102dd3c800cb047fa756197d7253a7088d267ea3ac1a37663345d0f1628a677f

Analysis

max time kernel
135s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24-08-2024 10:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ExLoader_Installer.exe
Size

21.5MB
MD5

12be4d0a31f72a573a5a7040f8bd7222
SHA1

6204a09bf6312deb859a0c3c17fb7cdea478837f
SHA256

72f3e80d2de369de215ee50cc0bd2f9dc3405e75e0d4553637560ce75198339e
SHA512

228f59e0d10328486d540784e2260f99d20efa26370a9634ef5ccde79ef237bb93778a3746b96cc47ba75ba4e8c94f3bb48136b1a6a1d65963b143abd24a8832
SSDEEP

393216:1GHmVApOQNbTycz8RDsQJURbdrxaJy3lN+H0//goYI4q9qEME9CRd4tczuBH:gHDhfo3SRbQyH60woyuBzCsh

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	ExLoader_Installer.exe

Executes dropped EXE 1 IoCs

pid	Process
5000	ExLoader_Installer.exe

Loads dropped DLL 7 IoCs

pid	Process
5000	ExLoader_Installer.exe
5000	ExLoader_Installer.exe
5000	ExLoader_Installer.exe
5000	ExLoader_Installer.exe
5000	ExLoader_Installer.exe
5000	ExLoader_Installer.exe
5000	ExLoader_Installer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5000	ExLoader_Installer.exe
5000	ExLoader_Installer.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3528 wrote to memory of 5000	3528	ExLoader_Installer.exe	87
PID 3528 wrote to memory of 5000	3528	ExLoader_Installer.exe	87

C:\Users\Admin\AppData\Local\Temp\ExLoader_Installer.exe
"C:\Users\Admin\AppData\Local\Temp\ExLoader_Installer.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3528
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:5000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe

Filesize
183KB

MD5
5724f1bd7efbab4a6e940a3a270a6c58

SHA1
d4d80e3a99d99e6aa6234106803cc683c9cd4b7f

SHA256
84715cef3ad5a28a74a0095d634909e69d536a710f1bd384455d6f3cfb590a05

SHA512
6e1fd4e362781285d7cf81dc48df1a03270fc07651c1499d15d1f3bc22c90093a84e6234623199f6e4937b287693b86f55f5d24b684a31de4023ab1e419515ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\MSVCP140.dll

Filesize
559KB

MD5
c3d497b0afef4bd7e09c7559e1c75b05

SHA1
295998a6455cc230da9517408f59569ea4ed7b02

SHA256
1e57a6df9e3742e31a1c6d9bff81ebeeae8a7de3b45a26e5079d5e1cce54cd98

SHA512
d5c62fdac7c5ee6b2f84b9bc446d5b10ad1a019e29c653cfdea4d13d01072fdf8da6005ad4817044a86bc664d1644b98a86f31c151a3418be53eb47c1cfae386

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\VCRUNTIME140.dll

Filesize
116KB

MD5
e9b690fbe5c4b96871214379659dd928

SHA1
c199a4beac341abc218257080b741ada0fadecaf

SHA256
a06c9ea4f815dac75d2c99684d433fbfc782010fae887837a03f085a29a217e8

SHA512
00cf9b22af6ebbc20d1b9c22fc4261394b7d98ccad4823abc5ca6fdac537b43a00db5b3829c304a85738be5107927c0761c8276d6cb7f80e90f0a2c991dbcd8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\d3dcompiler_47.dll

Filesize
4.7MB

MD5
cb9807f6cf55ad799e920b7e0f97df99

SHA1
bb76012ded5acd103adad49436612d073d159b29

SHA256
5653bc7b0e2701561464ef36602ff6171c96bffe96e4c3597359cd7addcba88a

SHA512
f7c65bae4ede13616330ae46a197ebad106920dce6a31fd5a658da29ed1473234ca9e2b39cc9833ff903fb6b52ff19e39e6397fac02f005823ed366ca7a34f62

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\app.so

Filesize
13.5MB

MD5
632cb6d6c27cc4c704a0653be8a3862b

SHA1
e93e32eb980ded9dcabd7653a3e5c2cc2d9d7274

SHA256
2fb3bfd22062afb1ed80fb20ca154c3d0dbc6e921e3e7b010546f363c045e84b

SHA512
414cf45e996f140210285ba150b473c81b7671b96b2a2e54c5319b60abf9bcb6f0e7c75592a0f0964231ad8ef3bfae6653ff3a4dcdb30b8dc9a3a7f314394e04

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\AssetManifest.bin

Filesize
14KB

MD5
4e304eaf6a0fe86df52d2b7e269b37ba

SHA1
8ac2a261522eed0c8e8b42f248b809bc657cc704

SHA256
5ed623d8a439b6b4a3f85edd7970bbc47e8040a5379e999d80161b087b3c795d

SHA512
d51b943122c135b6ea56ebc7ce54dd2efd28a05cbdc7664d195e29cf2337b8ac0f4e0c442ba0f89f527404fa3930f50607083f69cffef41910883a9c33efc162

