03a9b3163071ecb41e20b95eb664c3165b9fcaba89f5e5433484d65e8cfa0380

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15/06/2024, 08:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

windows11installationassistant.exe
Size

4.0MB
MD5

9efe0c8b7f96c1a7d5bdd52bf07d009d
SHA1

dc6ff2f1c0af472cdc81b05f876c10420a6bbb78
SHA256

03a9b3163071ecb41e20b95eb664c3165b9fcaba89f5e5433484d65e8cfa0380
SHA512

b66772e1faeff8c607b6624106530945997fe2105569cbf92cf0eaa31f7bd02ed46b74bae6e9d79b6f51da76445564ed73fe9eb2a6507e3ce5d543781ba227fb
SSDEEP

98304:Fguv/rctyMh4cCE3p8fuCNCzLX/sA2uQqvAVGht5f/LyXtcH//9:SVtyMh9CVPUDk+4QjyXa

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	windows11installationassistant.exe

Executes dropped EXE 1 IoCs

pid	Process
2588	Windows10UpgraderApp.exe

Loads dropped DLL 1 IoCs

pid	Process
2588	Windows10UpgraderApp.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_nb-no.htm	windows11installationassistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_es-mx.htm	windows11installationassistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_fr-fr.htm	windows11installationassistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\Microsoft.WinJS\css\oobe-desktop.css	windows11installationassistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\Microsoft.WinJS\js\base.js	windows11installationassistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\ESDHelper.dll	windows11installationassistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\default_sunvalley.htm	windows11installationassistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_pl-pl.htm	windows11installationassistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_ru-ru.htm	windows11installationassistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_tr-tr.htm	windows11installationassistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\eula.css	windows11installationassistant.exe
File opened for modification	C:\Program Files (x86)\WindowsInstallationAssistant\Configuration.ini	Windows10UpgraderApp.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\downloader.dll	windows11installationassistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_ja-jp.htm	windows11installationassistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_pt-br.htm	windows11installationassistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_sr-latn-rs.htm	windows11installationassistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\Microsoft.WinJS\css\ui-dark.css	windows11installationassistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\GetCurrentDeploy.dll	windows11installationassistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_cs-cz.htm	windows11installationassistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\logo.png	windows11installationassistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_en-us.htm	windows11installationassistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_gl-es.htm	windows11installationassistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_th-th.htm	windows11installationassistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\marketing.png	windows11installationassistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\Microsoft.WinJS\js\ui.js	windows11installationassistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\pass.png	windows11installationassistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\bullet.png	windows11installationassistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_he-il.htm	windows11installationassistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_pt-pt.htm	windows11installationassistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_ar-sa.htm	windows11installationassistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_en-gb.htm	windows11installationassistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\Microsoft.WinJS\css\oobe-desktopRS2.css	windows11installationassistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\Windows10UpgraderApp.exe	windows11installationassistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_bg-bg.htm	windows11installationassistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_ca-es.htm	windows11installationassistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_eu-es.htm	windows11installationassistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_hr-hr.htm	windows11installationassistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_sv-se.htm	windows11installationassistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_zh-cn.htm	windows11installationassistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\loading.gif	windows11installationassistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\WinDlp.dll	windows11installationassistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\block.png	windows11installationassistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_da-dk.htm	windows11installationassistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_de-de.htm	windows11installationassistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_el-gr.htm	windows11installationassistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_lt-lt.htm	windows11installationassistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_nl-nl.htm	windows11installationassistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_sk-sk.htm	windows11installationassistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_uk-ua.htm	windows11installationassistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\appraiserxp.dll	windows11installationassistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\GetCurrentRollback.EXE	windows11installationassistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_fr-ca.htm	windows11installationassistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_germany_region.htm	windows11installationassistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_ro-ro.htm	windows11installationassistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_it-it.htm	windows11installationassistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_es-es.htm	windows11installationassistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_et-ee.htm	windows11installationassistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_fi-fi.htm	windows11installationassistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_hu-hu.htm	windows11installationassistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\GetCurrentOOBE.dll	windows11installationassistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_ko-kr.htm	windows11installationassistant.exe
File opened for modification	C:\Program Files (x86)\WindowsInstallationAssistant\appraiserxp.dll	windows11installationassistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\default.css	windows11installationassistant.exe
File created	C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA\EULA_lv-lv.htm	windows11installationassistant.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
640	2588	WerFault.exe	83

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Windows10UpgraderApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Windows10UpgraderApp.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\IESettingSync	Windows10UpgraderApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	Windows10UpgraderApp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeBackupPrivilege	2544	windows11installationassistant.exe
Token: SeRestorePrivilege	2544	windows11installationassistant.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2588	Windows10UpgraderApp.exe
2588	Windows10UpgraderApp.exe
2588	Windows10UpgraderApp.exe
2588	Windows10UpgraderApp.exe
2588	Windows10UpgraderApp.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 2588	2544	windows11installationassistant.exe	83
PID 2544 wrote to memory of 2588	2544	windows11installationassistant.exe	83
PID 2544 wrote to memory of 2588	2544	windows11installationassistant.exe	83

C:\Users\Admin\AppData\Local\Temp\windows11installationassistant.exe
"C:\Users\Admin\AppData\Local\Temp\windows11installationassistant.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Program Files (x86)\WindowsInstallationAssistant\Windows10UpgraderApp.exe
  "C:\Program Files (x86)\WindowsInstallationAssistant\Windows10UpgraderApp.exe" /SkipSelfUpdate /SunValley
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2588
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2588 -s 1888
    3⤵
    - Program crash
    PID:640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2588 -ip 2588
1⤵
PID:4996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsInstallationAssistant\Downloader.dll

Filesize
197KB

MD5
9e1b5963ac0c44bad9f119097ee0bfc8

SHA1
dd1a8692a64ddc5464c5b9737708e945668dabe1

SHA256
1b5cf5d28e4b20ed7d12e0f0acf3de6c19cd5694bb228266854d8981e528e4a8

SHA512
8ff0cbecb23373f1ce49122264fc037802916a821edccf27da879fdd67da2a38768f19a5dc4f17c9fcfa36082ea7b87506ea04314d58f2a646c8deb76f2be7ec

Download Submit
C:\Program Files (x86)\WindowsInstallationAssistant\Windows10UpgraderApp.exe

Filesize
3.5MB

MD5
a0e338a33da0fdb1bd4810aaec246e13

SHA1
6a8ece04dc43bcc91826765538b71c12c276bd41

SHA256
e4b69eb58da23e8a9006097eba6097f5c593a4a3583b7869c192b91a7f14081c

SHA512
250add3d86b0e1383339e26fd784b67a0aa3b965be0e0118821967b584466d011e9dca5db7b939cf615a192c18a77b14d5b8e0abb015b8f81b54b771994e55a0

Download Submit
C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\EULA.css

Filesize
82B

MD5
b81d1e97c529ac3d7f5a699afce27080

SHA1
0a981264db289afd71695b4d6849672187e8120f

SHA256
35c6e30c7954f7e4b806c883576218621e2620166c8940701b33157bdd0ba225

SHA512
e5a8c95d0e9f7464f7bd908cf2f76c89100e69d9bc2e9354c0519bf7da15c5665b3ed97cd676d960d48c024993de0e9eb6683352d902eb86b8af68692334e607

Download Submit
C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\default.css

Filesize
5KB

MD5
7f5fcac447cc2150ac90020f8dc8c98b

SHA1
5710398d65fba59bd91d603fc340bf2a101df40a

SHA256
453d8ca4f52fb8fd40d5b4596596911b9fb0794bb89fbf9b60dc27af3eaa2850

SHA512
b9fb315fdcf93d028423f49438b1eff40216b377d8c3bc866a20914c17e00bef58a18228bebb8b33c8a64fcaaa34bee84064bb24a525b4c9ac2f26e384edb1ff

Download Submit
C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\default_sunvalley.htm

Filesize
54KB

MD5
66b63e270cc9186f7186b316606f541f

SHA1
35468eeefc8d878f843bbf0bb0b4b1d43b843cdf

SHA256
00f8f3e4534146858326d6d2524f3360dfc9e5d149e207d61cabac17ad7a5f9f

SHA512
b9d1b4b201cabf087a44d958584ecb1c110807b9bd9865f1e76bf9d989d7d000ee84f07558bcae5e05d11f7121fe2c402fcf916b00ff5d8eac7eaf05e21a29f2

Download Submit
C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\loading.gif

Filesize
16KB

MD5
1a276cb116bdece96adf8e32c4af4fee

SHA1
6bc30738fcd0c04370436f4d3340d460d25b788f

SHA256
9d9a156c6ca2929f0f22c310260723e28428cb38995c0f940f2617b25e15b618

SHA512
5b515b5975fda333a6d9ca0e7de81dbc70311f4ecd8be22770d31c5f159807f653c87acf9df4a72b2d0664f0ef3141088de7f5aa12efc6307715c1c31ba55bb6

Download Submit
C:\Program Files (x86)\WindowsInstallationAssistant\resources\ux\logo.png

Filesize
2KB

MD5
afeed45df4d74d93c260a86e71e09102

SHA1
2cc520e3d23f6b371c288645649a482a5db7ccd9

SHA256
f5fb1e3a7bca4e2778903e8299c63ab34894e810a174b0143b79183c0fa5072f

SHA512
778a6c494eab333c5bb00905adf556c019160c5ab858415c1dd918933f494faf3650e60845d557171c6e1370bcff687672d5af0f647302867b449a2cff9b925d

Download Submit
C:\Users\Admin\AppData\Local\Temp\WXU55FF.tmp\appraiserxp.dll

Filesize
364KB

MD5
9ae24ddfebb001b9cf15004176e90d89

SHA1
5fbb398e25611bafc8a115d13d55a4d4b28b96c9

SHA256
82f490f1594fe9545af87a7d90f3905fbc0023a273d2df87780023218839313e

SHA512
d8a83752c270864e7be1123cae01eafa091f1faf0d274d953bb094f61f27b41f95ea47ef284759335ef84fbb2a522b63b0b2b154572775901279a50a9ef23805

Download Submit
C:\Users\Admin\AppData\Local\Temp\WXU55FF.tmp\resources\ux\EULA\EULA_en-gb.htm

Filesize
89KB

MD5
31a548cd6e0569db0d8d5a766ea2c003

SHA1
eca3cba694915df5dddd95790eacc20dda1fdacf

SHA256
74a5b919aab524487a9a6b55a2de78d133e8e16c00367a82002d6c9a55d9d34a

SHA512
1cb8910b557550b5db5cc46ac325b0924cef6915e30b4daa33975f21d02d521cb0bf8c53723e03bc875928bfb5b30d8f6013d1c5887013fa6b3db084075d7561

Download Submit
C:\Users\Admin\AppData\Local\Temp\WXU55FF.tmp\resources\ux\EULA\EULA_es-es.htm

Filesize
98KB

MD5
4bce0923de384170225f162240731eb9

SHA1
21cfe6b950885981d560002f04ad328fe3797b8e

SHA256
1bd1d819ef445a5b51929b03ce31ccdb697ba862ccbb603d5440fa89fc585238

SHA512
0f2e69e51b28507bf93523dcc8e715dfa3784913f729d242f0efad5e0ce1a3220d80ffe68f47c4de83ff71a0af29225e98ab0c83425ad52db6c41394a8802046

Download Submit
C:\Users\Admin\AppData\Local\Temp\WXU55FF.tmp\resources\ux\EULA\EULA_fr-ca.htm

Filesize
102KB

MD5
93246f9e40f56dd432768a4b525ac39f

SHA1
9bdd2cc9209ac9520d8ac78f21fdb69b045c4cbe

SHA256
921b5d35eaa56c62640a4bf37d131fbe8c73deb2d189d01ccce4a451d90759d9

SHA512
14b66b268d84e5f90523cffb8a5608c05e928a4e791e61543efcb4897528e40c936c1b54288a93494e9e88c17f1b6343bcf99612bb44bfc5cfc2926d4037f4d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\WXU55FF.tmp\resources\ux\Microsoft.WinJS\css\oobe-desktop.css

Filesize
39KB

MD5
5ad8ceea06e280b9b42e1b8df4b8b407

SHA1
693ea7ac3f9fed186e0165e7667d2c41376c5d61

SHA256
03a724309e738786023766fde298d17b6ccfcc3d2dbbf5c41725cf93eb891feb

SHA512
1694fa3b9102771eef8a42b367d076c691b002de81eb4334ac6bd7befde747b168e7ed8f94f1c8f8877280f51c44adb69947fc1d899943d25b679a1be71dec84

Download Submit