4d1514934696d4e78db5769f4d4652dda9e025549a511669f2c1de104f360f55

Analysis

max time kernel
138s
max time network
147s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
12/09/2024, 05:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$TEMP/downloader_easeus/2.2.0/5free/EDownloader.exe
Size

1.2MB
MD5

75c6aa0ea529a99be1aa7a6ce1d40eb7
SHA1

90b78031df82bb75366e26c5313ed2b5f41a4dc1
SHA256

2fae081440a24194dae7aeab20612cff53f6c94e6c0d09ead3ba2cba70a87e46
SHA512

d35250868409cb1c93471af557f895eaf76c38599c28730fb7a75300175c1b78c288e259d4d0d5fe1fefadb68c1f760ca6b1c2b7860598ddc1483b303cb500a0
SSDEEP

24576:2s/G6GbJFLBoVs9nIDak3ri91DcSF+oYPa5crmMO4k5mBc:2WsDsbWgo/5wBvk5mBc

Score

4^/10

discovery

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InfoForSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InfoForSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AliyunWrapExe.Exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InfoForSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InfoForSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InfoForSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InfoForSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EDownloader.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 2548	2568	EDownloader.exe	30
PID 2568 wrote to memory of 2548	2568	EDownloader.exe	30
PID 2568 wrote to memory of 2548	2568	EDownloader.exe	30
PID 2568 wrote to memory of 2548	2568	EDownloader.exe	30
PID 2568 wrote to memory of 2548	2568	EDownloader.exe	30
PID 2568 wrote to memory of 2548	2568	EDownloader.exe	30
PID 2568 wrote to memory of 2548	2568	EDownloader.exe	30
PID 2568 wrote to memory of 340	2568	EDownloader.exe	31
PID 2568 wrote to memory of 340	2568	EDownloader.exe	31
PID 2568 wrote to memory of 340	2568	EDownloader.exe	31
PID 2568 wrote to memory of 340	2568	EDownloader.exe	31
PID 2568 wrote to memory of 340	2568	EDownloader.exe	31
PID 2568 wrote to memory of 340	2568	EDownloader.exe	31
PID 2568 wrote to memory of 340	2568	EDownloader.exe	31
PID 340 wrote to memory of 2280	340	InfoForSetup.exe	32
PID 340 wrote to memory of 2280	340	InfoForSetup.exe	32
PID 340 wrote to memory of 2280	340	InfoForSetup.exe	32
PID 340 wrote to memory of 2280	340	InfoForSetup.exe	32
PID 2568 wrote to memory of 2624	2568	EDownloader.exe	33
PID 2568 wrote to memory of 2624	2568	EDownloader.exe	33
PID 2568 wrote to memory of 2624	2568	EDownloader.exe	33
PID 2568 wrote to memory of 2624	2568	EDownloader.exe	33
PID 2568 wrote to memory of 2624	2568	EDownloader.exe	33
PID 2568 wrote to memory of 2624	2568	EDownloader.exe	33
PID 2568 wrote to memory of 2624	2568	EDownloader.exe	33
PID 2568 wrote to memory of 2948	2568	EDownloader.exe	34
PID 2568 wrote to memory of 2948	2568	EDownloader.exe	34
PID 2568 wrote to memory of 2948	2568	EDownloader.exe	34
PID 2568 wrote to memory of 2948	2568	EDownloader.exe	34
PID 2568 wrote to memory of 2948	2568	EDownloader.exe	34
PID 2568 wrote to memory of 2948	2568	EDownloader.exe	34
PID 2568 wrote to memory of 2948	2568	EDownloader.exe	34
PID 2568 wrote to memory of 3028	2568	EDownloader.exe	36
PID 2568 wrote to memory of 3028	2568	EDownloader.exe	36
PID 2568 wrote to memory of 3028	2568	EDownloader.exe	36
PID 2568 wrote to memory of 3028	2568	EDownloader.exe	36
PID 2568 wrote to memory of 3028	2568	EDownloader.exe	36
PID 2568 wrote to memory of 3028	2568	EDownloader.exe	36
PID 2568 wrote to memory of 3028	2568	EDownloader.exe	36
PID 2568 wrote to memory of 2576	2568	EDownloader.exe	37
PID 2568 wrote to memory of 2576	2568	EDownloader.exe	37
PID 2568 wrote to memory of 2576	2568	EDownloader.exe	37
PID 2568 wrote to memory of 2576	2568	EDownloader.exe	37
PID 2568 wrote to memory of 2576	2568	EDownloader.exe	37
PID 2568 wrote to memory of 2576	2568	EDownloader.exe	37
PID 2568 wrote to memory of 2576	2568	EDownloader.exe	37

C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\EDownloader.exe
"C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\EDownloader.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\aliyun\InfoForSetup.exe
  /Uid "S-1-5-21-3551809350-4263495960-1443967649-1000"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2548
- C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\aliyun\InfoForSetup.exe
  /SendInfo Window "Web_Installer" Activity "Result_Run_Installer" Attribute "{\"Country\":\"United States\",\"Pageid\":\"999999\",\"Timezone\":\"GMT-00:00\"}"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:340
- - C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\aliyun\AliyunWrapExe.Exe
    C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\aliyun\AliyunWrapExe.Exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2280
- C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\aliyun\InfoForSetup.exe
  /SendInfo Window "Home_Installer" Activity "Result_Download_Configurefile" Attribute "{\"CDN\":\"http://download.easeus.com/api2/index.php/Apicp/Drwdl202004/index/\",\"Elapsed\":\"1\",\"Errorinfo\":\"4\",\"PostURL\":\"http://download.easeus.com/api2/index.php/Apicp/Drwdl202004/index/?exeNumber=999999&lang=English&pcVersion=home&pid=5&tid=1&version=&tmpTime_=467\",\"ResponseJson\":\"{\\"check\\":0,\\"msg\\":\\"version\\u4e3a\\u7a7a\\",\\"time\\":1726120157}\",\"Result\":\"Failed\"}"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2624
- C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\aliyun\InfoForSetup.exe
  /SendInfo Window "Home_Installer" Activity "Result_Download_Configurefile" Attribute "{\"CDN\":\"http://download2.easeus.com/api2/index.php/Apicp/Drwdl202004/index/\",\"Elapsed\":\"1\",\"Errorinfo\":\"4\",\"PostURL\":\"http://download2.easeus.com/api2/index.php/Apicp/Drwdl202004/index/?exeNumber=999999&lang=English&pcVersion=home&pid=5&tid=1&version=&tmpTime_=169\",\"ResponseJson\":\"{\\"check\\":0,\\"msg\\":\\"version\\u4e3a\\u7a7a\\",\\"time\\":1726120158}\",\"Result\":\"Failed\"}"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2948
- C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\aliyun\InfoForSetup.exe
  /SendInfo Window "Home_Installer" Activity "Result_Download_Configurefile" Attribute "{\"CDN\":\"http://download3.easeus.com/api2/index.php/Apicp/Drwdl202004/index/\",\"Elapsed\":\"2\",\"Errorinfo\":\"4\",\"PostURL\":\"http://download3.easeus.com/api2/index.php/Apicp/Drwdl202004/index/?exeNumber=999999&lang=English&pcVersion=home&pid=5&tid=1&version=&tmpTime_=358\",\"ResponseJson\":\"{\\"check\\":0,\\"msg\\":\\"version\\u4e3a\\u7a7a\\",\\"time\\":1726120159}\",\"Result\":\"Failed\"}"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3028
- C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\aliyun\InfoForSetup.exe
  /SendInfo Window "Home_Installer" Activity "Result_Download_Configurefile" Attribute "{\"CDN\":\"http://download.easeus.com/api2/index.php/Apicp/Drwdl202004/index/\",\"Elapsed\":\"1\",\"Errorinfo\":\"4\",\"PostURL\":\"http://download.easeus.com/api2/index.php/Apicp/Drwdl202004/index/?exeNumber=999999&lang=English&pcVersion=home&pid=5&tid=1&version=&tmpTime_=705\",\"ResponseJson\":\"{\\"check\\":0,\\"msg\\":\\"version\\u4e3a\\u7a7a\\",\\"time\\":1726120160}\",\"Result\":\"Failed\"}"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\EasyLog.log