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\FontManifest.json

Filesize
413B

MD5
fb1230bb41c3c1290008b9e44059dd39

SHA1
66493d0f8a6a112d8376cd296b05c277b111dca1

SHA256
2429b610ba9010211d18626d311d3dea7274473c2dd50fae833ed739b67b1292

SHA512
d5ae9b9124a7c7f8c3d04c4750459c9bc620e3aeb84f5d56a64308eb9b343d4fb62f8b3e03210e04ad90b91bbbb35dd1a56148d06dbcc0872f99e9b1b9d37c7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\backgrounds\Ori%20and%20the%20Blind%20Forest.jpg

Filesize
93KB

MD5
babd1b019be8944f7ef6c64c8194bc8d

SHA1
702a50d3e3a0933db4dc1f37423bca3b5c52acde

SHA256
71ea07c900e7993072f4896c0ab621303feaf4d13b7c9a4b2993e06122b10f76

SHA512
6a854fc0db7206dd182f6ebc594d763b62a75f64663d3e58029cfa2586048838fe8878b043d174923e05f4e3cd2f3e9d96a6dcf5ba8bbd7322bbc3540bbb8b0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\fonts\NoirPro-Bold.otf

Filesize
46KB

MD5
e57b6bc24b970a377574124e026a7c01

SHA1
00184aedd4ee4d2ca6b5c87cf41e78f64304c89b

SHA256
b012d85155925bbe2106b20234b96522dec7914f03b09bc6e2fff71554f31bf6

SHA512
c162cd8a7130d2c94dac5c3dad58794f368436cbf782e8063c245d4cae405af6aa25c2f381549defd520c3f7cdbc04a27f891798697e9c291317d3b3ba82efdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\fonts\NoirPro-Light.otf

Filesize
45KB

MD5
d10d77b03ba3abe6ccc1c142d9852595

SHA1
6108edf0cfb3d5f25e3c593949c301c5c2aa5f25

SHA256
3c9ef459625f995c62b993b64da299204b741e153ba8e6d988463aaa86b1aa44

SHA512
71c4fc3b6f43b4125c5ea5ae09297d72446de81ffc2928fee33aef386754e60dab11cc170c4d6689dd6eeac451f2a57b9d3372278f750dca6ed39ec82fcf9368

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\fonts\NoirPro-Medium.otf

Filesize
46KB

MD5
df63e8855d04ab0e25d2bb6a0b1fabfb

SHA1
5512dc285f36cdf7da5ba5eabaca128ca3442537

SHA256
a728e91375dcadbdf6ef6d7e3cd0bbf5c56fb992d5b1be6640b83214c9d015ed

SHA512
eba8afd3289089841e4eda4abd992c2e2020d18d44741733b5a51a2a1e0c0982ffd9da187aa56ba3b891bc259398ec156e08e45265f7218e87eb914794ca69d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\fonts\NoirPro-Regular.otf

Filesize
45KB

MD5
d969db6adb881f1dfa91a5b7ec0154d9

SHA1
d7b44b20eb246b0ff5c41147c0d0fb96fde47c48

SHA256
c7fc6d9f2ff611073fa09a6c61a8c086da0ebe8da841a9f4ec4087a3e9b52152

SHA512
2a225a8c12b46aa14e14dd547c6a55c80aef6bfe8cc791dcf60a14ef91994eddc4dec473d856f7c2446d62a41d017d256b64b603d87ae45e75fdeb2230deb5b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\fonts\NoirPro-SemiBold.otf

Filesize
46KB

MD5
5177edfb54762b59df676052d11b363d

SHA1
fa18815bf4914b93d587c2758b65e234ad51b38b

SHA256
50000ce2f0f8bf3018f1d04aa5c6716583b808ca05c802c46a9de4f084a91f7d

SHA512
7475fe248eafd528a05acab94f3973eeeb0d169203769ee6b42d007b5fa0605a58a290e145d74d57e17486367bacffed22e4a88e576fa9f65d000e487aa78e27

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\icons\close.svg

Filesize
201B

MD5
7f8d672a2849987b498734dcb90f0c51

SHA1
e53b9319bf964c15099080ac5497ee39f8bab362

SHA256
4a290648cd1cfaaf1db4909d7552ae8cb83cb0b0e36770e64d153ab07ce6e7d4

SHA512
b3ddbf719f42440238c55cee896409179b4562ffe74f607d3640f623c8264c2fd2000b085dfd9a25ffd8ba2166695dcd663efec56cdac679f9993cfb602459d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\icons\cloud-off.svg

Filesize
1KB

MD5
e99140f842b471d330fc27cd73817c4c

SHA1
9957147463f586824b65bc7bfb121d33a9523a96

SHA256
0f4cb470185e3c6c26ae033a3a88e3995340bb08a63432dd9ebb82b73dd665ae

SHA512
f579aef41980539675609c62ff4d80dde22bad59917d439dbd4d325173bed3f24534a72e9903aef58c6ee5d4b03fcb7d0a7be8c93c35da6dbb2e1e046b7da0f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\icons\window-minimize.svg

