Analysis

  • max time kernel
    133s
  • max time network
    105s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25-05-2024 01:18

General

  • Target

    $TEMP/FileUnlocker_Installer.exe

  • Size

    886KB

  • MD5

    68bdb2da97b513a6f5a7461b2086ae93

  • SHA1

    706735e2d3b2714013670d7113cd66949e236c39

  • SHA256

    88d9cde0fb6dbd9447bab7da5e5c1179d504da54d4f7605e2ddf22d64bb07820

  • SHA512

    7a2355eaef00523d4fc14fd56da6efde1bfc4beaa37ecbea342bab86621c1413bb243fde3310d3bd08690efe575e98c624befd676c511f21728a8015f98cfa93

  • SSDEEP

    12288:iYETKD+2Otvj+Iv2fyx3QP0MxvS6MxlnoP189Bh86+u1+4kS12cVrm:idA+2zfyxQPh2lnoPWCQ+Vs

Score
7/10

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 3 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE (2 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of SetWindowsHookEx (4 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\$TEMP\FileUnlocker_Installer.exe
    "C:\Users\Admin\AppData\Local\Temp\$TEMP\FileUnlocker_Installer.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3732
    • C:\Users\Admin\AppData\Local\Temp\bing_toolbar.exe
      "C:\Users\Admin\AppData\Local\Temp\bing_toolbar.exe" /silent /ignorebrowsercheck /forcedefaultsearch /launchie
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:452
    • C:\Users\Admin\AppData\Local\Temp\bing_toolbar.exe
      "C:\Users\Admin\AppData\Local\Temp\bing_toolbar.exe" /silent /ignorebrowsercheck /forcedefaultsearch /launchie
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2372

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\ae0fecb16efd8cc4e62a978d47949200_4d0966de-9ba4-4ee9-b282-eaf9cf9c9160

    Filesize

    1KB

    MD5

    e5fe89e70c78bc4e160a52bacbb97363

    SHA1

    645362dc00e20a791cccbbe5643be33e7873500a

    SHA256

    675a2d0bc3b56ae96f9666f8d0850365049e897614e516d9ff6396874dc8a13c

    SHA512

    68235a3b3a9ccab577f9b71412f40123806cd27a3e802376983832aaa594c9f8e85ccc52b2e67ba295390e4c32d0103a2b959e94ddcb50c00e0bfb6fb06f301c

  • C:\Users\Admin\AppData\Local\Temp\bing_toolbar.exe

    Filesize

    329KB

    MD5

    ecec9204d3a794306cc4af1d260932e3

    SHA1

    3269a4724e61d9d97d807c1f4224e77f98333cd6

    SHA256

    0e3123bce0fcf8c1d37ecc7b52bd8b5dacb9954b15d7f84d19d64e44a2e92fa6

    SHA512

    d94b48c0e633d920c8f1745f63ef983556af10df0208eb88ca0e51c91c7b3f0f629245143b7d0cc64ff9e47d9b2e39f860a6eebcc98c186a1dccdf742d42b321