207648d0959c7b9263356c81d0d7f626333aa3

SHA512
d9fd571b0a27fd055a21b539dfda994d2b8f8a40872d98a1a61bcf671a94fb550ea58a20c677b3eb52be37853d860ed93a5d96b47b36be71dcad6d85d754eb66

Download Submit
\Users\Admin\AppData\Local\Temp\nsoBA5C.tmp\System.dll

Filesize
31KB

MD5
dab726bff7cb0f079d232b2c4d0efd8d

SHA1
4d0ebe0facbb66c9c03e3f6b5beb411cb75d9ec9

SHA256
9d46463e1925bf29cd86c7a56ccf540f1eeef3cb50064a222b84703436cd7e8c

SHA512
6aa6097777afdcb073b8fc8ace1a244ac9215ec152720d8b4a32f6196181b135a900491c7fea72bf1df9ed69e51b90cd21eca4ed902d8503d0b1b04c162a2162

Download Submit
\Users\Admin\AppData\Local\Temp\nsoBA5C.tmp\UserInfo.dll

Filesize
7KB

MD5
d45e6d34a3db2f350fa56b066962c8fe

SHA1
354987e974561a9ee397877432cbb35363ac4e67

SHA256
67ae64f52d6d84407820d09304fb12f5808e8caf332f6092bd0a722ec5977894

SHA512
e0bf5810a74f447a04c16625e21e6aae1cf65886d26cef0ed747c8ec4b107229573ad58ee5fbc2c034c6d16d7cb71ce4534515ff843457cb37b7490f44657b8b

Download Submit
\Users\Admin\AppData\Local\Temp\nsoBA5C.tmp\nsDialogs.dll

Filesize
14KB

MD5
494c8f9c6a5fc302e8b50f05ef9aeb8c

SHA1
75fe258210f0989a7afaecd42e45841d076dc8b8

SHA256
e9ab864697d454cd4a85abf38ec4236ee56ddd0c59f9422ae1e774b9487f132d

SHA512
363780eeded89bd720addb11ef42893d13852fe1c446305cbda73cf994da6848338458f2da4eafa42857533e6fc30e24f6db3b36df5f7cc51b9307010ddfa401

Download Submit
memory/1908-233-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1908-228-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2100-27-0x00000000744D0000-0x00000000744E0000-memory.dmp

Filesize
64KB

Download
memory/2100-32-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2100-40-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2100-43-0x00000000744B0000-0x00000000744BC000-memory.dmp

Filesize
48KB

Download
memory/2100-31-0x00000000744C0000-0x00000000744CC000-memory.dmp

Filesize
48KB

Download
memory/2100-30-0x00000000744D0000-0x00000000744E0000-memory.dmp

Filesize
64KB

Download
memory/2100-194-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2100-199-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2100-201-0x00000000744C0000-0x00000000744CC000-memory.dmp

Filesize
48KB

Download
memory/2100-200-0x00000000744D0000-0x00000000744E0000-memory.dmp

Filesize
64KB

Download
memory/2100-218-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/2100-28-0x00000000744C0000-0x00000000744CC000-memory.dmp

Filesize
48KB

Download
memory/2100-26-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download