6b57197633273a41a53c14121504f89f1134bb1ca30166f4eefa3808bfbf75e2

Analysis

max time kernel
141s
max time network
19s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
31-08-2024 03:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

InstallWizard101.exe
Size

26.0MB
MD5

2ec7ca56b024233004ef3f59f287a3cd
SHA1

629b419b966f043ebde271ad9ce9fd0a9ccc0cec
SHA256

6b57197633273a41a53c14121504f89f1134bb1ca30166f4eefa3808bfbf75e2
SHA512

c5a7e97a5e2c7537b6d55c1f1cf4f970986850562e727f73d34d7c25decda0689abda6ef5072a9ad0eb98b777bb844f8427a345fbd6df8811a71443cf85c40cc
SSDEEP

786432:GKRTcqIr+TUW48OpddotcwMA/gZpL2DAbyHo/Qq+c0j5m2WF7f:+qI6Tx6qtc

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
780	ISBEW64.exe

Loads dropped DLL 7 IoCs

pid	Process
2776	InstallWizard101.exe
2776	InstallWizard101.exe
2776	InstallWizard101.exe
2776	InstallWizard101.exe
2776	InstallWizard101.exe
2776	InstallWizard101.exe
2776	InstallWizard101.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallWizard101.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 780	2776	InstallWizard101.exe	30
PID 2776 wrote to memory of 780	2776	InstallWizard101.exe	30
PID 2776 wrote to memory of 780	2776	InstallWizard101.exe	30
PID 2776 wrote to memory of 780	2776	InstallWizard101.exe	30

C:\Users\Admin\AppData\Local\Temp\InstallWizard101.exe
"C:\Users\Admin\AppData\Local\Temp\InstallWizard101.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2776
- C:\Users\Admin\AppData\Local\Temp\{8F47FD2D-6EEB-4DE1-8187-9B161940C4B1}\ISBEW64.exe
  C:\Users\Admin\AppData\Local\Temp\{8F47FD2D-6EEB-4DE1-8187-9B161940C4B1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{66F490B5-C140-4CC5-814E-C46A27CA1E12}
  2⤵
  - Executes dropped EXE
  PID:780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\skinc86d.rra

Filesize
864B

MD5
0743900be8906421e466cd27d67821b6

SHA1
0a6a96118398b9c7ebc15c80a1523b384830bd7a

SHA256
a0aba51fd572069d1f65d49b3e29a581f83e609f591f37eb6943682f68e795af

SHA512
cd21b8a76e8f790d96858148ef702c57a9b16c4a3ecaf23ec6487bf22c348e94a085f7afa174e85f025cf67bdccbeaab0b754e5749a3a364be9ade945e000589

Download Submit
C:\Users\Admin\AppData\Local\Temp\{1A41C984-7A05-4F94-943E-D38BCC455B07}\Disk1\data1.hdr

Filesize
15KB

MD5
7543ef671a3d2d879908d0356288b6ea

SHA1
d781d8d505fa7de40b1e2e54768635998d7d0eff

SHA256
31dd513e07758648892e9ee4b5f5285e2559ac7cac5e83134f3a7055e5ede5c7

SHA512
b1003f70272db41273f54b70130f8ce8efcb6619b5fc5806cef4ad50aed0724120b7a07be66de9c9667e723a2907f23fa25672428ba881c94ddb3bb431c7fa56

Download Submit
C:\Users\Admin\AppData\Local\Temp\{1A41C984-7A05-4F94-943E-D38BCC455B07}\Disk1\setup.exe

Filesize
384KB

MD5
a1d38b383502a8c48c7070f127190f4a

SHA1
3f8eba721174910ecbb116d8cca7b7a27db291ae

SHA256
a5ad5e28f5ba16cef53d2caa1d1b3ee5ac7c8f0a5dc6a99f1f047a8fe450ac5a

SHA512
5cf30cd4169ec6156d964cf495f145ad64b84047d73aa5ef7b19abe34b6f20059e0f41158604c63d47894805e6b3f9532c2e560cb06f18b67855b36ca5c7cef8

Download Submit
C:\Users\Admin\AppData\Local\Temp\{1A41C984-7A05-4F94-943E-D38BCC455B07}\Disk1\setup.isn

