Analysis
max time kernel: 130s
max time network: 120s
platform: windows10-1703_x64
resource: win10-20240404-en
resource tags: arch:x64 arch:x86 image:win10-20240404-en locale:en-us os:windows10-1703-x64 system
submitted: 03-08-2024 12:33
Static task: static1
Behavioral task: behavioral1
Sample: iplasetup.exe
Resource: win10-20240404-en
Behavioral task: behavioral2
Sample: $TEMP.dll
Resource: win10-20240404-en
General
Target: iplasetup.exe
Size: 39.8MB
MD5: e872bca75b21b9fd7ea0ccd762d399d9
SHA1: aac2a9bf68f87fc237ac121085328071e108ed2a
SHA256: 26af88cdc77ebe6ae1ac8d015658b05d93df4a4504ae6ab61919008e891d22af
SHA512: 3bc06f126d92bbd6e8f8f19a90632ba9e0b3232a62ec94db021ffa987efe48c63df671ad47805e43f5878916a1f7ec8ede5808d38cb641737ebcbad1c62535ef
SSDEEP: 786432:2aiqD9o7TuCV0GvGEpjWWHAxsD8TgdyCCD06KsEKjwUzAqhyNjg797+zr2sZW:2ko7J5eoE4WqTm0ABwY7hy9gp7+X2sk
Malware Config
Signatures
Detects Strela Stealer payload 1 IoCs
resource | yara_rule
behavioral1/files/0x000700000001ac0f-16.dat | family_strela
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
resource | yara_rule
behavioral1/files/0x000700000001acbd-1070.dat | acprotect
Executes dropped EXE 2 IoCs
pid | Process
1788 | enumsplitters.exe
1404 | ipla.exe
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
description | ioc | Process
Key opened | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\WINE | ipla.exe
Loads dropped DLL 47 IoCs
pid | Process
4376 | iplasetup.exe
4376 | iplasetup.exe
4376 | iplasetup.exe
4376 | iplasetup.exe
4376 | iplasetup.exe
4376 | iplasetup.exe
4376 | iplasetup.exe
4376 | iplasetup.exe
4376 | iplasetup.exe
4376 | iplasetup.exe
4376 | iplasetup.exe
4376 | iplasetup.exe
4376 | iplasetup.exe
4376 | iplasetup.exe
4376 | iplasetup.exe
4376 | iplasetup.exe
4376 | iplasetup.exe
4376 | iplasetup.exe
4376 | iplasetup.exe
4376 | iplasetup.exe
4376 | iplasetup.exe
4376 | iplasetup.exe
4376 | iplasetup.exe
4376 | iplasetup.exe
4376 | iplasetup.exe
4376 | iplasetup.exe
4376 | iplasetup.exe
4376 | iplasetup.exe
4376 | iplasetup.exe
4376 | iplasetup.exe
4376 | iplasetup.exe
4376 | iplasetup.exe
4376 | iplasetup.exe
4376 | iplasetup.exe
4376 | iplasetup.exe
1404 | ipla.exe
1404 | ipla.exe
1404 | ipla.exe
1404 | ipla.exe
1404 | ipla.exe
1404 | ipla.exe
1404 | ipla.exe
1404 | ipla.exe
1404 | ipla.exe
1404 | ipla.exe
1404 | ipla.exe
1404 | ipla.exe
resource | yara_rule
behavioral1/files/0x000700000001acbd-1070.dat | upx
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Run\IPLA! = "C:\\Program Files (x86)\\ipla\\ipla.exe /autorun" | iplasetup.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in System32 directory 2 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\msvcr71.dll | iplasetup.exe
File created | C:\Windows\SysWOW64\mfc71.dll | iplasetup.exe
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
description | ioc | Process
File opened (read-only) | \??\VBoxMiniRdrDN | ipla.exe
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\ipla\Images\Emoticons\Love.png | iplasetup.exe
File created | C:\Program Files (x86)\ipla\Images\Emoticons\Punk.png | iplasetup.exe
File created | C:\Program Files (x86)\ipla\Sounds\LoginSuccess.wav | iplasetup.exe
File created | C:\Program Files (x86)\ipla\Licencje\mersenne_twister.txt | iplasetup.exe
File created | C:\Program Files (x86)\ipla\mfc90u.dll | iplasetup.exe
File created | C:\Program Files (x86)\ipla\images\icons\m2v.ico | iplasetup.exe
