7ad99c1905e0c0ca46bd97650a50645592a6006f05062aa4580198c41c6491a1

Analysis

max time kernel
151s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
14/03/2024, 19:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ExLoader_Installer (1).exe
Size

20.2MB
MD5

06d4e995805a2afd7496f4f4f0000fd2
SHA1

db80fb0f047f5754aa33781268421407fd07d29e
SHA256

7ad99c1905e0c0ca46bd97650a50645592a6006f05062aa4580198c41c6491a1
SHA512

fd4d245e28e6584f7fe3489bccb35341f5957933de442c259a507e04bf07f018bbb1bd769d638a07a42ce7a1677c6bf1aa237f4b22b3a5dcf9ccbc5af43150d7
SSDEEP

393216:QVZarTJXmFjzqREtDlwcPUTc9t37DMncawXAKaVnayxZtFDb:SZ4TJXmFjzqa5lYTiInf46VnvHr/

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\Control Panel\International\Geo\Nation	ExLoader_Installer (1).exe

Executes dropped EXE 1 IoCs

pid	Process
3952	ExLoader_Installer.exe

Loads dropped DLL 5 IoCs

pid	Process
3952	ExLoader_Installer.exe
3952	ExLoader_Installer.exe
3952	ExLoader_Installer.exe
3952	ExLoader_Installer.exe
3952	ExLoader_Installer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3952	ExLoader_Installer.exe
3952	ExLoader_Installer.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4924 wrote to memory of 3952	4924	ExLoader_Installer (1).exe	90
PID 4924 wrote to memory of 3952	4924	ExLoader_Installer (1).exe	90
PID 3952 wrote to memory of 2608	3952	ExLoader_Installer.exe	91
PID 3952 wrote to memory of 2608	3952	ExLoader_Installer.exe	91
PID 2608 wrote to memory of 1036	2608	cmd.exe	93
PID 2608 wrote to memory of 1036	2608	cmd.exe	93
PID 3952 wrote to memory of 1700	3952	ExLoader_Installer.exe	94
PID 3952 wrote to memory of 1700	3952	ExLoader_Installer.exe	94
PID 1700 wrote to memory of 64	1700	cmd.exe	96
PID 1700 wrote to memory of 64	1700	cmd.exe	96

C:\Users\Admin\AppData\Local\Temp\ExLoader_Installer (1).exe
"C:\Users\Admin\AppData\Local\Temp\ExLoader_Installer (1).exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4924
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3952
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /C C:\Windows\System32\reg.exe query HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography /v MachineGuid
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\reg.exe query HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography /v MachineGuid
      4⤵
      PID:1036
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /C C:\Windows\System32\reg.exe query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1700
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\reg.exe query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid
      4⤵
      PID:64

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe

Filesize
161KB

MD5
89a6ed1e786dd059f598c852e5dad5d6

SHA1
8bfe891b475b3503acabfde158e58856ae17f367

SHA256
227d42f778e3476633d3711ea07973cb969ae151471e3579f63601dfd01d8e80

SHA512
6b47894d4e6352edeed02e66e76402fc4c50c70221d29353c7791974dc9e7322f97e347041cfbfdababd867b3d3e67cb9af860bac1c700740982701ec68d3591

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\MSVCP140.dll

Filesize
559KB

MD5
c3d497b0afef4bd7e09c7559e1c75b05

SHA1
295998a6455cc230da9517408f59569ea4ed7b02

SHA256
1e57a6df9e3742e31a1c6d9bff81ebeeae8a7de3b45a26e5079d5e1cce54cd98

SHA512
d5c62fdac7c5ee6b2f84b9bc446d5b10ad1a019e29c653cfdea4d13d01072fdf8da6005ad4817044a86bc664d1644b98a86f31c151a3418be53eb47c1cfae386

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCRUNTIME140.dll

Filesize
116KB

MD5
e9b690fbe5c4b96871214379659dd928

SHA1
c199a4beac341abc218257080b741ada0fadecaf

SHA256
a06c9ea4f815dac75d2c99684d433fbfc782010fae887837a03f085a29a217e8

SHA512
00cf9b22af6ebbc20d1b9c22fc4261394b7d98ccad4823abc5ca6fdac537b43a00db5b3829c304a85738be5107927c0761c8276d6cb7f80e90f0a2c991dbcd8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d3dcompiler_47.dll

Filesize
486KB

MD5
f978e22e2564514d3a07412e63e58765

SHA1
af797ea91c191b7a6807a189bf51a740b00e0917

SHA256
a7e08cd267a9ba79fec5dd4956ebc2d332b209a843fefd08bcb1283b10433681

SHA512
b06caa4088be3ea8c8b7a290915b520cb654ba943a6511482cc2066d63d0c05e5f6b65947812bed87efce54081270016722becbdb7441d7734a87bfc4c884c20

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d3dcompiler_47.dll

Filesize
608KB

MD5
38a6a337189582204ddc3683f4946096

SHA1
7c79c2ad76cb055cd09a7f52cabb01172cf056ca

SHA256
14b1acde1c55f51e0d7aa71b647d5bd656387a2028d929728ddf13629c4c158f

SHA512
921abc1759737e5f1014077dc10d92da26ee2055507d5682901dee14d30f0bf8a5631631b82f9bb693c24dbc6ecf4fc8e62e8e626e50e077ccee00ac721e9119

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\app.so

Filesize
2.3MB

MD5
0501c506252308ebe8ec8a5a41ce6da1

SHA1
370436c3c226afe3af39e18980b9c3eb88087334

SHA256
4255ff72ea4ad4f6193d402b64f371167bc51fbd1bda888af289cfc9d65e5a69

SHA512
650be6a032e60290b512cec59f2c9d4beb491e0708d41371ae46d358a8a46d0287d2f21e87f2257fc57d88039ea233c4a4eedfdc88ad2accf053e703ccd6fc11

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\AssetManifest.bin

Filesize
36KB

MD5
37319e9e5131c88c5169e044dfd432fb

SHA1
f8207003744b2cf6d6ebd6080c9afe5925904a0d

SHA256
f50d907a3487cfbff2fe04f6eca8f38c968d52c971c8044a9e9d39286becf735

SHA512
3e8750f329f936622e55162003b73a57a808db1a3c408fcabb0a3653c5126b0848e1df1b84bac54406b5c365b8a89cf4c29d41774c97b8c393457e308f994b65

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\FontManifest.json

Filesize
687B

MD5
08916680285af6ddf4adbd1dd265487d

SHA1
e5fa77912a69248aab08714c5b605df62c469f33

SHA256
ef252f80a090c0ae1499c34148c27f3e982100b25c8daa9921d102343383f751

SHA512
68c9858777147a6a1c4932c13149aba4bb97453a3aface4c80077a5746ed493c811e36cd89b838e34429e91b1833b1866177b4bfc216129d555f310fe71a108f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\backgrounds\Ori%20and%20the%20Blind%20Forest.jpg

Filesize
93KB

MD5
babd1b019be8944f7ef6c64c8194bc8d

SHA1
702a50d3e3a0933db4dc1f37423bca3b5c52acde

SHA256
71ea07c900e7993072f4896c0ab621303feaf4d13b7c9a4b2993e06122b10f76

SHA512
6a854fc0db7206dd182f6ebc594d763b62a75f64663d3e58029cfa2586048838fe8878b043d174923e05f4e3cd2f3e9d96a6dcf5ba8bbd7322bbc3540bbb8b0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\flags\RE.png

Filesize
2KB

MD5
23f2c7dc04bfe492598bc440f57114af

SHA1
c30b386b7138a1d89b90f0e679ef58f4c545ba42

SHA256
94a0c4bc3aa825e44d36b0a463f9bfb012c2156392594a8ac6d76b389776e3a9

SHA512
edbc28f9f61ad48ac02e1bcb0f862249b5baf352289e068cb5df5552b5e9752a205e7b093b7caedccf4230186659d4b12579433ae8141b5129a5a6cf4c6bc5f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\flags\SJ.png

Filesize
2KB

MD5
bf25a4249d34f915ec1a246a468290cc

SHA1
5cc47373c11ff0488929124e18e280c7eb36b232

SHA256
0dd0e0a0d72ff4179b11afd5367a72b000de4a5c5ea0362f1f1723f80a3a2d22

SHA512
982fbc34c0c0ccad148b6745185af317bbe12215e08c879c6a06a7073d2afbcbc70c4fed9e028cc91a6a1eaa1fece064dbddf415a4b97a799dbfb1debcc02337

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\fonts\Raleway-Black.ttf

Filesize
159KB

MD5
35e0e2e7a5b03275ba569a214edbab77

SHA1
b341b185db9c7231884558dcdab0124d2f5ed1d0

SHA256
2d1149ca6075e3559fa4234107474b3b500bc479baa0bdaa8a99563a587c62f5

SHA512
e3d752d8fd5a7306dcf8fc428b72df1668991b7152b66fba41e365cc61626f8ddfc8092dbcbc2b2ef3acea5c09496e83af2a2208cdd5b66e7ff3267b2bf2f0d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\fonts\Raleway-Bold.ttf

Filesize
159KB

MD5
88079335418f389bfb2d86bc4f1ced64

SHA1
fd799b6fb4aff1a9402e071ab02d1ddea731b868

SHA256
85c6a818e33ae8b62d15672522c0b12f2e602680f75c4414ee815a73596ad365

SHA512
5105d0f432cda4de9749e4e0dd09f9687d06ad17b7e02f98dc9d0b2ffc3d959c386302f8882c3a3f1021c39ecf88e60f5e630b929fb905eec48bead923b47e11

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\fonts\Raleway-ExtraBold.ttf

Filesize
159KB

MD5
27f7ef17de3691b5cdb9f1ee1ee5cc6a

SHA1
1c92715c134738f2956bf758181522243c7586dd

SHA256
118e237edf796dd76c453e912a4f445816e918bc3ff1d3941b2548c0a8fdfe29

SHA512
6d5c68056a37d989f64528c092680416c1300c95471be43ebddff7b579bcae9dfa7f402ab422406bf3a4a3df728b4af1e68e15e385b49221847f48e0bc59f228

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\fonts\Raleway-Medium.ttf

Filesize
159KB

MD5
b952c3c81ba34b54c66c748ea1e828a7

SHA1
9d35f805e98f95e72f5d0a4ced7397584d7349be

SHA256
f5a6dcd3227d1a75db47a6770e617d8077cba42c146d1d6479ae394431c7d40e

SHA512
30ddc9f9fd2916b3ac846cac60c93b5f89057a1369ffd38ccf569a6eba3dff6be10408ad7413257e794e94a46e68e67105fae28f1ce95544485edbe85842a420

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\fonts\Raleway-SemiBold.ttf

Filesize
159KB

MD5
87641f9900d717d6bfbf108b8755868e

SHA1
75f4fca0d4d80e2b9a62d3283261e933786fb8c1

SHA256
564368e49d2d7d65005649278c3e042d6954df5e5dee3874a3b548ad067db0cc

SHA512
a319660d6457efd705c291aa5445146f77e2d099ac26be3f48963b9846cb0f3cfaaee1fbd1e9acb5a7ebb74d39b541d00c76fd50932b388cee7ff54da2ef40ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\icons\close.svg

Filesize
201B

MD5
7f8d672a2849987b498734dcb90f0c51

SHA1
e53b9319bf964c15099080ac5497ee39f8bab362

SHA256
4a290648cd1cfaaf1db4909d7552ae8cb83cb0b0e36770e64d153ab07ce6e7d4

SHA512
b3ddbf719f42440238c55cee896409179b4562ffe74f607d3640f623c8264c2fd2000b085dfd9a25ffd8ba2166695dcd663efec56cdac679f9993cfb602459d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\icons\collapse.svg

Filesize
195B

MD5
ad6092934dc48be9d00331e6f21eb235

SHA1
29cd8e5478e432b386382caf6ac7b3537b108c33

SHA256
2e0eb48ef144b771903a2ee5096ac4305ef43c830d2905f46b0384a07f5f4090

SHA512
38254a977c1a74515ed6184b5ebb3b1b3125db4b713a2de69aee9dc54912a9e869fede36423548e9ebf8cfc66e6711738789ee2c33f6f3af74def779eb7e5afd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\images\grain.png

Filesize
79KB

MD5
3577f702479e7f31a32a96f38a36e752

SHA1
e407b9ac4cfe3270cdd640a5018bec2178d49bb1

SHA256
cc453dfe977598a839a52037ef947388e008e5cdfe91b1f1a4e85afb5509bee2

SHA512
1a4a03931ab56c8352382414f55eb25b324e11890d51ba95597dbd867b35db45db5adcefb47d95b3763f413a66e3228e59531bdbd5ba5541469196adb5eb3d70

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\icudtl.dat

Filesize
798KB

MD5
cf772cf9f6ca67f592fe47da2a15adb1

SHA1
9cc4d99249bdba8a030daf00d98252c8aef7a0ff

SHA256
ac44ccc3f61bf630bb20fb8043d86cfe4c8995d06b460084400db45d70497b30

SHA512
0bec0d3a34a4ac1cc2ed81dba3bc52981c5dd391a68fe21132dfadb70e42ffbe8f3ba798185733d64a900fd2bb2403f9a8558e6666f2c1e2c0e818d8e3f154fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\flutter_windows.dll

Filesize
2.8MB

MD5
afbcb3e11a3c0d55b02f72579a16650c

SHA1
72e30032b1379a87c0b2fa74d1befad9b4cbf02d

SHA256
caa9c57ff77e835426ec09b82c3e5600204a0f2cd58db084e58cc63b75e88621

SHA512
61146dfa50660a45c66212507d698daaa0a98fe0bfdc5f7b1512c35e20a6b98c8a1194b63251d3eaa2759b36e437ffdc3d7418cdccf6c3013273d36e1a56bec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\flutter_windows.dll

Filesize
2.5MB

MD5
ab3e02114ca03ae527324ae01093eeef

SHA1
58c25b23d39bd964ae91e7b60748d5f8e1a8e8fa

SHA256
045ebe8d81db132d546cdad10d6301ade5a363a667f7ed8ed694b7d61e095738

SHA512
365723c4b7e98f7460cf0c0ece56c8eb24c0608e79425f495f9f7fd3e46142baf8e91bb2c151c14217c95a9543ca6bdd34e8ce295fd093e746b1d3d386b9aef9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\vcruntime140_1.dll

Filesize
48KB

MD5
eb49c1d33b41eb49dfed58aafa9b9a8f

SHA1
61786eb9f3f996d85a5f5eea4c555093dd0daab6

SHA256
6d3a6cde6fc4d3c79aabf785c04d2736a3e2fd9b0366c9b741f054a13ecd939e

SHA512
d15905a3d7203b00181609f47ce6e4b9591a629f2bf26ff33bf964f320371e06d535912fda13987610b76a85c65c659adac62f6b3176dbca91a01374178cd5c6

Download Submit
C:\Users\Admin\AppData\Roaming\com.swiftsoft\ExLoader_Installer\shared_preferences.json

Filesize
262B

MD5
5b28bece38e1f2d1f20c7f78bcf196d9

SHA1
a559c8e3a324ebc60f898efe1bd1a82d8a5e71d5

SHA256
5edc23ad43a0d72771609349e0fb5e2d33cfdd2d5120ab243cc9f9ab20057fc4

SHA512
4ff9cc8f6c59c4a62143c504cbea70516a1c1ab60ae8e47e615db539251253dac4ac0e2e28863b8963d7cbd34fe7160559938ac3841aa894ee14e67c8a8d867c

Download Submit
memory/3952-1101-0x00000243840D0000-0x00000243840D1000-memory.dmp

Filesize
4KB

Download
memory/3952-1100-0x00000243842C0000-0x00000243851ED000-memory.dmp

Filesize
15.2MB

Download
memory/3952-1099-0x00000243842C0000-0x00000243851ED000-memory.dmp

Filesize
15.2MB

Download
memory/3952-1098-0x00000243842C0000-0x00000243851ED000-memory.dmp

Filesize
15.2MB

Download
memory/3952-1097-0x00000243840C0000-0x00000243840C1000-memory.dmp

Filesize
4KB

Download