8b46861abb7266c798b27cd6e4cc95e6e81215870128f892236b7a27dfb02b74

General

Target

WinaeroTweaker-1.63.0.0-setup.exe
Size

5.7MB
MD5

df244a4909ab521e04df2306c026fc27
SHA1

2282c628e8191ced198c2aa21a623a2eda6e0431
SHA256

fabd429204db75e2ff9fe7fae5dc981b8c392be42a936273c99dcc41eeb0730d
SHA512

6609d199ffab65e84fa2f11d36c336465a79b3430f16305e57b46c07edcafac239c16f8bd76e5f08318d76fa294024017f9be21dad16145571727c550f37f279
SSDEEP

98304:nkLSlahKN+zztgHtfsTwFFF8yIn7t5J7BZAI6GzilpVSZpi8XiSzmItNUiTknrrv:c9hQS2HKik/tfgP+YutiSzmILUiTU6y7

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4064	WinaeroTweaker-1.63.0.0-setup.tmp

Loads dropped DLL 1 IoCs

pid	Process
4064	WinaeroTweaker-1.63.0.0-setup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinaeroTweaker-1.63.0.0-setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinaeroTweaker-1.63.0.0-setup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
2916	taskkill.exe
2188	taskkill.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2916	taskkill.exe
Token: SeDebugPrivilege	2188	taskkill.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3796 wrote to memory of 4064	3796	WinaeroTweaker-1.63.0.0-setup.exe	74
PID 3796 wrote to memory of 4064	3796	WinaeroTweaker-1.63.0.0-setup.exe	74
PID 3796 wrote to memory of 4064	3796	WinaeroTweaker-1.63.0.0-setup.exe	74
PID 4064 wrote to memory of 4988	4064	WinaeroTweaker-1.63.0.0-setup.tmp	75
PID 4064 wrote to memory of 4988	4064	WinaeroTweaker-1.63.0.0-setup.tmp	75
PID 4064 wrote to memory of 4988	4064	WinaeroTweaker-1.63.0.0-setup.tmp	75
PID 4064 wrote to memory of 4460	4064	WinaeroTweaker-1.63.0.0-setup.tmp	76
PID 4064 wrote to memory of 4460	4064	WinaeroTweaker-1.63.0.0-setup.tmp	76
PID 4064 wrote to memory of 4460	4064	WinaeroTweaker-1.63.0.0-setup.tmp	76
PID 4988 wrote to memory of 2916	4988	cmd.exe	79
PID 4988 wrote to memory of 2916	4988	cmd.exe	79
PID 4988 wrote to memory of 2916	4988	cmd.exe	79
PID 4460 wrote to memory of 2188	4460	cmd.exe	80
PID 4460 wrote to memory of 2188	4460	cmd.exe	80
PID 4460 wrote to memory of 2188	4460	cmd.exe	80

C:\Users\Admin\AppData\Local\Temp\WinaeroTweaker-1.63.0.0-setup.exe
"C:\Users\Admin\AppData\Local\Temp\WinaeroTweaker-1.63.0.0-setup.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3796
- C:\Users\Admin\AppData\Local\Temp\is-R1F3R.tmp\WinaeroTweaker-1.63.0.0-setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-R1F3R.tmp\WinaeroTweaker-1.63.0.0-setup.tmp" /SL5="$601FE,5100998,832000,C:\Users\Admin\AppData\Local\Temp\WinaeroTweaker-1.63.0.0-setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4064
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im winaerotweaker.exe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4988
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im winaerotweaker.exe /f
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2916
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im winaerotweakerhelper.exe /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4460
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im winaerotweakerhelper.exe /f
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-R1F3R.tmp\WinaeroTweaker-1.63.0.0-setup.tmp

Filesize
3.0MB

MD5
1f8bc6b583179090e759faa5b1c97430

SHA1
d8ac7e18aa560acb861b37b13ae5622633bd7830

SHA256
e960ecec070425603934a878e09329edc9a44f2112bfb90e84b162a654074a67

SHA512
72244fa43407ae2f88d00cdfa3d8ccdc8da0ea663eb60dbfd37ea355a01f861559cfe20801c1f6898792b9d59d8c265cc941bafcc6ca1dd1c1f37bf23f2f695b

Download Submit
\Users\Admin\AppData\Local\Temp\is-N3FJ9.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
memory/3796-0-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/3796-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/3796-11-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/4064-6-0x0000000000400000-0x0000000000713000-memory.dmp

Filesize
3.1MB

Download
memory/4064-12-0x0000000000400000-0x0000000000713000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing