7ad99c1905e0c0ca46bd97650a50645592a6006f05062aa4580198c41c6491a1

Analysis

max time kernel
131s
max time network
142s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
14/03/2024, 19:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ExLoader_Installer (1).exe
Size

20.2MB
MD5

06d4e995805a2afd7496f4f4f0000fd2
SHA1

db80fb0f047f5754aa33781268421407fd07d29e
SHA256

7ad99c1905e0c0ca46bd97650a50645592a6006f05062aa4580198c41c6491a1
SHA512

fd4d245e28e6584f7fe3489bccb35341f5957933de442c259a507e04bf07f018bbb1bd769d638a07a42ce7a1677c6bf1aa237f4b22b3a5dcf9ccbc5af43150d7
SSDEEP

393216:QVZarTJXmFjzqREtDlwcPUTc9t37DMncawXAKaVnayxZtFDb:SZ4TJXmFjzqa5lYTiInf46VnvHr/

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1903027113-674645041-2759338396-1000\Control Panel\International\Geo\Nation	ExLoader_Installer.exe

Executes dropped EXE 1 IoCs

pid	Process
1572	ExLoader_Installer.exe

Loads dropped DLL 5 IoCs

pid	Process
1572	ExLoader_Installer.exe
1572	ExLoader_Installer.exe
1572	ExLoader_Installer.exe
1572	ExLoader_Installer.exe
1572	ExLoader_Installer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1572	ExLoader_Installer.exe
1572	ExLoader_Installer.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4092 wrote to memory of 1572	4092	ExLoader_Installer (1).exe	72
PID 4092 wrote to memory of 1572	4092	ExLoader_Installer (1).exe	72
PID 1572 wrote to memory of 3372	1572	ExLoader_Installer.exe	73
PID 1572 wrote to memory of 3372	1572	ExLoader_Installer.exe	73
PID 3372 wrote to memory of 212	3372	cmd.exe	75
PID 3372 wrote to memory of 212	3372	cmd.exe	75
PID 1572 wrote to memory of 2928	1572	ExLoader_Installer.exe	76
PID 1572 wrote to memory of 2928	1572	ExLoader_Installer.exe	76
PID 2928 wrote to memory of 2540	2928	cmd.exe	78
PID 2928 wrote to memory of 2540	2928	cmd.exe	78

C:\Users\Admin\AppData\Local\Temp\ExLoader_Installer (1).exe
"C:\Users\Admin\AppData\Local\Temp\ExLoader_Installer (1).exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4092
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1572
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /C C:\Windows\System32\reg.exe query HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography /v MachineGuid
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3372
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\reg.exe query HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography /v MachineGuid
      4⤵
      PID:212
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /C C:\Windows\System32\reg.exe query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2928
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\reg.exe query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid
      4⤵
      PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe

Filesize
161KB

MD5
89a6ed1e786dd059f598c852e5dad5d6

SHA1
8bfe891b475b3503acabfde158e58856ae17f367

SHA256
227d42f778e3476633d3711ea07973cb969ae151471e3579f63601dfd01d8e80

SHA512
6b47894d4e6352edeed02e66e76402fc4c50c70221d29353c7791974dc9e7322f97e347041cfbfdababd867b3d3e67cb9af860bac1c700740982701ec68d3591

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\MSVCP140.dll

Filesize
559KB

MD5
c3d497b0afef4bd7e09c7559e1c75b05

SHA1
295998a6455cc230da9517408f59569ea4ed7b02

SHA256
1e57a6df9e3742e31a1c6d9bff81ebeeae8a7de3b45a26e5079d5e1cce54cd98

SHA512
d5c62fdac7c5ee6b2f84b9bc446d5b10ad1a019e29c653cfdea4d13d01072fdf8da6005ad4817044a86bc664d1644b98a86f31c151a3418be53eb47c1cfae386

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCRUNTIME140.dll

Filesize
116KB

MD5
e9b690fbe5c4b96871214379659dd928

SHA1
c199a4beac341abc218257080b741ada0fadecaf

SHA256
a06c9ea4f815dac75d2c99684d433fbfc782010fae887837a03f085a29a217e8

SHA512
00cf9b22af6ebbc20d1b9c22fc4261394b7d98ccad4823abc5ca6fdac537b43a00db5b3829c304a85738be5107927c0761c8276d6cb7f80e90f0a2c991dbcd8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCRUNTIME140_1.dll

Filesize
48KB

MD5
eb49c1d33b41eb49dfed58aafa9b9a8f

SHA1
61786eb9f3f996d85a5f5eea4c555093dd0daab6

SHA256
6d3a6cde6fc4d3c79aabf785c04d2736a3e2fd9b0366c9b741f054a13ecd939e

SHA512
d15905a3d7203b00181609f47ce6e4b9591a629f2bf26ff33bf964f320371e06d535912fda13987610b76a85c65c659adac62f6b3176dbca91a01374178cd5c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d3dcompiler_47.dll