Filesize
151B

MD5
d47255b6d3e685cac4804eb58207d0b6

SHA1
7fe02211cf6b77f3971522a3b3888460491ae153

SHA256
29bc4875912360fac26586adaca21449026cc2cf6479f9d9bbb066abe2dd2640

SHA512
b39c96fd2479585b32146a3b33a5419f665391f1b1857b08896c8254b48fdb733551bd9974a3c7dcfb679cbb5b35ed9b8f538f5c44156d399b02b8d0d4fe95ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\images\grain.png

Filesize
79KB

MD5
3577f702479e7f31a32a96f38a36e752

SHA1
e407b9ac4cfe3270cdd640a5018bec2178d49bb1

SHA256
cc453dfe977598a839a52037ef947388e008e5cdfe91b1f1a4e85afb5509bee2

SHA512
1a4a03931ab56c8352382414f55eb25b324e11890d51ba95597dbd867b35db45db5adcefb47d95b3763f413a66e3228e59531bdbd5ba5541469196adb5eb3d70

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\images\rain.webp

Filesize
656B

MD5
be14922d4d3c0caa92982861045a678a

SHA1
6420897088656598492473cd468b072da532dabb

SHA256
d93d33bfa57151721c3e3e196d56648c066aa100d4a26adedcd772cbbcf19422

SHA512
43290f48dd58e85cf6853a900bc469848e99e01faee4644d5605ed4079ae4cbda8e2483d81f847010ab60ce9ee808d54729c75ac5f14a965e7e2cf4c28599f86

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\images\snow.webp

Filesize
106B

MD5
e2002d0e20b636bb2ee67a869e9d37fe

SHA1
dfee3c36543b1d638bfaeeb528cc27a0e5cbca30

SHA256
890d8963e3f72df8b7dbd845d3d8997765d3e756204cc20dee6e91fb54828067

SHA512
24f516da534505b0169366d4819bc6acca9b4699071ba77c21c5a442ef6f37633bb5440978297c130f77d34421d0fbb6b9029e74d6e273bfe9a03874e4d67004

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\icudtl.dat

Filesize
760KB

MD5
692337664e861ad322138061132dddc6

SHA1
8a99bc860eda0772f3b1f4a125fa4d474410e21c

SHA256
c12537022ef818991a7bfed41a76d8d6ae962ffbc0e6511ac762a5d0845e7f7c

SHA512
3e2e6adb651e37e530734f999634d7c101fa1c45ae380be8ad169bbfb0a047f2878ff6c8d1428d6b9e7301b447ab2f8839484322ddb3831984be71d442829a55

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\flutter_windows.dll

Filesize
17.3MB

MD5
3fa6ea067b89692c7615cd7960cc568c

SHA1
254f6ce2570aafb7b0d4ebfad207af4fd877bb7c

SHA256
d2dfe0e7e4676bebd439d335f082ce9a435c448db17f90471d0be4ac16936db7

SHA512
3411391fbd84a7b05fe12e17cfc213fc24aade888d2749954f4c2e63355e6db1edb4059d1c2af54a05c7791591f4924c70dd0cd8c871a3be64df92b08691342f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\vcruntime140_1.dll

Filesize
48KB

MD5
eb49c1d33b41eb49dfed58aafa9b9a8f

SHA1
61786eb9f3f996d85a5f5eea4c555093dd0daab6

SHA256
6d3a6cde6fc4d3c79aabf785c04d2736a3e2fd9b0366c9b741f054a13ecd939e

SHA512
d15905a3d7203b00181609f47ce6e4b9591a629f2bf26ff33bf964f320371e06d535912fda13987610b76a85c65c659adac62f6b3176dbca91a01374178cd5c6

Download Submit
C:\Users\Admin\AppData\Roaming\com.swiftsoft\ExLoader_Installer\shared_preferences.json

Filesize
229B

MD5
50a645b1c0c0d111bc21d126a1c75707

SHA1
a6c7a6aaadb1f4dfdf2860534d780025dd3925c1

SHA256
c3b45076b23d5e47b4296b1839c17516a3299d8055947af87424a1f4cb597317

SHA512
8cf17114c356003e2c610e231e635fbdafb1e7f6694b0951c6235e7515a80ef88c322a20614e4607a66bbd1ec5a34b613894750d3f6695bbb93f95d096c67ab6

Download Submit
memory/5000-441-0x000001D9CD450000-0x000001D9CE1D1000-memory.dmp

Filesize
13.5MB

Download
memory/5000-439-0x000001D9CD3B0000-0x000001D9CD3B1000-memory.dmp

Filesize
4KB

Download
memory/5000-440-0x000001D9CD450000-0x000001D9CE1D1000-memory.dmp

Filesize
13.5MB

Download
memory/5000-443-0x000001D9CD3C0000-0x000001D9CD3C1000-memory.dmp

Filesize
4KB

Download
memory/5000-442-0x000001D9CD450000-0x000001D9CE1D1000-memory.dmp

Filesize
13.5MB

Download