7ad99c1905e0c0ca46bd97650a50645592a6006f05062aa4580198c41c6491a1

Analysis

max time kernel
1385s
max time network
1174s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23/05/2024, 18:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ExLoader_Installer1.exe
Size

20.2MB
MD5

06d4e995805a2afd7496f4f4f0000fd2
SHA1

db80fb0f047f5754aa33781268421407fd07d29e
SHA256

7ad99c1905e0c0ca46bd97650a50645592a6006f05062aa4580198c41c6491a1
SHA512

fd4d245e28e6584f7fe3489bccb35341f5957933de442c259a507e04bf07f018bbb1bd769d638a07a42ce7a1677c6bf1aa237f4b22b3a5dcf9ccbc5af43150d7
SSDEEP

393216:QVZarTJXmFjzqREtDlwcPUTc9t37DMncawXAKaVnayxZtFDb:SZ4TJXmFjzqa5lYTiInf46VnvHr/

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	ExLoader_Installer1.exe

Executes dropped EXE 1 IoCs

pid	Process
2760	ExLoader_Installer.exe

Loads dropped DLL 5 IoCs

pid	Process
2760	ExLoader_Installer.exe
2760	ExLoader_Installer.exe
2760	ExLoader_Installer.exe
2760	ExLoader_Installer.exe
2760	ExLoader_Installer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2760	ExLoader_Installer.exe
2760	ExLoader_Installer.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 548 wrote to memory of 2760	548	ExLoader_Installer1.exe	85
PID 548 wrote to memory of 2760	548	ExLoader_Installer1.exe	85
PID 2760 wrote to memory of 4672	2760	ExLoader_Installer.exe	86
PID 2760 wrote to memory of 4672	2760	ExLoader_Installer.exe	86
PID 4672 wrote to memory of 5092	4672	cmd.exe	88
PID 4672 wrote to memory of 5092	4672	cmd.exe	88
PID 2760 wrote to memory of 4412	2760	ExLoader_Installer.exe	89
PID 2760 wrote to memory of 4412	2760	ExLoader_Installer.exe	89
PID 4412 wrote to memory of 1324	4412	cmd.exe	91
PID 4412 wrote to memory of 1324	4412	cmd.exe	91

C:\Users\Admin\AppData\Local\Temp\ExLoader_Installer1.exe
"C:\Users\Admin\AppData\Local\Temp\ExLoader_Installer1.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:548
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /C C:\Windows\System32\reg.exe query HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography /v MachineGuid
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4672
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\reg.exe query HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography /v MachineGuid
      4⤵
      PID:5092
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /C C:\Windows\System32\reg.exe query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4412
  - - C:\Windows\System32\reg.exe
      C:\Windows\System32\reg.exe query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid
      4⤵
      PID:1324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe

Filesize
161KB

MD5
89a6ed1e786dd059f598c852e5dad5d6

SHA1
8bfe891b475b3503acabfde158e58856ae17f367

SHA256
227d42f778e3476633d3711ea07973cb969ae151471e3579f63601dfd01d8e80

SHA512
6b47894d4e6352edeed02e66e76402fc4c50c70221d29353c7791974dc9e7322f97e347041cfbfdababd867b3d3e67cb9af860bac1c700740982701ec68d3591

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\MSVCP140.dll

Filesize
559KB

MD5
c3d497b0afef4bd7e09c7559e1c75b05

SHA1
295998a6455cc230da9517408f59569ea4ed7b02

SHA256
1e57a6df9e3742e31a1c6d9bff81ebeeae8a7de3b45a26e5079d5e1cce54cd98

SHA512
d5c62fdac7c5ee6b2f84b9bc446d5b10ad1a019e29c653cfdea4d13d01072fdf8da6005ad4817044a86bc664d1644b98a86f31c151a3418be53eb47c1cfae386

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCRUNTIME140_1.dll

Filesize
48KB

MD5
eb49c1d33b41eb49dfed58aafa9b9a8f

SHA1
61786eb9f3f996d85a5f5eea4c555093dd0daab6

SHA256
6d3a6cde6fc4d3c79aabf785c04d2736a3e2fd9b0366c9b741f054a13ecd939e

SHA512
d15905a3d7203b00181609f47ce6e4b9591a629f2bf26ff33bf964f320371e06d535912fda13987610b76a85c65c659adac62f6b3176dbca91a01374178cd5c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d3dcompiler_47.dll

Filesize
4.7MB

MD5
cb9807f6cf55ad799e920b7e0f97df99

SHA1
bb76012ded5acd103adad49436612d073d159b29

SHA256
5653bc7b0e2701561464ef36602ff6171c96bffe96e4c3597359cd7addcba88a

SHA512
f7c65bae4ede13616330ae46a197ebad106920dce6a31fd5a658da29ed1473234ca9e2b39cc9833ff903fb6b52ff19e39e6397fac02f005823ed366ca7a34f62

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\app.so

Filesize
15.2MB

MD5
16ff7b34b6195f13b3fbf11cc34e38a5

SHA1
94c5a497fc858c88df047ff29ea94420e5aacef0

SHA256
fef05cfaa133b04a414e7c7db4d7a3b5210a298d6403cf1a522fbf969916f25e

SHA512
69f8ff6d0986e1c2e808d49c02bef034c00aa9424a2c93512fc3f3af7c690f3d1a39cc8edfca09e175b1a81c77d1764832ca260f01fbf99127d12eb45bbe5e50

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\AssetManifest.bin

Filesize
36KB

MD5
37319e9e5131c88c5169e044dfd432fb

SHA1
f8207003744b2cf6d6ebd6080c9afe5925904a0d

SHA256
f50d907a3487cfbff2fe04f6eca8f38c968d52c971c8044a9e9d39286becf735

SHA512
3e8750f329f936622e55162003b73a57a808db1a3c408fcabb0a3653c5126b0848e1df1b84bac54406b5c365b8a89cf4c29d41774c97b8c393457e308f994b65

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\FontManifest.json

Filesize
687B

MD5
08916680285af6ddf4adbd1dd265487d

SHA1
e5fa77912a69248aab08714c5b605df62c469f33

SHA256
ef252f80a090c0ae1499c34148c27f3e982100b25c8daa9921d102343383f751

SHA512
68c9858777147a6a1c4932c13149aba4bb97453a3aface4c80077a5746ed493c811e36cd89b838e34429e91b1833b1866177b4bfc216129d555f310fe71a108f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\backgrounds\Ori%20and%20the%20Blind%20Forest.jpg

Filesize
93KB

MD5
babd1b019be8944f7ef6c64c8194bc8d

SHA1
702a50d3e3a0933db4dc1f37423bca3b5c52acde

SHA256
71ea07c900e7993072f4896c0ab621303feaf4d13b7c9a4b2993e06122b10f76

SHA512
6a854fc0db7206dd182f6ebc594d763b62a75f64663d3e58029cfa2586048838fe8878b043d174923e05f4e3cd2f3e9d96a6dcf5ba8bbd7322bbc3540bbb8b0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\flags\RE.png

Filesize
2KB

MD5
23f2c7dc04bfe492598bc440f57114af

SHA1
c30b386b7138a1d89b90f0e679ef58f4c545ba42

SHA256
94a0c4bc3aa825e44d36b0a463f9bfb012c2156392594a8ac6d76b389776e3a9

SHA512
edbc28f9f61ad48ac02e1bcb0f862249b5baf352289e068cb5df5552b5e9752a205e7b093b7caedccf4230186659d4b12579433ae8141b5129a5a6cf4c6bc5f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\flags\SJ.png

Filesize
2KB

MD5
bf25a4249d34f915ec1a246a468290cc

SHA1
5cc47373c11ff0488929124e18e280c7eb36b232

SHA256
0dd0e0a0d72ff4179b11afd5367a72b000de4a5c5ea0362f1f1723f80a3a2d22

SHA512
982fbc34c0c0ccad148b6745185af317bbe12215e08c879c6a06a7073d2afbcbc70c4fed9e028cc91a6a1eaa1fece064dbddf415a4b97a799dbfb1debcc02337

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\fonts\Raleway-Black.ttf

Filesize
159KB

MD5
35e0e2e7a5b03275ba569a214edbab77

SHA1
b341b185db9c7231884558dcdab0124d2f5ed1d0

SHA256
2d1149ca6075e3559fa4234107474b3b500bc479baa0bdaa8a99563a587c62f5

SHA512
e3d752d8fd5a7306dcf8fc428b72df1668991b7152b66fba41e365cc61626f8ddfc8092dbcbc2b2ef3acea5c09496e83af2a2208cdd5b66e7ff3267b2bf2f0d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\fonts\Raleway-Bold.ttf

Filesize
159KB

MD5
88079335418f389bfb2d86bc4f1ced64

SHA1
fd799b6fb4aff1a9402e071ab02d1ddea731b868

SHA256
85c6a818e33ae8b62d15672522c0b12f2e602680f75c4414ee815a73596ad365

SHA512
5105d0f432cda4de9749e4e0dd09f9687d06ad17b7e02f98dc9d0b2ffc3d959c386302f8882c3a3f1021c39ecf88e60f5e630b929fb905eec48bead923b47e11

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\fonts\Raleway-ExtraBold.ttf

Filesize
159KB

MD5
27f7ef17de3691b5cdb9f1ee1ee5cc6a

SHA1
1c92715c134738f2956bf758181522243c7586dd

SHA256
118e237edf796dd76c453e912a4f445816e918bc3ff1d3941b2548c0a8fdfe29

SHA512
6d5c68056a37d989f64528c092680416c1300c95471be43ebddff7b579bcae9dfa7f402ab422406bf3a4a3df728b4af1e68e15e385b49221847f48e0bc59f228

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\fonts\Raleway-Medium.ttf

Filesize
159KB

MD5
b952c3c81ba34b54c66c748ea1e828a7

SHA1
9d35f805e98f95e72f5d0a4ced7397584d7349be

SHA256
f5a6dcd3227d1a75db47a6770e617d8077cba42c146d1d6479ae394431c7d40e

SHA512
30ddc9f9fd2916b3ac846cac60c93b5f89057a1369ffd38ccf569a6eba3dff6be10408ad7413257e794e94a46e68e67105fae28f1ce95544485edbe85842a420

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\fonts\Raleway-SemiBold.ttf

Filesize
159KB

MD5
87641f9900d717d6bfbf108b8755868e

SHA1
75f4fca0d4d80e2b9a62d3283261e933786fb8c1

SHA256
564368e49d2d7d65005649278c3e042d6954df5e5dee3874a3b548ad067db0cc

SHA512
a319660d6457efd705c291aa5445146f77e2d099ac26be3f48963b9846cb0f3cfaaee1fbd1e9acb5a7ebb74d39b541d00c76fd50932b388cee7ff54da2ef40ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\icons\close.svg

Filesize
201B

MD5
7f8d672a2849987b498734dcb90f0c51

SHA1
e53b9319bf964c15099080ac5497ee39f8bab362

SHA256
4a290648cd1cfaaf1db4909d7552ae8cb83cb0b0e36770e64d153ab07ce6e7d4

SHA512
b3ddbf719f42440238c55cee896409179b4562ffe74f607d3640f623c8264c2fd2000b085dfd9a25ffd8ba2166695dcd663efec56cdac679f9993cfb602459d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\icons\collapse.svg

Filesize
195B

MD5
ad6092934dc48be9d00331e6f21eb235

SHA1
29cd8e5478e432b386382caf6ac7b3537b108c33

SHA256
2e0eb48ef144b771903a2ee5096ac4305ef43c830d2905f46b0384a07f5f4090

SHA512
38254a977c1a74515ed6184b5ebb3b1b3125db4b713a2de69aee9dc54912a9e869fede36423548e9ebf8cfc66e6711738789ee2c33f6f3af74def779eb7e5afd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\images\grain.png

Filesize
79KB

MD5
3577f702479e7f31a32a96f38a36e752

SHA1
e407b9ac4cfe3270cdd640a5018bec2178d49bb1

SHA256
cc453dfe977598a839a52037ef947388e008e5cdfe91b1f1a4e85afb5509bee2

SHA512
1a4a03931ab56c8352382414f55eb25b324e11890d51ba95597dbd867b35db45db5adcefb47d95b3763f413a66e3228e59531bdbd5ba5541469196adb5eb3d70

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\icudtl.dat

Filesize
798KB

MD5
cf772cf9f6ca67f592fe47da2a15adb1

SHA1
9cc4d99249bdba8a030daf00d98252c8aef7a0ff

SHA256
ac44ccc3f61bf630bb20fb8043d86cfe4c8995d06b460084400db45d70497b30

SHA512
0bec0d3a34a4ac1cc2ed81dba3bc52981c5dd391a68fe21132dfadb70e42ffbe8f3ba798185733d64a900fd2bb2403f9a8558e6666f2c1e2c0e818d8e3f154fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\flutter_windows.dll

Filesize
17.0MB

MD5
d652806d678b05dabfc7ee978d712e43

SHA1
5728bd87c626d5c23231f9ebfda6e41dabbbf4bd

SHA256
37384b7f718bd7be000e8bdd2628b568ab6db5096ca2ca931fc087f878e74c7b

SHA512
b47b8a5d24c98c0fc4f63fbf173bd1417a12c02547141c296db528029571cd3f8abaf23e55db679ba60e204123c6c0974ec02e36ea0192a53895bfd49787ff4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\vcruntime140.dll

Filesize
116KB

MD5
e9b690fbe5c4b96871214379659dd928

SHA1
c199a4beac341abc218257080b741ada0fadecaf

SHA256
a06c9ea4f815dac75d2c99684d433fbfc782010fae887837a03f085a29a217e8

SHA512
00cf9b22af6ebbc20d1b9c22fc4261394b7d98ccad4823abc5ca6fdac537b43a00db5b3829c304a85738be5107927c0761c8276d6cb7f80e90f0a2c991dbcd8c

Download Submit
C:\Users\Admin\AppData\Roaming\com.swiftsoft\ExLoader_Installer\shared_preferences.json

Filesize
98B

MD5
b1088599d6e45c4885a8bd5abcd0047b

SHA1
3264aaeb2c2c0e998f52ace5f5f2ddc4fb9be2c9

SHA256
5fd604e608d24d7d7f3ba14b09288386b12001feeb66d95e7419f94714191127

SHA512
d315d84a78646700c03dd4172f2189b2cd0b6295158356740dd48a9c98585a16cda215bfb8a01b93f4b01d4e01e20d3aad9168dc2d7ae9bc42a1ceeca00a736e

Download Submit
C:\Users\Admin\AppData\Roaming\com.swiftsoft\ExLoader_Installer\shared_preferences.json

Filesize
262B

MD5
387d33872a149110561700a942a74fd6

SHA1
9d9a640ef919957232d15d30e6e8edd376da14cb

SHA256
c7fea3536c74d197ae17bd4c9055ba5173b9362790062c7f0137ba91fb1f4eda

SHA512
b3f692bc7dc8d0e2e9e7f7e36799018fa94c0ffa7fae47fc8aa3fbeb590431ea358e3629ae91433b1704f63d69c1dbf3a6bbd91d1a2647130500560aebf8ff09

Download Submit
memory/2760-1100-0x0000020BD9810000-0x0000020BDA73D000-memory.dmp

Filesize
15.2MB

Download
memory/2760-1097-0x0000020BD9740000-0x0000020BD9741000-memory.dmp

Filesize
4KB

Download
memory/2760-1099-0x0000020BD9810000-0x0000020BDA73D000-memory.dmp

Filesize
15.2MB

Download
memory/2760-1101-0x0000020BD9750000-0x0000020BD9751000-memory.dmp

Filesize
4KB

Download
memory/2760-1098-0x0000020BD9810000-0x0000020BDA73D000-memory.dmp

Filesize
15.2MB

Download