Filesize
242KB

MD5
2ac72b647497822707613ec6fc824e9b

SHA1
f8ff9ba4e17065f2f7cb81e581429bf1e9164539

SHA256
c418e898666b49ae6bdd08d993c2d866d4e24885ed387477e9e0433774db126e

SHA512
5239fdd9c7129be99552b00bc8754ffe3ca95c26418f2e4c9af42ed0a30cedc58a30ccc654657961cc1e911b11fb07e608e88d2e48e634f8ebb2bbf4d95a6b3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{1A41C984-7A05-4F94-943E-D38BCC455B07}\setup.ini

Filesize
459B

MD5
5cfe1617e8702e6abdfc846e3f00c6ce

SHA1
b86b3a992c03089f041e56635ceb4aa11b6604c4

SHA256
2bbcedb9e033c8233231240f51c17f4085a9a3026321f43f79c4cd33a07536f2

SHA512
937ea64ac004df7a27c35abd1582ba5f6bfcf745b42b4bfe4211518dd8044ccc85acfb1680d2e9f7f6e79ccaa85471b1bd58e4b0935bc56c004f621b41560100

Download Submit
C:\Users\Admin\AppData\Local\Temp\{8F47FD2D-6EEB-4DE1-8187-9B161940C4B1}\ISBEW64.exe

Filesize
114KB

MD5
2a276ba2b7782476302c59d0f760f4bc

SHA1
43bbb884a7b65534c417ae5a3f3f17f7e80e2f7d

SHA256
d3294cc8c750c4bd63016e87e9d2c53a501c173567f4edb9a3c6f1bd9836064a

SHA512
6bed8d3291ed422aed187637838bfb957ea59c772be3bc52c12242474712f411e174afe55ed6955b910a8ce3635f1552260063cf6db428a4e34bc76a4e3e01f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\{8F47FD2D-6EEB-4DE1-8187-9B161940C4B1}\{A9E27FF5-6294-46A8-B8FD-77B1DECA3021}\DIFxData.ini

Filesize
86B

MD5
10baa5b67536f4433f37534b9c8bb828

SHA1
82e5c34b1279afda223b639b49078d03c52875f5

SHA256
1b9fd5c1f18357bd459be20bfcbf47ee18fa0c5d5cc42f6aed2705d5868b65f4

SHA512
49c6798ebb3b6137cafb78b88350d02094367523dcf8f9e580de1941e514b8b3df786d1d817090e5dab80ac4d0d015796b2ce28b296db31d111e0d0bbaeebb37

Download Submit
C:\Users\Admin\AppData\Local\Temp\{8F47FD2D-6EEB-4DE1-8187-9B161940C4B1}\{A9E27FF5-6294-46A8-B8FD-77B1DECA3021}\FontData.ini

Filesize
39B

MD5
00f313e3e007599349a0c4d81c7807c4

SHA1
f0171f15aab836a1979d3833e46b5e59e4ea32e0

SHA256
766ee687d90b0217eb41cb85aca04375bdc24db986a33536631f864b7ce1a08a

SHA512
8bb25a62c0b1640dec36403a493ed54c05f7cde7b7357c8faea785a79c4b76bbe6a3d6fe78db52b558a37abac90c2b2e8b13868a76294554d51670e9fa8764ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\{8F47FD2D-6EEB-4DE1-8187-9B161940C4B1}\{A9E27FF5-6294-46A8-B8FD-77B1DECA3021}\VASData.ini

Filesize
30B

MD5
b16ff78e4420d4049da82fffe3026d31

SHA1
612be1fde59d3d4534a4d8e0947b65060ed6146b

SHA256
029f695d7a558a0070bdb42c07d35c7ae436fbd0688079b7ada58093505d9579

SHA512
8042f5a1f12ef644b7def42c52c90a252ff4a6c099956530cff8147daf2edd8934f5bc79bb560f550d47755fead71a1d0fbe7d52fdc0fb30a0ad64471beaaf7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{8F47FD2D-6EEB-4DE1-8187-9B161940C4B1}\{A9E27FF5-6294-46A8-B8FD-77B1DECA3021}\_IsRes.dll

Filesize
385KB

MD5
33f898677e78b00543cbd351ed5b61d0

SHA1
6dc725e9c0a7c46f8a93694db27bd1e47a2e6155

SHA256
9ce56dc8ad52a4b4eeccddba820fe051a06ba446cdb1074424012b83c9ed6346

SHA512
08d871909825c903aff050cd304da1848ab19221776a4d58c8f6e4fc26ddd0c3f58dbfc5fe6d0c48ee4a52125e0f39ef0252963e1b92a73aa0ce9ece8263e0eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\{8F47FD2D-6EEB-4DE1-8187-9B161940C4B1}\{A9E27FF5-6294-46A8-B8FD-77B1DECA3021}\isrt.dll

Filesize
217KB

MD5
0f68d760fb480a1b039ca7d6b877d24c

SHA1
259d101a49646c3abe17114111ff9aa7df1b8fc2

SHA256
5974ce20a780d384383cfc24af4dc62bc22ca67ce1d76ea9981c42631480ab63

SHA512
d551553ceca5b9ba86f7422893df78ce71167096cbeae65319c344abf57601e8e6c8f9779a9a45ed28ce32c3e1c477b843d8ad4437e0643c0fabf56ab7f586d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\{8F47FD2D-6EEB-4DE1-8187-9B161940C4B1}\{A9E27FF5-6294-46A8-B8FD-77B1DECA3021}\setup.inx

Filesize
251KB

MD5
0514f97eb5d8998cc211cf59a1043d80

SHA1
60a6f312214cf071a5ddc7469342d2d1e2660348

SHA256
f03b8e241e5170713eea95e3c3f7ff45c80d26ce04cc7c7c9f2eb5372c90e20b

SHA512
a66490a626df9e6cb6f2ae5d98b01faf4e173f98b2c297a0a24248c7d4486776d9e7ca23ea12d8266bdb3bad7a542eb2386e2981f69185f83c3d7bc96b3b436c

Download Submit
\Users\Admin\AppData\Local\Temp\{1A41C984-7A05-4F94-943E-D38BCC455B07}\Disk1\ISSetup.dll

Filesize
542KB

MD5
2dd1c4a68e2a8a401018f5efdab5adde

SHA1
13fc964947516230c70d38281d0312bc1afe13c0

SHA256
7c173cdaea8e3a3cc95b7196681cb904f3996f81289d5890b30f38c99eba45ae

SHA512
c69f3e46d36e07e6093f66cf072c83fc8c7249ff86c9cd84168ee46dbb7a621d562cee7de5685b408bd5f71889d6433e99ff8045955e5b8ab2c9eeb71941d165

Download Submit
\Users\Admin\AppData\Local\Temp\{1A41C984-7A05-4F94-943E-D38BCC455B07}\_Setup.dll

Filesize
145KB

MD5
0d3f826d9467179b3d03feb31314ca63

SHA1
530d0fc49c93d7c84e0a7637f4a8c1639b80b1ba

SHA256
7d259642019033a6630208c28c096c03c8db8b68c1c35ac73a675e6eb7707d86

SHA512
295169fe2946a39f5aee1430a5d3cf8bccdae22b578cf1f3e907c8abced329d0627a4b8359e5be7161aa3785f81352fa90001a2acd35f21ebc50ccab010c59cd

Download Submit
\Users\Admin\AppData\Local\Temp\{8F47FD2D-6EEB-4DE1-8187-9B161940C4B1}\{A9E27FF5-6294-46A8-B8FD-77B1DECA3021}\_ISUser.dll

Filesize
12KB

MD5
3b7fd4af5fba6631a82cf5d1f939d5ef

SHA1
bacc10315f54689d613389258a5b5992da0e2422

SHA256
e121d8973b2d5bf18a59b5cd1b491bb1ee38ca5be3e7dc9e37319d3a3d5a944b

SHA512
bd98de626e4b800756b3e4ef52701dc534262dd5a6cb623bfc57689d13ad0874953b57a492ad42853b5c1545d116997ea285a30b6be5828165f25223832f0c35

Download Submit
memory/2776-211-0x0000000003D00000-0x0000000003D02000-memory.dmp

Filesize
8KB

Download
memory/2776-210-0x0000000003C70000-0x0000000003CF8000-memory.dmp

Filesize
544KB

Download
memory/2776-60-0x0000000002350000-0x00000000024EA000-memory.dmp

Filesize
1.6MB

Download
memory/2776-63-0x0000000000240000-0x0000000000242000-memory.dmp

Filesize
8KB

Download
memory/2776-334-0x0000000003C70000-0x0000000003CF8000-memory.dmp

Filesize
544KB

Download
memory/2776-333-0x0000000002350000-0x00000000024EA000-memory.dmp

Filesize
1.6MB

Download