File created | C:\Program Files (x86)\ipla\Images\Emoticons\Gol.png | iplasetup.exe
File created | C:\Program Files (x86)\ipla\Images\Emoticons\Surprised.png | iplasetup.exe
File created | C:\Program Files (x86)\ipla\Images\trayicons\settings.png | iplasetup.exe
File created | C:\Program Files (x86)\ipla\autodel.bat | iplasetup.exe
File created | C:\Program Files (x86)\ipla\ssleay32.dll | iplasetup.exe
File created | C:\Program Files (x86)\ipla\images\icons\mpa.ico | iplasetup.exe
File opened for modification | C:\Program Files (x86)\ipla\Images\Icons\avi.ico | iplasetup.exe
File opened for modification | C:\Program Files (x86)\ipla\Images\Icons\flv.ico | iplasetup.exe
File opened for modification | C:\Program Files (x86)\ipla\Images\Icons\wmv.ico | iplasetup.exe
File created | C:\Program Files (x86)\ipla\Images\trayicons\logout.png | iplasetup.exe
File created | C:\Program Files (x86)\ipla\avutil-54.dll | iplasetup.exe
File created | C:\Program Files (x86)\ipla\Licencje\c-ares.txt | iplasetup.exe
File created | C:\Program Files (x86)\ipla\images\icons\mpe.ico | iplasetup.exe
File created | C:\Program Files (x86)\ipla\Images\Emoticons\ipla_emo_walizka.png | iplasetup.exe
File created | C:\Program Files (x86)\ipla\Images\Emoticons\new_emo_confused.png | iplasetup.exe
File created | C:\Program Files (x86)\ipla\swscale-3.dll | iplasetup.exe
File created | C:\Program Files (x86)\ipla\icudtl.dat | iplasetup.exe
File created | C:\Program Files (x86)\ipla\Licencje\xmlParser.txt | iplasetup.exe
File opened for modification | C:\Program Files (x86)\ipla\Images\Icons\rm.ico | iplasetup.exe
File created | C:\Program Files (x86)\ipla\images\icons\3gp.ico | iplasetup.exe
File created | C:\Program Files (x86)\ipla\images\icons\custom.ico | iplasetup.exe
File created | C:\Program Files (x86)\ipla\images\icons\rmvb.ico | iplasetup.exe
File created | C:\Program Files (x86)\ipla\Images\LogoBig.png | iplasetup.exe
File created | C:\Program Files (x86)\ipla\Images\Emoticons\Annoyed.png | iplasetup.exe
File created | C:\Program Files (x86)\ipla\Images\Emoticons\Santaclaus.png | iplasetup.exe
File opened for modification | C:\Program Files (x86)\ipla\Images\Icons\mov.ico | iplasetup.exe
File created | C:\Program Files (x86)\ipla\images\icons\mp4.ico | iplasetup.exe
File opened for modification | C:\Program Files (x86)\ipla\Images\Icons\mpe.ico | iplasetup.exe
File created | C:\Program Files (x86)\ipla\ipla.exe | iplasetup.exe
File created | C:\Program Files (x86)\ipla\cef_100_percent.pak | iplasetup.exe
File created | C:\Program Files (x86)\ipla\Licencje\OpenSSL.txt | iplasetup.exe
File created | C:\Program Files (x86)\ipla\Microsoft.VC90.CRT.manifest | iplasetup.exe
File created | C:\Program Files (x86)\ipla\libeay32.dll | iplasetup.exe
File created | C:\Program Files (x86)\ipla\images\icons\flv.ico | iplasetup.exe
File created | C:\Program Files (x86)\ipla\Images\Empty.png | iplasetup.exe
File created | C:\Program Files (x86)\ipla\Images\trayicons\StatusInvisibleM.png | iplasetup.exe
File created | C:\Program Files (x86)\ipla\Images\AvatarFemale.png | iplasetup.exe
File created | C:\Program Files (x86)\ipla\Images\Progress.mng | iplasetup.exe
File created | C:\Program Files (x86)\ipla\Images\Emoticons\Champaign.png | iplasetup.exe
File created | C:\Program Files (x86)\ipla\Images\Emoticons\ipla_emo_czapeczka.png | iplasetup.exe
File opened for modification | C:\Program Files (x86)\ipla\Images\Icons\mpa.ico | iplasetup.exe
