13b330290658229bf081416a24817c412b5e1685945566304495c91033f43241

General

Target

e47c5ddf575205ed07b00cc945c01c00N.exe
Size

10.0MB
MD5

e47c5ddf575205ed07b00cc945c01c00
SHA1

d1366790362400833116402e58d89b282930e513
SHA256

13b330290658229bf081416a24817c412b5e1685945566304495c91033f43241
SHA512

d55f9bef6d02eb90c27e2a710aee61c2dc13013d4a09dfdfdc6d11f068fee54944418b1c695f7fd217ebc5beee274399c7c554964c0f60f6cc0fe9772fb3bb6c
SSDEEP

196608:mLnDmHmHV48jtSYPW7cvAmhJu5FWgDo5kv6/ZQecUkM+lO2g54GE7PNfsTB+:8DZHV5RQ7cImh8HWrkv6hLCg54G8qo

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2160	inst.exe

Loads dropped DLL 3 IoCs

pid	Process
1984	e47c5ddf575205ed07b00cc945c01c00N.exe
2160	inst.exe
2160	inst.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	expand.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	expand.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	inst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e47c5ddf575205ed07b00cc945c01c00N.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2160	inst.exe
2160	inst.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 2260	1984	e47c5ddf575205ed07b00cc945c01c00N.exe	30
PID 1984 wrote to memory of 2260	1984	e47c5ddf575205ed07b00cc945c01c00N.exe	30
PID 1984 wrote to memory of 2260	1984	e47c5ddf575205ed07b00cc945c01c00N.exe	30
PID 1984 wrote to memory of 2260	1984	e47c5ddf575205ed07b00cc945c01c00N.exe	30
PID 1984 wrote to memory of 2160	1984	e47c5ddf575205ed07b00cc945c01c00N.exe	32
PID 1984 wrote to memory of 2160	1984	e47c5ddf575205ed07b00cc945c01c00N.exe	32
PID 1984 wrote to memory of 2160	1984	e47c5ddf575205ed07b00cc945c01c00N.exe	32
PID 1984 wrote to memory of 2160	1984	e47c5ddf575205ed07b00cc945c01c00N.exe	32
PID 1984 wrote to memory of 2160	1984	e47c5ddf575205ed07b00cc945c01c00N.exe	32
PID 1984 wrote to memory of 2160	1984	e47c5ddf575205ed07b00cc945c01c00N.exe	32
PID 1984 wrote to memory of 2160	1984	e47c5ddf575205ed07b00cc945c01c00N.exe	32

C:\Users\Admin\AppData\Local\Temp\e47c5ddf575205ed07b00cc945c01c00N.exe
"C:\Users\Admin\AppData\Local\Temp\e47c5ddf575205ed07b00cc945c01c00N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Windows\SysWOW64\expand.exe
  "C:\Windows\system32\expand.exe" "C:\Users\Admin\AppData\Local\Temp\QH1827.ins\init.cab" -F:* "C:\Users\Admin\AppData\Local\Temp\QH1827.ins"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2260
- C:\Users\Admin\AppData\Local\Temp\QH1827.ins\inst.exe
  C:\Users\Admin\AppData\Local\Temp\QH1827.ins\inst.exe /filesize=22883049
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\QH1827.ins\ofupdres.dll

Filesize
1.6MB

MD5
39acc1ed3952f84bb37c81ac2362379d

SHA1
c50256c318d7dbb44073eae55abdcb961b51a552

SHA256
3b3ec19c2551bb84afda3f7ada7e23b49fdd3e9bdada1c2728f402b7266ec659

SHA512
21bd141c447f9166de2419efe089b261aab5af3b6f68665da32f8f450123715c6ba52366cec1fa9ad498f398bfc9cf0e64507c95a9287192addc570639c2c59f

Download Submit
C:\Users\Admin\AppData\Local\Temp\QH1827.ins\qhofupdconf.ini

Filesize
808B

MD5
4d1db744485f50bee741abe7dc9d7bd9

SHA1
bde697b1c956869ec5bbcc8d5eaf614e45c19f2e

SHA256
16e2c1a2c7092b56fce90f01b29b5834475de3f3071933f219f3bd7a7f1096a8

SHA512
98213b86bf05ccb4c325132635bf4b1b03225b3e9b7b623e64eabe623b19acefafcbe1ed1a351194e6e71223d97493792ed88395b8c011bd6e7f0f3ef9e10b14

Download Submit
\??\c:\users\admin\appdata\local\temp\qh1827.ins\init.cab

Filesize
1.3MB

MD5
5e62889712145e5d3f11f026116d953f

SHA1
ac7a940be04796faf4fd03ba9ec6928024a758ab

SHA256
5416ff02ce947c60574f7d984f007f05025972e775702b442431cb0a36d61b8c

SHA512
b3319b733ff0edd18d1c98e93d62f5fc819489a3d5e5c7beab13f603d454d0efb7cb4e880f4d9cc2c9887e17c8f7b59c984fb130af5b5f52d9375012fbf2d649

Download Submit
\Users\Admin\AppData\Local\Temp\QH1827.ins\ctrllib.dll

Filesize
379KB

MD5
bcaaf43fe426c9b55d0ef0805d7a9401

SHA1
62bf79b8b5449c181ac81e7c88b5b10e37040137

SHA256
bc5d0389a9962de862df1241cb49b100385156b616d098c4d233d82bcf819e1a

SHA512
f5c727dd087d03ef4c569e63b4b0e41b72978269353b4aa0941283d0ad8831f499215a706ac77f76822eddf911fb4152b87065ad65884329f48e2c215b83f55a

Download Submit
\Users\Admin\AppData\Local\Temp\QH1827.ins\inst.exe

Filesize
263KB

MD5
2c36ac074b5d8fd5f4793841ebbe20c2

SHA1
cf07101e4e7e37c2648c5ebdf96045d71f28a41e

SHA256
0b9bb4b38044e776da88b4629021c2cae62ee078fe18196087b6c2ab5a7f2773

SHA512
3c2edd23187748620e748587c41d9310c90cc79ae3b3f3df765ec2d906efe9537b68e2874ffe033f905ca28c28058cf8988635126aedabb03b6ef0d8671d0bba

Download Submit

Analysis

Sharing