Overview

overview

6

Static

static

3

EzExtractSetup.exe

windows11-21h2-x64

5

$PLUGINSDIR/INetC.dll

windows11-21h2-x64

3

$PLUGINSDI...in.dll

windows11-21h2-x64

3

$PLUGINSDI...em.dll

windows11-21h2-x64

3

$PLUGINSDI...st.exe

windows11-21h2-x64

6

$PLUGINSDI...em.dll

windows11-21h2-x64

3

GoogleUpdateSetup.exe

windows11-21h2-x64

4

$PLUGINSDI...gs.dll

windows11-21h2-x64

3

EzExtractP...ll.dll

windows11-21h2-x64

1

EzExtractProShell.dll

windows11-21h2-x64

5

EzExtractP...32.dll

windows11-21h2-x64

3

Analysis

  • max time kernel
    109s
  • max time network
    103s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    07/08/2024, 13:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    EzExtractSetup.exe

  • Size

    4.4MB

  • MD5

    7399ebe1e1b9c99f3cb4a2521d424384

  • SHA1

    7a560782421feb72b1e84f162cf0abd0809fda28

  • SHA256

    4704846c5605552a2573aeb62f176630fd2ba5498457420c3fb36a27cae6800f

  • SHA512

    80b6b5b2a93656211073560e3eb93063edec44d54a4346b64cab5898162936d3109e7d213d73a93e50ce3a20d163ce6f8eb27e3f31e72bae6c684e528413981d

  • SSDEEP

    98304:fH85t/nKfACE3rHQc6cdxaf3JZ4csu+VCnkcayYl:fKhKfTkAzfHnstVCkcayYl

Score
5/10
discoverypersistenceprivilege_escalation

Malware Config

Signatures

  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 5 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 16 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\EzExtractSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\EzExtractSetup.exe"
    1⤵
    • Drops file in Program Files directory
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1228
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe /s "C:\Program Files (x86)\EzExtractPro\EzExtractProShell32.dll"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:4220
    • C:\Windows\SysWOW64\regsvr32.exe
      C:\Windows\system32\regsvr32.exe /s "C:\Program Files (x86)\EzExtractPro\EzExtractProShell.dll"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1692
      • C:\Windows\system32\regsvr32.exe
        /s "C:\Program Files (x86)\EzExtractPro\EzExtractProShell.dll"
        3⤵
        • Loads dropped DLL
        • Modifies registry class
        PID:3784
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe" "C:\Program Files (x86)\EzExtractPro\EzExtractProApp.exe"
      2⤵
        PID:3520
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:3728
      • C:\Windows\explorer.exe
        C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
        1⤵
        • Suspicious use of WriteProcessMemory
        PID:1704
        • C:\Program Files (x86)\EzExtractPro\EzExtractProApp.exe
          "C:\Program Files (x86)\EzExtractPro\EzExtractProApp.exe"
          2⤵
          • Executes dropped EXE
          • Loads dropped DLL
          PID:2824
      • C:\Program Files (x86)\EzExtractPro\EzExtractProApp.exe
        "C:\Program Files (x86)\EzExtractPro\EzExtractProApp.exe"
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:1916
      • C:\Program Files (x86)\EzExtractPro\EzExtractProApp.exe
        "C:\Program Files (x86)\EzExtractPro\EzExtractProApp.exe"
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:2436
      • C:\Program Files (x86)\EzExtractPro\EzExtractProApp.exe
        "C:\Program Files (x86)\EzExtractPro\EzExtractProApp.exe"
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:1588

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\EzExtractPro\EzExtractProApp.exe
        Filesize

        881KB

        MD5

        3b67b6026237810356f5aefb373d2b15

        SHA1

        1a4d565f81195adb9c048f8eb7fa7d77018ee3d1

        SHA256

        554ef8f1d2b201421a53dbbf897fcbea20dbba9d6e8fa881ad0b52be60c11f5e

        SHA512

        4e4a7445b1580c2076174c336414d5918a3fc0afbb13d56d29bd1fc18ca114affad1ced06fd52624292012dff2b95a76b19f4e3f9940c2d9a333c290a95d4641

        Download Submit

      • C:\Program Files (x86)\EzExtractPro\EzExtractProCoreDll.dll
        Filesize

        1.9MB

        MD5

        ede6796697abfd295b96322048642a69

        SHA1

        d0e7aaa407c4576eee42032bf743e9194a9c21e7

        SHA256

        6f9b0b8e8d1efbe25b81b0676a5902ec97aac1bfdc84a1a2d1b58659eb44dc5d

        SHA512

        88daf23e91c542c7348aa5c0fd16d382ef2fa95d7d5f91a4d5e39cf5d5b361eeaf4f33fcb43a71b52e4cea20c2b9dcb2b4e909d7ca3e5ab0c6d569f672dd385f

        Download Submit

      • C:\Program Files (x86)\EzExtractPro\EzExtractProShell.dll
        Filesize

        167KB

        MD5

        968e162057c49c860813e465bfd3c2fa

        SHA1

        78e5b2e365a3cd7bd3f7fc4dfd9991568ee2ec8d

        SHA256

        08ccd848487f570175e3c5b8fa70b04ce30e3afb9f43b4105180e2eb079c85c6

        SHA512

        5c41164239607fd32393742943e588d461b8a1d276d9e8142929aa7a22b6f5a82a723b2fff0389ed84677cb9ea9cbf1d793a66d27c367b8f7b9909a242f94eec

        Download Submit

      • C:\Program Files (x86)\EzExtractPro\EzExtractProShell32.dll
        Filesize

        126KB

        MD5

        24be51bce468016e106b55b19a2cbc80

        SHA1

        c7e18c81ebe523a1fefd845c9f9e09b881fccd11

        SHA256

        2d3a1c7e0e6256344648a054bc5526d4804538fef9cc87efab9edb426bf1f4a6

        SHA512

        697d736f24b8e28db98885ad248048f43d6bf26237dc0e9651d37810d992fb2482cfd23a26d10164a2a30ad326fbbaca9390730ec498972cc91f673b77756859

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\EzExtractProApp.exe.log
        Filesize

        3KB

        MD5

        4c6eb2305444b1b8734d8c64122e5acf

        SHA1

        64e1006e834fcadd5d437753a0ff4491d5641262

        SHA256

        df2d9d39654ac8570f0708127e9b625442e58b329d9d39d3261924f35a8024f0

        SHA512

        d551db8c6b617a05cfc531923444a247bc440c8906eebb321199a4bf11531a894f1e11c583736f3b99607aa2b51c7d9de7f1e610a0eef5fb5a2ba22adee76c7f

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\nst81C5.tmp\INetC.dll
        Filesize

        25KB

        MD5

        40d7eca32b2f4d29db98715dd45bfac5

        SHA1

        124df3f617f562e46095776454e1c0c7bb791cc7

        SHA256

        85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9

        SHA512

        5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\nst81C5.tmp\NsisPlugin.dll
        Filesize

        280KB

        MD5

        1d0e98e6817a35237509731e1398b47a

        SHA1

        2690a72941f1641495a1cf51ebf5399987a74e5c

        SHA256

        23abc9395b36419700f31b507f13a189ec2eeb70c7e1a1fe9406c2b9e0728298

        SHA512

        5cf919baa11e3cdc3518a351e206a5dc84bb1beaf933194d27fb0a96edbc6b90a58106c45a357e8c7af9de815b4e74cf5e42a22bc91b5fac02bb386a6638d0ce

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\nst81C5.tmp\System.dll
        Filesize

        12KB

        MD5

        cff85c549d536f651d4fb8387f1976f2

        SHA1

        d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

        SHA256

        8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

        SHA512

        531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\nst81C5.tmp\modern-wizard.bmp
        Filesize

        25KB

        MD5

        cbe40fd2b1ec96daedc65da172d90022

        SHA1

        366c216220aa4329dff6c485fd0e9b0f4f0a7944

        SHA256

        3ad2dc318056d0a2024af1804ea741146cfc18cc404649a44610cbf8b2056cf2

        SHA512

        62990cb16e37b6b4eff6ab03571c3a82dcaa21a1d393c3cb01d81f62287777fb0b4b27f8852b5fa71bc975feab5baa486d33f2c58660210e115de7e2bd34ea63

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\nst81C5.tmp\nsDialogs.dll
        Filesize

        9KB

        MD5

        6c3f8c94d0727894d706940a8a980543

        SHA1

        0d1bcad901be377f38d579aafc0c41c0ef8dcefd

        SHA256

        56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

        SHA512

        2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

        Download Submit

      • C:\Users\Admin\AppData\Roaming\EzExtractProApp\EzExtractProAppConfig.json
        Filesize

        254B

        MD5

        9ccc10c5b64000d751fc039db637b91d

        SHA1

        5b258a1511433f9e2ce42f480f07c42ff86f5996

        SHA256

        a6f4a1aa3d61b7af4a1691d2d5dfb468ecf980cd065dfc44a987ab7c2bc480b4

        SHA512

        b242a4af4a49da6734c462adf46261ebd56fbfebb67dc309053e5a3f4846de90d6a9648aa57a98931400eb65436e5cf1e4f2f3bb08ebe708c9f6909f0b31d87f

        Download Submit

      • memory/1916-94-0x0000000020BC0000-0x0000000020D73000-memory.dmp

        Filesize

        1.7MB

        Download

      • memory/2436-86-0x00000000212D0000-0x00000000212E2000-memory.dmp

        Filesize

        72KB

        Download

      • memory/2436-90-0x0000000020210000-0x00000000203C3000-memory.dmp

        Filesize

        1.7MB

        Download

      • memory/2436-87-0x0000000021330000-0x000000002136C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/2824-63-0x0000000000800000-0x00000000008DE000-memory.dmp

        Filesize

        888KB

        Download

      • memory/2824-85-0x00000000205F0000-0x00000000207A3000-memory.dmp

        Filesize

        1.7MB

        Download

      • memory/2824-80-0x000000001C490000-0x000000001C49E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2824-79-0x00000000208D0000-0x0000000020908000-memory.dmp

        Filesize

        224KB

        Download

      • memory/2824-78-0x000000001C120000-0x000000001C128000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2824-64-0x000000001B7D0000-0x000000001B916000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2824-97-0x00000000205F0000-0x00000000207A3000-memory.dmp

        Filesize

        1.7MB

        Download