File created | C:\Program Files (x86)\ipla\Sounds\authorization.wav | iplasetup.exe
File created | C:\Program Files (x86)\ipla\Licencje\IPLA.rtf | iplasetup.exe
File created | C:\Program Files (x86)\ipla\Images\Emoticons\new_emo_kiss.png | iplasetup.exe
File created | C:\Program Files (x86)\ipla\Images\Emoticons\Up.png | iplasetup.exe
File created | C:\Program Files (x86)\ipla\Images\trayicons\StatusAwayM.png | iplasetup.exe
File created | C:\Program Files (x86)\ipla\Images\Emoticons\Bored.png | iplasetup.exe
File created | C:\Program Files (x86)\ipla\Images\Emoticons\ipla_emo_okulary_v2.png | iplasetup.exe
File created | C:\Program Files (x86)\ipla\Images\trayicons\StatusBusyM.png | iplasetup.exe
File created | C:\Program Files (x86)\ipla\Images\trayicons\StatusDoNotDisturbM.png | iplasetup.exe
File created | C:\Program Files (x86)\ipla\jabberoo.dll | iplasetup.exe
File created | C:\Program Files (x86)\ipla\iplamk.ocx | iplasetup.exe
File created | C:\Program Files (x86)\ipla\images\icons\wmv.ico | iplasetup.exe
File created | C:\Program Files (x86)\ipla\Images\ProgressSmall.mng | iplasetup.exe
File created | C:\Program Files (x86)\ipla\Images\Emoticons\ipla_emo_okulary_v1.png | iplasetup.exe
File created | C:\Program Files (x86)\ipla\Images\Emoticons\new_emo_mily.png | iplasetup.exe
File opened for modification | C:\Program Files (x86)\ipla\Images\Icons\rmvb.ico | iplasetup.exe
File created | C:\Program Files (x86)\ipla\MediaFileScanner.dll | iplasetup.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | iplasetup.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | enumsplitters.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ipla.exe
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | ipla.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | ipla.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | ipla.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | iplasetup.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | iplasetup.exe
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | ipla.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | ipla.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | ipla.exe
Modifies registry class 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IplaVideo.MKA\ = "Plik MKA" | iplasetup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IplaVideo.MPE\Shell\open\ | iplasetup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2333EB16-E7A7-4DA8-A5B8-5F2F82A3D9A3}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} | iplasetup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\.3gp\IplaBackup = "VLC.3gp" | iplasetup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\.ipv\ = "IplaVideo.ipv" | iplasetup.exe
Key created | \REGISTRY\MACHINE\Software\Classes\IplaVideo.MKA\Shell | iplasetup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IplaVideo.MP4\Shell\open\ | iplasetup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IplaVideo.MPEG\Shell\open\ | iplasetup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2333EB16-E7A7-4DA8-A5B8-5F2F82A3D9A3}\ProgID\ = "IPLAMK.iplamkCtrl" | iplasetup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ipla\shell\open\command\ = "\"C:\\Program Files (x86)\\ipla\\IPLA.exe\" \"%1\"" | iplasetup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IplaVideo.3G2\Shell\ | iplasetup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IplaVideo.AVI\DefaultIcon\ = "C:\\Program Files (x86)\\ipla\\images\\icons\\AVI.ico" | iplasetup.exe
Key created | \REGISTRY\MACHINE\Software\Classes\IplaVideo.AVI\Shell\open | iplasetup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{195C2878-7CB7-4C69-B08B-D43D82441E65} | iplasetup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E658F60B-44C9-461E-8FDE-62E64E2F2DBC}\TypeLib | iplasetup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2333EB16-E7A7-4DA8-A5B8-5F2F82A3D9A3}\MiscStatus\ = "0" | iplasetup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ipla\shell\open | iplasetup.exe
Key created | \REGISTRY\MACHINE\Software\Classes\IplaVideo.MOV\Shell\open\command | iplasetup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IplaVideo.MPA\Shell\ | iplasetup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E658F60B-44C9-461E-8FDE-62E64E2F2DBC}\TypeLib\ = "{195C2878-7CB7-4C69-B08B-D43D82441E65}" | iplasetup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2333EB16-E7A7-4DA8-A5B8-5F2F82A3D9A3}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} | iplasetup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\.asf\IplaBackup = "VLC.asf" | iplasetup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IplaVideo\DefaultIcon\ = "C:\\Program Files (x86)\\ipla\\images\\icons\\custom.ico" | iplasetup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IplaVideo.ASF\Shell\open\ | iplasetup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IplaVideo.MOV\Shell\ | iplasetup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IplaVideo.MOV\Shell\open\command\ = "\"C:\\Program Files (x86)\\ipla\\ipla.exe\" \"%1\"" | iplasetup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IplaVideo.WMV\DefaultIcon\ = "C:\\Program Files (x86)\\ipla\\images\\icons\\WMV.ico" | iplasetup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{195C2878-7CB7-4C69-B08B-D43D82441E65}\1.0\HELPDIR | iplasetup.exe
Key created | \REGISTRY\MACHINE\Software\Classes\IplaVideo.MKA\Shell\open\command | iplasetup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IplaVideo.MPE\ = "Plik MPE" | iplasetup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IplaVideo.MPE\Shell\ | iplasetup.exe
Key created | \REGISTRY\MACHINE\Software\Classes\IplaVideo.MPEG\Shell\open | iplasetup.exe
Key created | \REGISTRY\MACHINE\Software\Classes\IplaVideo.MPEG\Shell\open\command | iplasetup.exe
Key created | \REGISTRY\MACHINE\Software\Classes\IplaVideo.RM\Shell | iplasetup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-ipla | iplasetup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IplaVideo.3GP\ = "Plik 3GP" | iplasetup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IplaVideo.AVI\Shell\ | iplasetup.exe
Key created | \REGISTRY\MACHINE\Software\Classes\IplaVideo.OGM\DefaultIcon | iplasetup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{195C2878-7CB7-4C69-B08B-D43D82441E65}\1.0\FLAGS\ = "2" | iplasetup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1527E1CB-A747-475F-9CF1-92289224977C}\ProxyStubClsid32 | iplasetup.exe
Key created | \REGISTRY\MACHINE\Software\Classes\IplaVideo.FLV | iplasetup.exe
Key created | \REGISTRY\MACHINE\Software\Classes\IplaVideo.M2V\Shell\open | iplasetup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1527E1CB-A747-475F-9CF1-92289224977C}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | iplasetup.exe
Key created | \REGISTRY\MACHINE\Software\Classes\IplaVideo.3GP\DefaultIcon | iplasetup.exe
Key created | \REGISTRY\MACHINE\Software\Classes\IplaVideo.MKA | iplasetup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IplaVideo.MKA\Shell\open\command\ = "\"C:\\Program Files (x86)\\ipla\\ipla.exe\" \"%1\"" | iplasetup.exe
Key created | \REGISTRY\MACHINE\Software\Classes\IplaVideo.RM\DefaultIcon | iplasetup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IplaVideo.RM\Shell\open\ | iplasetup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{195C2878-7CB7-4C69-B08B-D43D82441E65}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\ipla" | iplasetup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1527E1CB-A747-475F-9CF1-92289224977C} | iplasetup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2333EB16-E7A7-4DA8-A5B8-5F2F82A3D9A3}\MiscStatus\1\ = "131217" | iplasetup.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\.mkv\ = "IplaVideo.mkv" | iplasetup.exe
Key created | \REGISTRY\MACHINE\Software\Classes\IplaVideo.FLV\Shell\open\command | iplasetup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IplaVideo.MOV\ = "Plik MOV" | iplasetup.exe
Key created | \REGISTRY\MACHINE\Software\Classes\IplaVideo.MPA | iplasetup.exe
Key created | \REGISTRY\MACHINE\Software\Classes\IplaVideo.IPV\Shell\open\command | iplasetup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IplaVideo.MKA\Shell\ | iplasetup.exe
Key created | \REGISTRY\MACHINE\Software\Classes\IplaVideo.MP4 | iplasetup.exe
Key created | \REGISTRY\MACHINE\Software\Classes\IplaVideo.MPE\DefaultIcon | iplasetup.exe
Key created | \REGISTRY\MACHINE\Software\Classes\IplaVideo.MPG\DefaultIcon | iplasetup.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} | iplasetup.exe
Key created | \REGISTRY\MACHINE\Software\Classes\IplaVideo.3GP\Shell\open | iplasetup.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IplaVideo.3GP\Shell\open\ | iplasetup.exe
Key created | \REGISTRY\MACHINE\Software\Classes\IplaVideo.OGM\Shell\open\command | iplasetup.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid | Process
4376 | iplasetup.exe
4376 | iplasetup.exe
4376 | iplasetup.exe
4376 | iplasetup.exe
4376 | iplasetup.exe
4376 | iplasetup.exe
1404 | ipla.exe
1404 | ipla.exe
Suspicious use of FindShellTrayWindow 5 IoCs
pid | Process
1404 | ipla.exe
4376 | iplasetup.exe
1404 | ipla.exe
1404 | ipla.exe
1404 | ipla.exe
Suspicious use of SendNotifyMessage 3 IoCs
pid | Process
1404 | ipla.exe
1404 | ipla.exe
1404 | ipla.exe
Suspicious use of SetWindowsHookEx 7 IoCs
pid | Process
4376 | iplasetup.exe
4376 | iplasetup.exe
4376 | iplasetup.exe
4376 | iplasetup.exe
1404 | ipla.exe
1404 | ipla.exe
1404 | ipla.exe
Suspicious use of WriteProcessMemory 3 IoCs
description | pid | Process | procid_target
PID 4376 wrote to memory of 1788 | 4376 | iplasetup.exe | 73
PID 4376 wrote to memory of 1788 | 4376 | iplasetup.exe | 73
PID 4376 wrote to memory of 1788 | 4376 | iplasetup.exe | 73
Processes
C:\Users\Admin\AppData\Local\Temp\iplasetup.exe (PID 4376, depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\iplasetup.exe"
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\nsa7A61.tmp\enumsplitters.exe (PID 1788, depth 2, child of PID 4376)
  Command line: C:\Users\Admin\AppData\Local\Temp\nsa7A61.tmp\enumsplitters.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
C:\Program Files (x86)\ipla\ipla.exe (PID 1404, depth 1)
Command line: "C:\Program Files (x86)\ipla\ipla.exe"
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Checks for VirtualBox DLLs, possible anti-VM trick
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads