41bbdd824f01bd36bdfe0f29aecf5a3dcd88a4a20fa7fa67e40041584d0172af

Analysis

max time kernel
93s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18/04/2024, 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41bbdd824f01bd36bdfe0f29aecf5a3dcd88a4a20fa7fa67e40041584d0172af.exe
Size

8.7MB
MD5

c02240bd0f4a7bbf370c5309db1f2a7b
SHA1

9d3496ee9631396fb25f3ed2467789addac48bba
SHA256

41bbdd824f01bd36bdfe0f29aecf5a3dcd88a4a20fa7fa67e40041584d0172af
SHA512

f7bf33971e4ae4aaf9b276f2956ed9ee21f9d04fffcbfef24028d266e63b6dc32bce152f84c14d3031d67689cda0fd9d8a95766c9e37f241b8be3651e510829b
SSDEEP

196608:760lDgEyVpJ7NCbzceWSr+996LqOGMVbzz9oFAas49oELlRhWj:O0mENQ/996WTMVfxsn+EM

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Control Panel\International\Geo\Nation	41bbdd824f01bd36bdfe0f29aecf5a3dcd88a4a20fa7fa67e40041584d0172af.exe

Executes dropped EXE 1 IoCs

pid	Process
4940	InstallNavi.exe

Loads dropped DLL 1 IoCs

pid	Process
4940	InstallNavi.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Software\Microsoft\Internet Explorer\IESettingSync	InstallNavi.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	InstallNavi.exe
Key created	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	InstallNavi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355664440-2199602304-1223909400-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	InstallNavi.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4940	InstallNavi.exe
4940	InstallNavi.exe
4940	InstallNavi.exe
4940	InstallNavi.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
4940	InstallNavi.exe
4940	InstallNavi.exe
4940	InstallNavi.exe
4940	InstallNavi.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4940	InstallNavi.exe
4940	InstallNavi.exe
4940	InstallNavi.exe
4940	InstallNavi.exe
4940	InstallNavi.exe
4940	InstallNavi.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 4940	2244	41bbdd824f01bd36bdfe0f29aecf5a3dcd88a4a20fa7fa67e40041584d0172af.exe	87
PID 2244 wrote to memory of 4940	2244	41bbdd824f01bd36bdfe0f29aecf5a3dcd88a4a20fa7fa67e40041584d0172af.exe	87
PID 2244 wrote to memory of 4940	2244	41bbdd824f01bd36bdfe0f29aecf5a3dcd88a4a20fa7fa67e40041584d0172af.exe	87

C:\Users\Admin\AppData\Local\Temp\41bbdd824f01bd36bdfe0f29aecf5a3dcd88a4a20fa7fa67e40041584d0172af.exe
"C:\Users\Admin\AppData\Local\Temp\41bbdd824f01bd36bdfe0f29aecf5a3dcd88a4a20fa7fa67e40041584d0172af.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Users\Admin\AppData\Local\Temp\WebIns\Epson_L382_Series_CIS_10_Web\InstallNavi.exe
  "C:\Users\Admin\AppData\Local\Temp\WebIns\Epson_L382_Series_CIS_10_Web\InstallNavi.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WebIns\Epson_L382_Series_CIS_10_Web\InstallNavi.exe

Filesize
2.3MB

MD5
f48307504d7c186a535234bcbada56c5

SHA1
3042f04814bc79fb1154fe49267b11ca5d2532e9

SHA256
afe07af43e7d1f5a2b22e397f5f3c54535710ba6773851353984d536c68a48f5

SHA512
b05d8821aaeb52bf2345c2151bae28b38587d26ab0cee0110da006a5f0bbfd101ef65f3a0da5dcaef5dac2ca6ebd0c19a480a2cc6576e1ddb957251e8d186906

Download Submit
C:\Users\Admin\AppData\Local\Temp\WebIns\Epson_L382_Series_CIS_10_Web\Manual\SetupGuide\AR\files\bg_bull.gif

