d878d90bf61339329b61f229d2eab2f3a178c66cec43e33da2b620f6d3d9f658

Analysis

max time kernel
101s
max time network
192s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
25/07/2024, 10:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Silent Installing x64.cmd
Size

1KB
MD5

30941f6e22b0f57e06dc4e355ae636f4
SHA1

0370bb30363e593686c4d1b0ec7e0fa820140dd0
SHA256

c56d8402704a520df42e0b24c03acab1147c536de2f3cbf9b29cd648ddcdf65d
SHA512

b8ea32edb908fcbf52c41a81f6b95375b247194be8841882edd08a898ec9686b5bc09ba347cb0d9d08e033a1007528dba0f5e7276d15f2c0b4a1c0a1c9092e88

Score

7^/10

defense_evasion discovery privilege_escalation

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2340	Wallpaper_Engine_v2.5.28_RePack_by_xetrin.tmp

Loads dropped DLL 1 IoCs

pid	Process
2340	Wallpaper_Engine_v2.5.28_RePack_by_xetrin.tmp

Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs

defense_evasion privilege_escalation

Create Process with Token

T1134.002

pid	Process
3720	reg.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2460	2340	WerFault.exe	87
4168	2340	WerFault.exe	87

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wallpaper_Engine_v2.5.28_RePack_by_xetrin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wallpaper_Engine_v2.5.28_RePack_by_xetrin.tmp

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000_Classes\.Admin\shell\runas\command	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000_Classes\.Admin	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000_Classes\.Admin\shell	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000_Classes\.Admin\shell\runas	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-95457810-830748662-4054918673-1000_Classes\.Admin\shell\runas\command\ = "cmd /x /d /r set \"f0=%2\" &call \"%2\" %3"	reg.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3720	reg.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2340	Wallpaper_Engine_v2.5.28_RePack_by_xetrin.tmp
2340	Wallpaper_Engine_v2.5.28_RePack_by_xetrin.tmp
2340	Wallpaper_Engine_v2.5.28_RePack_by_xetrin.tmp
2340	Wallpaper_Engine_v2.5.28_RePack_by_xetrin.tmp
2340	Wallpaper_Engine_v2.5.28_RePack_by_xetrin.tmp
2340	Wallpaper_Engine_v2.5.28_RePack_by_xetrin.tmp
2340	Wallpaper_Engine_v2.5.28_RePack_by_xetrin.tmp
2340	Wallpaper_Engine_v2.5.28_RePack_by_xetrin.tmp
2340	Wallpaper_Engine_v2.5.28_RePack_by_xetrin.tmp
2340	Wallpaper_Engine_v2.5.28_RePack_by_xetrin.tmp
2340	Wallpaper_Engine_v2.5.28_RePack_by_xetrin.tmp
2340	Wallpaper_Engine_v2.5.28_RePack_by_xetrin.tmp
2340	Wallpaper_Engine_v2.5.28_RePack_by_xetrin.tmp
2340	Wallpaper_Engine_v2.5.28_RePack_by_xetrin.tmp
2340	Wallpaper_Engine_v2.5.28_RePack_by_xetrin.tmp
2340	Wallpaper_Engine_v2.5.28_RePack_by_xetrin.tmp
2340	Wallpaper_Engine_v2.5.28_RePack_by_xetrin.tmp
2340	Wallpaper_Engine_v2.5.28_RePack_by_xetrin.tmp
2340	Wallpaper_Engine_v2.5.28_RePack_by_xetrin.tmp
2340	Wallpaper_Engine_v2.5.28_RePack_by_xetrin.tmp
2340	Wallpaper_Engine_v2.5.28_RePack_by_xetrin.tmp
2340	Wallpaper_Engine_v2.5.28_RePack_by_xetrin.tmp
2340	Wallpaper_Engine_v2.5.28_RePack_by_xetrin.tmp
2340	Wallpaper_Engine_v2.5.28_RePack_by_xetrin.tmp

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2340	Wallpaper_Engine_v2.5.28_RePack_by_xetrin.tmp
2340	Wallpaper_Engine_v2.5.28_RePack_by_xetrin.tmp

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 4700	2484	cmd.exe	83
PID 2484 wrote to memory of 4700	2484	cmd.exe	83
PID 2484 wrote to memory of 3720	2484	cmd.exe	84
PID 2484 wrote to memory of 3720	2484	cmd.exe	84
PID 2484 wrote to memory of 4576	2484	cmd.exe	85
PID 2484 wrote to memory of 4576	2484	cmd.exe	85
PID 2484 wrote to memory of 3284	2484	cmd.exe	86
PID 2484 wrote to memory of 3284	2484	cmd.exe	86
PID 2484 wrote to memory of 3284	2484	cmd.exe	86
PID 3284 wrote to memory of 2340	3284	Wallpaper_Engine_v2.5.28_RePack_by_xetrin.exe	87
PID 3284 wrote to memory of 2340	3284	Wallpaper_Engine_v2.5.28_RePack_by_xetrin.exe	87
PID 3284 wrote to memory of 2340	3284	Wallpaper_Engine_v2.5.28_RePack_by_xetrin.exe	87

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Silent Installing x64.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Windows\system32\mode.com
  mode con:cols=145 lines=15
  2⤵
  PID:4700
- C:\Windows\system32\reg.exe
  reg add hkcu\software\classes\.Admin\shell\runas\command /f /ve /d "cmd /x /d /r set \"f0=%2\" &call \"%2\" %3"
  2⤵
  - Access Token Manipulation: Create Process with Token
  - Modifies registry class
  - Modifies registry key
  PID:3720
- C:\Windows\system32\fltMC.exe
  fltmc
  2⤵
  PID:4576
- C:\Users\Admin\AppData\Local\Temp\Wallpaper_Engine_v2.5.28_RePack_by_xetrin.exe
  "C:\Users\Admin\AppData\Local\Temp\Wallpaper_Engine_v2.5.28_RePack_by_xetrin.exe" /X64 /VERYSILENT
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3284
- - C:\Users\Admin\AppData\Local\Temp\is-QO3M0.tmp\Wallpaper_Engine_v2.5.28_RePack_by_xetrin.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-QO3M0.tmp\Wallpaper_Engine_v2.5.28_RePack_by_xetrin.tmp" /SL5="$5027A,168019810,261120,C:\Users\Admin\AppData\Local\Temp\Wallpaper_Engine_v2.5.28_RePack_by_xetrin.exe" /X64 /VERYSILENT
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2340
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 888
      4⤵
      Program crash
      PID:2460
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2340 -s 888
      4⤵
      Program crash
      PID:4168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2340 -ip 2340
1⤵
PID:3924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2340 -ip 2340
1⤵
PID:4864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Defense Evasion

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-KKDVS.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QO3M0.tmp\Wallpaper_Engine_v2.5.28_RePack_by_xetrin.tmp

Filesize
3.9MB

MD5
848b24f1b76decdb88171c832513e206

SHA1
92cc0f8d2a7576140276a043fa5783746584c6fc

SHA256
43f18653a4ce3ed5ba0a5290bbb830d1cb254f8f2737e71780ca6d3f00ecedb8

SHA512
3ba654d88dfac74922bfddcf0761cc0073f58cbf29c0fbd559c719dae56c04889783b6bc15276560a1ff0a6780ca0f7c5c40ce98074db12978e09d3a91957bc8

Download Submit
memory/2340-7-0x0000000002770000-0x00000000028B0000-memory.dmp

Filesize
1.2MB

Download
memory/2340-9-0x0000000000400000-0x0000000000809000-memory.dmp

Filesize
4.0MB

Download
memory/2340-8-0x0000000002770000-0x00000000028B0000-memory.dmp

Filesize
1.2MB

Download
memory/2340-6-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

Filesize
4KB

Download
memory/2340-11-0x0000000002770000-0x00000000028B0000-memory.dmp

Filesize
1.2MB

Download
memory/2340-12-0x0000000002770000-0x00000000028B0000-memory.dmp

Filesize
1.2MB

Download
memory/2340-18-0x0000000002770000-0x00000000028B0000-memory.dmp

Filesize
1.2MB

Download
memory/2340-33-0x0000000002770000-0x00000000028B0000-memory.dmp

Filesize
1.2MB

Download
memory/2340-29-0x0000000002770000-0x00000000028B0000-memory.dmp

Filesize
1.2MB

Download
memory/2340-26-0x0000000002770000-0x00000000028B0000-memory.dmp

Filesize
1.2MB

Download
memory/2340-24-0x0000000002770000-0x00000000028B0000-memory.dmp

Filesize
1.2MB

Download
memory/2340-23-0x0000000002770000-0x00000000028B0000-memory.dmp

Filesize
1.2MB

Download
memory/2340-22-0x00000000030E0000-0x00000000030E1000-memory.dmp

Filesize
4KB

Download
memory/2340-20-0x0000000002770000-0x00000000028B0000-memory.dmp

Filesize
1.2MB

Download
memory/2340-19-0x00000000030D0000-0x00000000030D1000-memory.dmp

Filesize
4KB

Download
memory/2340-17-0x0000000002770000-0x00000000028B0000-memory.dmp

Filesize
1.2MB

Download
memory/2340-16-0x00000000030C0000-0x00000000030C1000-memory.dmp

Filesize
4KB

Download
memory/2340-21-0x0000000002770000-0x00000000028B0000-memory.dmp

Filesize
1.2MB

Download
memory/2340-13-0x00000000030B0000-0x00000000030B1000-memory.dmp

Filesize
4KB

Download
memory/2340-15-0x0000000002770000-0x00000000028B0000-memory.dmp

Filesize
1.2MB

Download
memory/2340-14-0x0000000002770000-0x00000000028B0000-memory.dmp

Filesize
1.2MB

Download
memory/2340-10-0x00000000030A0000-0x00000000030A1000-memory.dmp

Filesize
4KB

Download
memory/2340-32-0x0000000002770000-0x00000000028B0000-memory.dmp

Filesize
1.2MB

Download
memory/2340-38-0x0000000002770000-0x00000000028B0000-memory.dmp

Filesize
1.2MB

Download
memory/2340-42-0x0000000002770000-0x00000000028B0000-memory.dmp

Filesize
1.2MB

Download
memory/2340-55-0x00000000038A0000-0x00000000038A1000-memory.dmp

Filesize
4KB

Download
memory/2340-66-0x0000000002770000-0x00000000028B0000-memory.dmp

Filesize
1.2MB

Download
memory/2340-54-0x0000000002770000-0x00000000028B0000-memory.dmp

Filesize
1.2MB

Download
memory/2340-80-0x0000000000400000-0x0000000000809000-memory.dmp

Filesize
4.0MB

Download
memory/2340-65-0x0000000002770000-0x00000000028B0000-memory.dmp

Filesize
1.2MB

Download
memory/2340-64-0x00000000038D0000-0x00000000038D1000-memory.dmp

Filesize
4KB

Download
memory/2340-63-0x0000000002770000-0x00000000028B0000-memory.dmp

Filesize
1.2MB

Download
memory/2340-62-0x0000000002770000-0x00000000028B0000-memory.dmp

Filesize
1.2MB

Download
memory/2340-61-0x00000000038C0000-0x00000000038C1000-memory.dmp

Filesize
4KB

Download
memory/2340-60-0x0000000002770000-0x00000000028B0000-memory.dmp

Filesize
1.2MB

Download
memory/2340-59-0x0000000002770000-0x00000000028B0000-memory.dmp

Filesize
1.2MB

Download
memory/2340-58-0x00000000038B0000-0x00000000038B1000-memory.dmp

Filesize
4KB

Download
memory/2340-57-0x0000000002770000-0x00000000028B0000-memory.dmp

Filesize
1.2MB

Download
memory/2340-56-0x0000000002770000-0x00000000028B0000-memory.dmp

Filesize
1.2MB

Download
memory/2340-53-0x0000000002770000-0x00000000028B0000-memory.dmp

Filesize
1.2MB

Download
memory/2340-52-0x0000000003890000-0x0000000003891000-memory.dmp

Filesize
4KB

Download
memory/2340-51-0x0000000002770000-0x00000000028B0000-memory.dmp

Filesize
1.2MB

Download
memory/2340-50-0x0000000002770000-0x00000000028B0000-memory.dmp

Filesize
1.2MB

Download
memory/2340-49-0x0000000003880000-0x0000000003881000-memory.dmp

Filesize
4KB

Download
memory/2340-48-0x0000000002770000-0x00000000028B0000-memory.dmp

Filesize
1.2MB

Download
memory/2340-47-0x0000000002770000-0x00000000028B0000-memory.dmp

Filesize
1.2MB

Download
memory/2340-46-0x0000000003870000-0x0000000003871000-memory.dmp

Filesize
4KB

Download
memory/2340-45-0x0000000002770000-0x00000000028B0000-memory.dmp

Filesize
1.2MB

Download
memory/2340-43-0x0000000003860000-0x0000000003861000-memory.dmp

Filesize
4KB

Download
memory/2340-41-0x0000000002770000-0x00000000028B0000-memory.dmp

Filesize
1.2MB

Download
memory/2340-40-0x0000000003850000-0x0000000003851000-memory.dmp

Filesize
4KB

Download
memory/2340-37-0x0000000003840000-0x0000000003841000-memory.dmp

Filesize
4KB

Download
memory/2340-36-0x0000000002770000-0x00000000028B0000-memory.dmp

Filesize
1.2MB

Download
memory/2340-35-0x0000000002770000-0x00000000028B0000-memory.dmp

Filesize
1.2MB

Download
memory/2340-34-0x0000000003830000-0x0000000003831000-memory.dmp

Filesize
4KB

Download
memory/2340-44-0x0000000002770000-0x00000000028B0000-memory.dmp

Filesize
1.2MB

Download
memory/2340-39-0x0000000002770000-0x00000000028B0000-memory.dmp

Filesize
1.2MB

Download
memory/2340-31-0x0000000003820000-0x0000000003821000-memory.dmp

Filesize
4KB

Download
memory/2340-30-0x0000000002770000-0x00000000028B0000-memory.dmp

Filesize
1.2MB

Download
memory/2340-28-0x0000000003810000-0x0000000003811000-memory.dmp

Filesize
4KB

Download
memory/2340-27-0x0000000002770000-0x00000000028B0000-memory.dmp

Filesize
1.2MB

Download
memory/2340-25-0x0000000003800000-0x0000000003801000-memory.dmp

Filesize
4KB

Download
memory/3284-0-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3284-2-0x0000000000401000-0x000000000041B000-memory.dmp

Filesize
104KB

Download
memory/3284-83-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download