6dc7d7b67b3fd1a1c71c776420d4d96102653f4e26bd2fb2821f836b58444350

General

Target

GiAlbum_1.2/vcredist_x86/vcredist_x86.exe
Size

4.0MB
MD5

c0622ed3b105ac0e4c99e45db43f9589
SHA1

da383992ef6be194bc59384182ec2f8ba2948dc2
SHA256

1d1086f9867856594eb2f55ef6f0ad61818f5d7304cde7ddbb9f998d5c24a194
SHA512

a7d727a3b02655e0522fd351390775c6221dbf4955c00731d916dd798ce3a0e8817a90872baabccdf943f2c53802c513e937d6a56668a9a7ee1c40c7ba4b186d
SSDEEP

98304:gXEhwLmBFfL0BuPGttL5zekO76RwMixrhym5UuXrbcOtit:gXWwLmBFatnzekOpMixrh15UuXvkt

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2260	install.exe

Loads dropped DLL 2 IoCs

pid	Process
2296	vcredist_x86.exe
2260	install.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist_x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	install.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2260	install.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 2260	2296	vcredist_x86.exe	28
PID 2296 wrote to memory of 2260	2296	vcredist_x86.exe	28
PID 2296 wrote to memory of 2260	2296	vcredist_x86.exe	28
PID 2296 wrote to memory of 2260	2296	vcredist_x86.exe	28
PID 2296 wrote to memory of 2260	2296	vcredist_x86.exe	28
PID 2296 wrote to memory of 2260	2296	vcredist_x86.exe	28
PID 2296 wrote to memory of 2260	2296	vcredist_x86.exe	28

C:\Users\Admin\AppData\Local\Temp\GiAlbum_1.2\vcredist_x86\vcredist_x86.exe
"C:\Users\Admin\AppData\Local\Temp\GiAlbum_1.2\vcredist_x86\vcredist_x86.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2296
- \??\c:\f9f05442cd414335dbc1\install.exe
  c:\f9f05442cd414335dbc1\.\install.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\f9f05442cd414335dbc1\eula.1033.txt

Filesize
9KB

MD5
62f82dc664ac6e50f65f76eeb59a4a1a

SHA1
f7ee5b70758edff004f653c6eb32089e5c47dbf2

SHA256
923e129f15ee4d60582160c39160648299d2de315953540824970d2838f06b44

SHA512
efb738ebbc91f73453d06b3a891f78864db226769888e497d6ab63321a858918211b701890ae4b72682d19f5e2cd6d771b10759f180fc20f1fdec95c6b39e8c0

Download Submit
\??\c:\f9f05442cd414335dbc1\globdata.ini

Filesize
1KB

MD5
0a6b586fabd072bd7382b5e24194eac7

SHA1
60e3c7215c1a40fbfb3016d52c2de44592f8ca95

SHA256
7912e3fcf2698cf4f8625e563cd8215c6668739cae18bd6f27af2d25bec5c951

SHA512
b96b0448e9f0e94a7867b6bb103979e9ef2c0e074bcb85988d450d63de6edcf21dc83bb154aafb7de524af3c3734f0bb1ba649db0408612479322e1aa85be9f4

Download Submit
\??\c:\f9f05442cd414335dbc1\install.ini

Filesize
843B

MD5
0da9ab4977f3e7ba8c65734df42fdab6

SHA1
b4ed6eea276f1a7988112f3bde0bd89906237c3f

SHA256
672621b056188f8d3fa5ab8cd3df4f95530c962af9bb11cf7c9bd1127b3c3605

SHA512
1ef58271cdedbdc53615631cc823483f874c89c2d62e0678de9d469a82bd676eb8abd34656caa5128b7edb0eb24dbf0992e5e571a97f7782c933b2be88af3144

Download Submit
\??\c:\f9f05442cd414335dbc1\vc_red.msi

Filesize
228KB

MD5
ad35bad20a685af5c4338d88d5099057

SHA1
7de96ad7eac90154b53f74c9aa809f7d19acbd6c

SHA256
68b2b9dc469ba6a8260e8a46906e533f13000d386e17d8d9294725439b7d974f

SHA512
8687cafce5943623f25f25b5e08a1b03b212e7b30b04f37308d30dafd9df0450e321f037c21f3706387cafaad04b85e6c9d7b01f165c65e6d9ad0929a682dd6a

Download Submit
\??\c:\f9f05442cd414335dbc1\vcredist.bmp

Filesize
5KB

MD5
06fba95313f26e300917c6cea4480890

SHA1
31beee44776f114078fc403e405eaa5936c4bc3b

SHA256
594884a8006e24ad5b1578cd7c75aca21171bb079ebdc4f6518905bcf2237ba1

SHA512
7dca0f1ab5d3fd1ac8755142a7ca4d085bb0c2f12a7272e56159dadfa22da79ec8261815be71b9f5e7c32f6e8121ecb2443060f7db76feaf01eb193200e67dfd

Download Submit
\f9f05442cd414335dbc1\install.exe

Filesize
549KB

MD5
e8b4398587aaafa5ea6a6b7c085c5c8d

SHA1
b0f9932de85bcfbc5242f17782ee39f8ffe4f5ff

SHA256
bf7a2310d20fd9da0df9daaafd1e55168685d24a35d94c19e3667f53942d06d7

SHA512
43451648647b792134d54dd4289676182a902e591960c489a849a801368e8ead5a82b484983bf468e67312f732eb9334dcb6b602035ea9308751276917b61f6a

Download Submit
\f9f05442cd414335dbc1\install.res.1033.dll

Filesize
89KB

MD5
56a6fbda0ee4dcccd162abf3e252db2a

SHA1
be0a2670bd1825b809405c664acb31079481812e

SHA256
2425634e6462c70fd34e3a1c543fb333e8256aff2d8d85264e9142bba1a2991f

SHA512
f95ea2ef8dd3e0b722a51ea694d5f40bf9011cd54f1402714c8a98eb32e5bf11a2c76e999559e5c1b46ba1c8a467667c6c3130125312db9ee232eaf1d07aab64

Download Submit
memory/2260-35-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2260-38-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing