8b46861abb7266c798b27cd6e4cc95e6e81215870128f892236b7a27dfb02b74

General

Target

SilentSetup.cmd
Size

471B
MD5

7d6a53b4ede015a95c460b357de3a452
SHA1

02f301492eb96d44c285b967f1e34646b6b68a14
SHA256

206661f36abed6395524213eced38ff12a12c58f643efc77cbbbb0fe46a02dfe
SHA512

6c3eb0b1907654cdb19f8405f2677e9607c9e7b00474ce10728409a0d4ab8986386bcad14f4cc07f6f99e6e4f7f30c81c09c42d8cdfa03f4a885bf150dc3aecf

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
164	WinaeroTweaker-1.63.0.0-setup.tmp

Loads dropped DLL 1 IoCs

pid	Process
164	WinaeroTweaker-1.63.0.0-setup.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Winaero Tweaker\WinaeroControls.dll	WinaeroTweaker-1.63.0.0-setup.tmp
File opened for modification	C:\Program Files\Winaero Tweaker\WinaeroTweaker.exe	WinaeroTweaker-1.63.0.0-setup.tmp
File opened for modification	C:\Program Files\Winaero Tweaker\WinaeroTweaker_x86_64.dll	WinaeroTweaker-1.63.0.0-setup.tmp
File opened for modification	C:\Program Files\Winaero Tweaker\Elevator.exe	WinaeroTweaker-1.63.0.0-setup.tmp
File created	C:\Program Files\Winaero Tweaker\is-9JBCS.tmp	WinaeroTweaker-1.63.0.0-setup.tmp
File created	C:\Program Files\Winaero Tweaker\is-C9LL7.tmp	WinaeroTweaker-1.63.0.0-setup.tmp
File opened for modification	C:\Program Files\Winaero Tweaker\unins000.dat	WinaeroTweaker-1.63.0.0-setup.tmp
File opened for modification	C:\Program Files\Winaero Tweaker\WinaeroTweakerHelper.exe	WinaeroTweaker-1.63.0.0-setup.tmp
File created	C:\Program Files\Winaero Tweaker\unins000.dat	WinaeroTweaker-1.63.0.0-setup.tmp
File created	C:\Program Files\Winaero Tweaker\is-I0K15.tmp	WinaeroTweaker-1.63.0.0-setup.tmp
File created	C:\Program Files\Winaero Tweaker\is-4QJS0.tmp	WinaeroTweaker-1.63.0.0-setup.tmp
File created	C:\Program Files\Winaero Tweaker\is-JVF1U.tmp	WinaeroTweaker-1.63.0.0-setup.tmp
File created	C:\Program Files\Winaero Tweaker\is-US4LK.tmp	WinaeroTweaker-1.63.0.0-setup.tmp
File created	C:\Program Files\Winaero Tweaker\is-3KU8B.tmp	WinaeroTweaker-1.63.0.0-setup.tmp
File opened for modification	C:\Program Files\Winaero Tweaker\WinaeroTweaker_i386.dll	WinaeroTweaker-1.63.0.0-setup.tmp
File created	C:\Program Files\Winaero Tweaker\is-HEKHM.tmp	WinaeroTweaker-1.63.0.0-setup.tmp
File created	C:\Program Files\Winaero Tweaker\is-MAKM1.tmp	WinaeroTweaker-1.63.0.0-setup.tmp
File opened for modification	C:\Program Files\Winaero Tweaker\no_tab_explorer.exe	WinaeroTweaker-1.63.0.0-setup.tmp
File created	C:\Program Files\Winaero Tweaker\is-9ESSM.tmp	WinaeroTweaker-1.63.0.0-setup.tmp
File created	C:\Program Files\Winaero Tweaker\is-JQ5UU.tmp	WinaeroTweaker-1.63.0.0-setup.tmp
File created	C:\Program Files\Winaero Tweaker\is-5RDM6.tmp	WinaeroTweaker-1.63.0.0-setup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinaeroTweaker-1.63.0.0-setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinaeroTweaker-1.63.0.0-setup.tmp

Kills process with taskkill 2 IoCs

evasion

pid	Process
1864	taskkill.exe
3708	taskkill.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
164	WinaeroTweaker-1.63.0.0-setup.tmp
164	WinaeroTweaker-1.63.0.0-setup.tmp

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3708	taskkill.exe
Token: SeDebugPrivilege	1864	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
164	WinaeroTweaker-1.63.0.0-setup.tmp

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4140 wrote to memory of 2400	4140	cmd.exe	74
PID 4140 wrote to memory of 2400	4140	cmd.exe	74
PID 4140 wrote to memory of 2400	4140	cmd.exe	74
PID 2400 wrote to memory of 164	2400	WinaeroTweaker-1.63.0.0-setup.exe	75
PID 2400 wrote to memory of 164	2400	WinaeroTweaker-1.63.0.0-setup.exe	75
PID 2400 wrote to memory of 164	2400	WinaeroTweaker-1.63.0.0-setup.exe	75
PID 164 wrote to memory of 952	164	WinaeroTweaker-1.63.0.0-setup.tmp	76
PID 164 wrote to memory of 952	164	WinaeroTweaker-1.63.0.0-setup.tmp	76
PID 164 wrote to memory of 952	164	WinaeroTweaker-1.63.0.0-setup.tmp	76
PID 164 wrote to memory of 2176	164	WinaeroTweaker-1.63.0.0-setup.tmp	77
PID 164 wrote to memory of 2176	164	WinaeroTweaker-1.63.0.0-setup.tmp	77
PID 164 wrote to memory of 2176	164	WinaeroTweaker-1.63.0.0-setup.tmp	77
PID 952 wrote to memory of 1864	952	cmd.exe	80
PID 952 wrote to memory of 1864	952	cmd.exe	80
PID 952 wrote to memory of 1864	952	cmd.exe	80
PID 2176 wrote to memory of 3708	2176	cmd.exe	81
PID 2176 wrote to memory of 3708	2176	cmd.exe	81
PID 2176 wrote to memory of 3708	2176	cmd.exe	81

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\SilentSetup.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:4140
- C:\Users\Admin\AppData\Local\Temp\WinaeroTweaker-1.63.0.0-setup.exe
  WinaeroTweaker-1.63.0.0-setup.exe /SP- /VERYSILENT
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Users\Admin\AppData\Local\Temp\is-3QJG3.tmp\WinaeroTweaker-1.63.0.0-setup.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-3QJG3.tmp\WinaeroTweaker-1.63.0.0-setup.tmp" /SL5="$402DA,5100998,832000,C:\Users\Admin\AppData\Local\Temp\WinaeroTweaker-1.63.0.0-setup.exe" /SP- /VERYSILENT
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:164
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im winaerotweaker.exe /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:952
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im winaerotweaker.exe /f
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1864
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c taskkill /im winaerotweakerhelper.exe /f
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2176
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im winaerotweakerhelper.exe /f
        5⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Winaero Tweaker\WinaeroTweaker.exe

Filesize
5.2MB

MD5
99c3342a209d92e537879699108f8288

SHA1
58ebfcc943cc6abd064dd176f79a1e8fa04759ed

SHA256
bd2eb1ade28a7a3023b8e96ea1d44c82c7df50fcbac460c63c05ab11d7849bb4

SHA512
76b1a5c27f724297f247c32b40c7c05f0afde0f19aba31199f7b82ea5b0b52b97bb718eb757352c35d9683162d94486c888a04ffe5d2d6de1e072b090de14dc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-3QJG3.tmp\WinaeroTweaker-1.63.0.0-setup.tmp

Filesize
3.0MB

MD5
1f8bc6b583179090e759faa5b1c97430

SHA1
d8ac7e18aa560acb861b37b13ae5622633bd7830

SHA256
e960ecec070425603934a878e09329edc9a44f2112bfb90e84b162a654074a67

SHA512
72244fa43407ae2f88d00cdfa3d8ccdc8da0ea663eb60dbfd37ea355a01f861559cfe20801c1f6898792b9d59d8c265cc941bafcc6ca1dd1c1f37bf23f2f695b

Download Submit
\Users\Admin\AppData\Local\Temp\is-5U36G.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
memory/164-6-0x0000000000400000-0x0000000000713000-memory.dmp

Filesize
3.1MB

Download
memory/164-53-0x0000000000400000-0x0000000000713000-memory.dmp

Filesize
3.1MB

Download
memory/2400-0-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/2400-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/2400-54-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download

Analysis

Sharing