Filesize
70B

MD5
98944e8fc7cb2085a00c11b1d940d12e

SHA1
d4dc13a801c110c56c8059ee6847f99953cf2045

SHA256
0d036bd0b4c1f067cba0796e393adeb6d45526191daa01e568c5688904375702

SHA512
7b5af9a226a72c59aa17745ca5d69e7ee008e92c48a12639c3c849dd1eaaceb348a5970102483c5d09500544a9f3861ecf323464766357357aed300c35ea818a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WebIns\Epson_L382_Series_CIS_10_Web\Manual\SetupGuide\AR\files\mark_wa.gif

Filesize
628B

MD5
2e30664efaecd7484069bb42b11842bd

SHA1
1346c2ee4e6ce38f80fee743327e9708abb918f9

SHA256
8f3a5c606f68b13225e063743f4477ef20f79931e4c5b75ecb6517b9eb8b5957

SHA512
571c13dc4d2a2dcfba33075d82c4d2c5d26d3751ab2ff5b1913e625cec1c3d20d5495558c515385e2e8e4163df34be9375219d98aaf66f5a4b901e4ee8497627

Download Submit
C:\Users\Admin\AppData\Local\Temp\WebIns\Epson_L382_Series_CIS_10_Web\Manual\SetupGuide\AZ\files\mark_im.gif

Filesize
624B

MD5
4ea7649975ad26018babc9963569c30e

SHA1
f2a84438ffd66d0a8203f1dbf7eb3f8437e42d83

SHA256
c8b6c0bb5d2f7d44a86e8e7a439ff70ff534df55100ce25e93f2f13c7f43fed2

SHA512
92fcfee62f378f1de4e60b68c41dd8d75f8bebd602181cc2b7f4516e3cf9f744f2474d8e703904c2c456b373e89cc1d0b0af9ff93d135b098c38cd74493a25ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\WebIns\Epson_L382_Series_CIS_10_Web\Manual\SetupGuide\AZ\files\mark_no.gif

Filesize
169B

MD5
fe73248369fd57577eb2e449f694dc0e

SHA1
e3dad813f69d2bf385e3e2b30bac250d8d9d1c49

SHA256
fc83fb2df02272085387e37fa550dafe572678561b9ea579815f804a21d79693

SHA512
c8486524f69094475c6b03fa3e0ab1d340d0ef6da549ce50b17a44d9c2e599db323e274da302b83465a2b8cc3085b7fa255981a59a60d88e60757d77f41c9a44

Download Submit
C:\Users\Admin\AppData\Local\Temp\WebIns\Epson_L382_Series_CIS_10_Web\Manual\SetupGuide\BE\files\_sdisc07.css

Filesize
3KB

MD5
8bed575c0b8949949f407d07ec754f46

SHA1
458a43299e3bf06a7fe318f0fe4610da07e996f4

SHA256
6823abfd7be79e2dca30e2acda2c2f0c8e7e198567708f4b4a8aac55bbcd489e

SHA512
31855f572862da0e5f58731422d6b1210bdeca58226278f577981fe483ff257884ead563c92e24c1888a501bc9d2977c46270901b8f41d624b9310218e1a4379

Download Submit
C:\Users\Admin\AppData\Local\Temp\WebIns\Epson_L382_Series_CIS_10_Web\Manual\SetupGuide\FA\files\_sdisc07.css

Filesize
3KB

MD5
06e2f71c45095f67f5e636ba93bd3b98

SHA1
f8a19d51e573c030d9b217ac3aa1b6ab92d8d069

SHA256
96107a8e5c10422e6f06394d60b59fe8698c13264ff796fa840c34100c49655b

SHA512
215ca5f32349771a997aff25c82d8dca4d64dbb399715ef1b0956b01777096c8f24efd0933d503deccca30a64b9cca19458e3de75bcf2de9950b75930f7b5ab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\WebIns\Epson_L382_Series_CIS_10_Web\_cdres\_dll\E_PRLGR7.dll

