Overview

Score  Task / Target            Platform
10     Static (static)          -
3      ResIL.dll                windows7-x64
1      ResIL.dll                windows10-2004-x64
3      libGLESv2.dll            windows7-x64
3      libGLESv2.dll            windows10-2004-x64
1      res_mods/1...zA.exe      windows7-x64
1      res_mods/1...zA.exe      windows10-2004-x64
10     setup.exe                windows7-x64
10     setup.exe                windows10-2004-x64
7      updates/Un...00.exe      windows7-x64
7      updates/Un...00.exe      windows10-2004-x64
1      vivoxsdk.dll             windows7-x64
1      vivoxsdk.dll             windows10-2004-x64

Analysis
- max time kernel: 19s
- max time network: 19s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 05-07-2024 16:27
Static task: static1

Behavioral task  Sample                                              Resource
behavioral1      ResIL.dll                                           win7-20240220-en
behavioral2      ResIL.dll                                           win10v2004-20240704-en
behavioral3      libGLESv2.dll                                       win7-20240704-en
behavioral4      libGLESv2.dll                                       win10v2004-20240704-en
behavioral5      res_mods/1.23.0.0/scripts/client/gui/mods/7zA.exe   win7-20240704-en
behavioral6      res_mods/1.23.0.0/scripts/client/gui/mods/7zA.exe   win10v2004-20240704-en
behavioral7      setup.exe                                           win7-20240220-en
behavioral8      setup.exe                                           win10v2004-20240508-en
behavioral9      updates/Uninstall/unins000.exe                      win7-20240704-en
behavioral10     updates/Uninstall/unins000.exe                      win10v2004-20240704-en
behavioral11     vivoxsdk.dll                                        win7-20240704-en
behavioral12     vivoxsdk.dll                                        win10v2004-20240704-en
General

- Target: updates/Uninstall/unins000.exe
- Size: 1.5MB
- MD5: 3ab31d714c50ae078f9eaba7b2497191
- SHA1: 45c5e807e459d95618c03a6ded9debe1d70013f3
- SHA256: 4f1ad8d1547c95e51defcb129c5dcf2568c9735524ab3face5f0fafc5bcbc0eb
- SHA512: f89961fb914796b07da8f224317bb794f9cf0cc8b40e635823b0bb8a6713048c5b2de08e1c4e9dd4f81c6f579e3bc3551a9342ba34db9a6de1c0d6755ec140ae
- SSDEEP: 24576:0H9/gqpQYze0XKvc4BYCsCS3D4kjiIUjyeyXEDq8UbVlc3GYgl4KvjKMrexLxB:cIEJxCWluyZ8UbMZz
Signatures

- Deletes itself (1 IoC)
  pid 2444  _iu14D2N.tmp

- Executes dropped EXE (1 IoC)
  pid 2444  _iu14D2N.tmp

- Loads dropped DLL (3 IoCs)
  pid 1840  unins000.exe
  pid 2444  _iu14D2N.tmp
  pid 2444  _iu14D2N.tmp

- Suspicious use of FindShellTrayWindow (1 IoC)
  pid 2444  _iu14D2N.tmp

- Suspicious use of WriteProcessMemory (7 IoCs)
  description                       pid   Process       procid_target
  PID 1840 wrote to memory of 2444  1840  unins000.exe  29
  (the same entry is listed 7 times in the report)
Processes

1. C:\Users\Admin\AppData\Local\Temp\updates\Uninstall\unins000.exe  (PID 1840)
   Command line: "C:\Users\Admin\AppData\Local\Temp\updates\Uninstall\unins000.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp  (PID 2444, child of PID 1840)
      Command line: "C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp" /SECONDPHASE="C:\Users\Admin\AppData\Local\Temp\updates\Uninstall\unins000.exe" /FIRSTPHASEWND=$70150
      - Deletes itself
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of FindShellTrayWindow
Downloads

- Filesize: 1.5MB
  MD5: 3ab31d714c50ae078f9eaba7b2497191
  SHA1: 45c5e807e459d95618c03a6ded9debe1d70013f3
  SHA256: 4f1ad8d1547c95e51defcb129c5dcf2568c9735524ab3face5f0fafc5bcbc0eb
  SHA512: f89961fb914796b07da8f224317bb794f9cf0cc8b40e635823b0bb8a6713048c5b2de08e1c4e9dd4f81c6f579e3bc3551a9342ba34db9a6de1c0d6755ec140ae

- Filesize: 22KB
  MD5: 92dc6ef532fbb4a5c3201469a5b5eb63
  SHA1: 3e89ff837147c16b4e41c30d6c796374e0b8e62c
  SHA256: 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
  SHA512: 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3