Filesize
4.7MB

MD5
cb9807f6cf55ad799e920b7e0f97df99

SHA1
bb76012ded5acd103adad49436612d073d159b29

SHA256
5653bc7b0e2701561464ef36602ff6171c96bffe96e4c3597359cd7addcba88a

SHA512
f7c65bae4ede13616330ae46a197ebad106920dce6a31fd5a658da29ed1473234ca9e2b39cc9833ff903fb6b52ff19e39e6397fac02f005823ed366ca7a34f62

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\app.so

Filesize
1.9MB

MD5
3eabc83792107578ce3180ef3f1ba4a1

SHA1
6de0965042ba539747c8d5b91eb8f09919105e61

SHA256
2dd374d3ca99020380ccf9f8e9fc056eb5b878513e80d6b1e291c286240b99ef

SHA512
072939c6fbe8352c6259e010b09e24d42a8f3afec48031e71ee1d755c119b2f71a83f17fda4aad2a82aebcbec024e10c5f94374efa3a0d4026cb7fa110a965fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\AssetManifest.bin

Filesize
36KB

MD5
37319e9e5131c88c5169e044dfd432fb

SHA1
f8207003744b2cf6d6ebd6080c9afe5925904a0d

SHA256
f50d907a3487cfbff2fe04f6eca8f38c968d52c971c8044a9e9d39286becf735

SHA512
3e8750f329f936622e55162003b73a57a808db1a3c408fcabb0a3653c5126b0848e1df1b84bac54406b5c365b8a89cf4c29d41774c97b8c393457e308f994b65

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\FontManifest.json

Filesize
687B

MD5
08916680285af6ddf4adbd1dd265487d

SHA1
e5fa77912a69248aab08714c5b605df62c469f33

SHA256
ef252f80a090c0ae1499c34148c27f3e982100b25c8daa9921d102343383f751

SHA512
68c9858777147a6a1c4932c13149aba4bb97453a3aface4c80077a5746ed493c811e36cd89b838e34429e91b1833b1866177b4bfc216129d555f310fe71a108f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\backgrounds\Ori%20and%20the%20Blind%20Forest.jpg

Filesize
93KB

MD5
babd1b019be8944f7ef6c64c8194bc8d

SHA1
702a50d3e3a0933db4dc1f37423bca3b5c52acde

SHA256
71ea07c900e7993072f4896c0ab621303feaf4d13b7c9a4b2993e06122b10f76

SHA512
6a854fc0db7206dd182f6ebc594d763b62a75f64663d3e58029cfa2586048838fe8878b043d174923e05f4e3cd2f3e9d96a6dcf5ba8bbd7322bbc3540bbb8b0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\flags\RE.png

Filesize
2KB

MD5
23f2c7dc04bfe492598bc440f57114af

SHA1
c30b386b7138a1d89b90f0e679ef58f4c545ba42

SHA256
94a0c4bc3aa825e44d36b0a463f9bfb012c2156392594a8ac6d76b389776e3a9

SHA512
edbc28f9f61ad48ac02e1bcb0f862249b5baf352289e068cb5df5552b5e9752a205e7b093b7caedccf4230186659d4b12579433ae8141b5129a5a6cf4c6bc5f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\flags\SJ.png

Filesize
2KB

MD5
bf25a4249d34f915ec1a246a468290cc

SHA1
5cc47373c11ff0488929124e18e280c7eb36b232

SHA256
0dd0e0a0d72ff4179b11afd5367a72b000de4a5c5ea0362f1f1723f80a3a2d22

SHA512
982fbc34c0c0ccad148b6745185af317bbe12215e08c879c6a06a7073d2afbcbc70c4fed9e028cc91a6a1eaa1fece064dbddf415a4b97a799dbfb1debcc02337

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\fonts\Raleway-Black.ttf

Filesize
159KB

MD5
35e0e2e7a5b03275ba569a214edbab77

SHA1
b341b185db9c7231884558dcdab0124d2f5ed1d0

SHA256
2d1149ca6075e3559fa4234107474b3b500bc479baa0bdaa8a99563a587c62f5

SHA512
e3d752d8fd5a7306dcf8fc428b72df1668991b7152b66fba41e365cc61626f8ddfc8092dbcbc2b2ef3acea5c09496e83af2a2208cdd5b66e7ff3267b2bf2f0d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\fonts\Raleway-Bold.ttf

Filesize
159KB

MD5
88079335418f389bfb2d86bc4f1ced64

SHA1
fd799b6fb4aff1a9402e071ab02d1ddea731b868

SHA256
85c6a818e33ae8b62d15672522c0b12f2e602680f75c4414ee815a73596ad365

SHA512
5105d0f432cda4de9749e4e0dd09f9687d06ad17b7e02f98dc9d0b2ffc3d959c386302f8882c3a3f1021c39ecf88e60f5e630b929fb905eec48bead923b47e11

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\fonts\Raleway-ExtraBold.ttf