Filesize
100KB

MD5
2ee89b932e4c0a7f503dd349d587630b

SHA1
159ecabf22e39588350ec8785dddf0936385ae8e

SHA256
ea650215af1d90d83c4bbfebe814926d8ddb4ffb9797be83b93bef35b2bbabd4

SHA512
c6113f1a991e53b6b765dd6d93a55dc51ec2d5b4f317e0bb92002240e217cac1c10afd02b9b5b561e68b822de93fe227db6b2d104967e99ba6b7e24dfd8acb70

Download Submit
C:\Users\Admin\AppData\Local\Temp\WebIns\Epson_L382_Series_CIS_10_Web\_cdres\_html\EN\la.htm

Filesize
10KB

MD5
845f10dee681993571197541d6e16532

SHA1
4272677dcf4bd77a280c39cbaccff8529d692818

SHA256
a7515491a39c7bd06ab53c521cc56e6927789569523236c428723330c333925b

SHA512
188274bd57ca1bb631c64c0cdc5aece726c13749f92a98f114308feccf17acbd573744931fd4b6230b40e12dc6d6a2b03d8ac60d30a12724525162660a8885f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\WebIns\Epson_L382_Series_CIS_10_Web\_cdres\_html\_style.css

Filesize
5KB

MD5
3fb7d111b4ceccea32272f31c1ef5434

SHA1
4dbc5827c2515f424e2159b1cfd5bc0f0664ca9e

SHA256
3c71c92a1d75b6624f7f0c36841ea3fbd3d82af5d5323483f6cfed9a2fd841e8

SHA512
3bc6c9470ab71592a09af24c1ed4ef19dad295db29f7c40bb1bc5deef0f04517dd948c80aef7fa71acef5a83632983a73e54b89b6ba31b8bbd91d68f0f014751

Download Submit
C:\Users\Admin\AppData\Local\Temp\WebIns\Epson_L382_Series_CIS_10_Web\_cdres\_icon\StatusBack.png

Filesize
2KB

MD5
3e71c4c0553c52f5ef9f16e2f6e277c9

SHA1
373499844ae7119bf0963c7e486c855db82216ee

SHA256
fb3b11833143d8736d306e8aefad833243602b3044498ead166463d683149cf1

SHA512
1c691eecb429c2c5a3283d35864eccd9d603e0b2451c5bd53650ab0b7f7a0658479f5294a3d5e3f355b5614ee5795b0978d731798efedf8838e2185186f414c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\WebIns\Epson_L382_Series_CIS_10_Web\_cdres\_icon\_logo.png

Filesize
3KB

MD5
500bbad62224f572ac33be0bcad7bb70

SHA1
eee8bb21232e29e2f4fb00397fd0501a286ef2d7

SHA256
61cfd674e957d507b9bbe61f702a6f239b057e948a8e53ad0d2e689ec252b29b

SHA512
abd1d687484bb7c065cab4a8677174b49a08e38348c5d532c2274dbdd84261cbc89dd58b764fe5dd45eae9f8fbc951799c8ac8b97f8646adeb0ca250b786f5bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\WebIns\Epson_L382_Series_CIS_10_Web\_cdres\_icon\_main.png

Filesize
2KB

MD5
f4cef09e189088980b7d5141b7e977e0

SHA1
8f2fa0f212bf1c9c22d975ae51c423ce5177ac2f

SHA256
d22cf4ef479c73f328874e723b880018e285fd6a0d6f61a344b42e21e709eb2e

SHA512
c65d9546f74c0687ff872fa03c37038e0b935c4e3bf16f127b7ff0aa82ada47e1ff5204fa091d43b0c98f3d6583daabb0c6b9bb2c1393c09358ad3256b92939a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WebIns\Epson_L382_Series_CIS_10_Web\_cdres\_icon\_splash.png

Filesize
11KB

MD5
8c3a8239c769013f71d22d7a8ec3ed79

SHA1
605819eb1f502e7f506209d15b23ce037e400e6a

SHA256
25c6da225d7517e195fe09f0428c749a6180089d1bcde138ec1283c125d4ab8d

SHA512
920de48eee45340f348a52b2fdb59c11c72cfb7ae9a9e7fb045c83baba9fe949ac36934cf907f00803c2bf004b24942b02f9288570c5064c7a38a4bd0229af8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WebIns\Epson_L382_Series_CIS_10_Web\_cdres\_icon\usb_setting_explain.png

Filesize
15KB

MD5
59fe117eda90230ced05f4124a8c2dc0

SHA1
8f9a85bd323fe699541507e85ad59a4c0847adaf

SHA256
f7390047d1c10ee1075150f1aa9048c4cef214e8b3b9e452c247c2d7627dbf03

SHA512
f1ed1be99857041b017b9c750a72197f1f434a7692e8c63121c87033b3b02113197941957a32720a1c9acc0271c894410d2dddddb7924d206fe446bfbfe625e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\WebIns\Epson_L382_Series_CIS_10_Web\_cdres\_style\LanguageInfo2.ini

Filesize
9KB

MD5
921f41ee825d752c1c18f63306c7a17a

SHA1
b189e192a2313656ff983686760838428d6f6156

SHA256
d9cb0828ac4218fe3d0da084832f45e4d6549e488788218ca5a9b87545d1cc34

SHA512
12a82cb63a831397f612dab0d38f0adda5f5e084c223497a73b562a0920243e7d7012808d52b31bd0b898bc844ba5d8911bbfea019415123e831b027e2c59cd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\WebIns\Epson_L382_Series_CIS_10_Web\_cdres\_style\Language\string.h

Filesize
36KB

MD5
21e45fcdf41a92e4eff12f76baf25b7d

SHA1
df541ca7528852caf448683f9435a14370372aa8

SHA256
0a2a16672f8a4dd22fc43d0810c54d37ade39a84c2881855209a5c18d65e34cc

SHA512
28e25a2bace93e7e36fd77343f2b67fc622b10f7b66d65c82679899c0e43ceb146c0117e64badc67537e6ced4caaa36569b9984f781a169debdee06f4141fbbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\WebIns\Epson_L382_Series_CIS_10_Web\_cdres\_style\style.ini

Filesize
605B

MD5
0f302c80132b5344ec3df52799f6a50d

SHA1
b0790e09ae316f8267b8fe335d94f6831efd614e

SHA256
b5c3f63ab9df3201182bf6d07ed460690a00196ff97d39aabb40ceec08990a5c

SHA512
d75ac6a4be64e101f5b6e56e6822f7aa6db086309c0f43970b931c991cb354451c09eed52b0476b46c4d7a21d3a1017f410ec54924a52ecc6f90388973025bcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\WebIns\Epson_L382_Series_CIS_10_Web\_cdres\default.ini

Filesize
294B

MD5
cd2a1481b05b5aaaaf45d9fc9ceb0d3c

SHA1
c70b51d5022851d54142faf91c4cb88e6296bd97

SHA256
3393e4170c8f09c9753bd0f3b88bea3a605d0c87877572ad024ef691ff350e36

SHA512
f00fee986b55f9f338723c68644141181b6fef2ac6cd89fecf1767725160394d8142ee8f2a32f16668317f9d82b6b3581d4d4918deec16293657e571d05dff5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WebIns\Epson_L382_Series_CIS_10_Web\_model\model.ini

Filesize
840B

MD5
fc555d779c84498d9ff526c51d1051a3

SHA1
641aab155c3e5951ee3de133fd6904d71cec54a5

SHA256
7d49a98bb97e609521ac05795e9112c1b9b2f41cd4b5b0f325ce3115c8d0643f

SHA512
742721dff0c7b767ef3583d30f8f242d4ae22f4603f4c4a058d23aad897a102f69ae33cc8fffb8bc2d92827b45f8d47ca426fada9106cb670ca67dd6ac3f1bc4

Download Submit