Filesize
128KB

MD5
ea3c423dde751e8da9fd982f773afd3a

SHA1
5202117bfd55b189b50c4e2dceaeb551765c2f76

SHA256
34b2d2795b02cac034a174f54e4357aaf35598ecc5a2099a667803e03fa639ab

SHA512
e38464dbb95f150da7947c3131ec700d25ae5375a749fda5a135425de5113d77ed431641f81d7031a92b70fc652461afb4ba9f23dad480b8c4b1d5224739bd8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\fonts\Raleway-Medium.ttf

Filesize
159KB

MD5
b952c3c81ba34b54c66c748ea1e828a7

SHA1
9d35f805e98f95e72f5d0a4ced7397584d7349be

SHA256
f5a6dcd3227d1a75db47a6770e617d8077cba42c146d1d6479ae394431c7d40e

SHA512
30ddc9f9fd2916b3ac846cac60c93b5f89057a1369ffd38ccf569a6eba3dff6be10408ad7413257e794e94a46e68e67105fae28f1ce95544485edbe85842a420

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\fonts\Raleway-SemiBold.ttf

Filesize
159KB

MD5
87641f9900d717d6bfbf108b8755868e

SHA1
75f4fca0d4d80e2b9a62d3283261e933786fb8c1

SHA256
564368e49d2d7d65005649278c3e042d6954df5e5dee3874a3b548ad067db0cc

SHA512
a319660d6457efd705c291aa5445146f77e2d099ac26be3f48963b9846cb0f3cfaaee1fbd1e9acb5a7ebb74d39b541d00c76fd50932b388cee7ff54da2ef40ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\icons\close.svg

Filesize
201B

MD5
7f8d672a2849987b498734dcb90f0c51

SHA1
e53b9319bf964c15099080ac5497ee39f8bab362

SHA256
4a290648cd1cfaaf1db4909d7552ae8cb83cb0b0e36770e64d153ab07ce6e7d4

SHA512
b3ddbf719f42440238c55cee896409179b4562ffe74f607d3640f623c8264c2fd2000b085dfd9a25ffd8ba2166695dcd663efec56cdac679f9993cfb602459d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\icons\collapse.svg

Filesize
195B

MD5
ad6092934dc48be9d00331e6f21eb235

SHA1
29cd8e5478e432b386382caf6ac7b3537b108c33

SHA256
2e0eb48ef144b771903a2ee5096ac4305ef43c830d2905f46b0384a07f5f4090

SHA512
38254a977c1a74515ed6184b5ebb3b1b3125db4b713a2de69aee9dc54912a9e869fede36423548e9ebf8cfc66e6711738789ee2c33f6f3af74def779eb7e5afd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\icudtl.dat

Filesize
798KB

MD5
cf772cf9f6ca67f592fe47da2a15adb1

SHA1
9cc4d99249bdba8a030daf00d98252c8aef7a0ff

SHA256
ac44ccc3f61bf630bb20fb8043d86cfe4c8995d06b460084400db45d70497b30

SHA512
0bec0d3a34a4ac1cc2ed81dba3bc52981c5dd391a68fe21132dfadb70e42ffbe8f3ba798185733d64a900fd2bb2403f9a8558e6666f2c1e2c0e818d8e3f154fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\flutter_windows.dll

Filesize
17.0MB

MD5
d652806d678b05dabfc7ee978d712e43

SHA1
5728bd87c626d5c23231f9ebfda6e41dabbbf4bd

SHA256
37384b7f718bd7be000e8bdd2628b568ab6db5096ca2ca931fc087f878e74c7b

SHA512
b47b8a5d24c98c0fc4f63fbf173bd1417a12c02547141c296db528029571cd3f8abaf23e55db679ba60e204123c6c0974ec02e36ea0192a53895bfd49787ff4e

Download Submit
C:\Users\Admin\AppData\Roaming\com.swiftsoft\ExLoader_Installer\shared_preferences.json

Filesize
262B

MD5
f9c1b988031ef12afbbb9852b047f14c

SHA1
835f775c1af9e3eeafa5703889ce2c2f8bfe0081

SHA256
e154b7e3d92350cc53fd44157a6b244de2a79462b36d3b0dda610db37cb03753

SHA512
c1e0cee386a8cba21ae33ec248e44540ac960f677115e5e803842a50a66a9ad2251dd9e274778c3a2df0719deb4692e619bf30a1e9d663982f19729df164bb97

Download Submit
memory/1572-1095-0x0000010E56770000-0x0000010E56771000-memory.dmp

Filesize
4KB

Download
memory/1572-1094-0x0000010E5A1E0000-0x0000010E5B10D000-memory.dmp

Filesize
15.2MB

Download
memory/1572-1093-0x0000010E5A1E0000-0x0000010E5B10D000-memory.dmp

Filesize
15.2MB

Download
memory/1572-1092-0x0000010E5A1E0000-0x0000010E5B10D000-memory.dmp

Filesize
15.2MB

Download
memory/1572-1091-0x0000010E56760000-0x0000010E56761000-memory.dmp

Filesize
4KB

Download