Filesize
1KB

MD5
2e946a8610966a263b395528da590249

SHA1
f417a3e02adb5c014651fe9fcbabc9b6e2226fea

SHA256
b835bbb79b9dac3935903f3b212f5d413c19da9b622f9efe1ec74e24d470df38

SHA512
da70d4e21720eeaa3963abead034942f58eb8cd8de2113adf260724969976fe54070a0c8f19a7532b56abd1bae2d286ea5c03417a43fd213100caefc0fdbee81

Download Submit
C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\EasyLog.log

Filesize
2KB

MD5
a845399683170e66b6ab8db5d9e84528

SHA1
3710da684d374d57e3570234a3f5e01bb5a62eed

SHA256
7b7fe3510995d1db08ec74366ac8c55aec61cc5f2d661d737f16d7f70390d1fb

SHA512
ed976b40ab30162199201c42d318435fdd6ffc0d2d994851e71d184df7246844ee0835e10223119681edb354bb28169891b21584185eb2fc285db7da97e1feb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\EasyLog.log

Filesize
2KB

MD5
833a59a768df15ea5f1a105771aa67d1

SHA1
64e08cd8868c16e52e10bec8d3b1d2b662019ae0

SHA256
c13574b32c3c36d678eae7679d71d6204525647decc4d225d0eef4a2b993ecfd

SHA512
0fcf2b0630efcb022728d72e5983f2f9621567ed7949316b97a90148fad597730bc95f91c2ff6cc7952e2727198ec081bfeaefe3da722a167c9cfe1c7871c64e

Download Submit
C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\EasyLog.log

Filesize
3KB

MD5
960ca6f31f79bd3b5af4405598138263

SHA1
9da23eee15ab246fc558a8f06e6c8b9365ebf7eb

SHA256
b75dc077409e7a88ceb348e89f8f2db00f1bf0fff55d38ec34b11dd01580018f

SHA512
f1e8068033663c848ee8b0b45cc3b3fdf3440bb9e80e64a0ce6e27a6cd777516cb066f3b81cabff0f39a9c1fb2f2e50591d50a415d5ed850e77bc2d7834c7a77

Download Submit
C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\EasyLog.log

Filesize
4KB

MD5
e3d5620e3edc1257ba7e8b0444fb38e3

SHA1
28252129217c8dce4039c2bb9e89b4ba05a2567e

SHA256
b14c274f0819c18b14611451af2e7531ab5c83f45f85fa1a5fe68a3b3b93a416

SHA512
c8ca61f9355cc5374b548f82d3a60edcdcd7e1766275d4f57014a8a3cf86b2207264d9d80f4e869db9d3f4a1bf75ab1e5e0aa855c334c570dc023d83b0586560

Download Submit
C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\aliyun\AliyunConfig.ini

Filesize
1KB

MD5
c40de765bbefbb571dcc21d23b9b3d5c

SHA1
0ae9a6102025e27c6018aea6b30d8cf3ac6283ff

SHA256
b85fb977c1e1680cc61d1333d9209942d6557010f7b2ac4e397602d8720a92d1

SHA512
8a6eb14d23dce90efa691eb65a2ac434a0716cb883390b1b77c31a6d2ccd54705acf29ecacce5d661b2b4ba28a11735b14f0a5a66fe3e46a8238cea91704610a

Download Submit
C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\aliyun\DataFile.ini

Filesize
3KB

MD5
67c6cdfde8b64c7e6d3507002842a933

SHA1
eef2f78c911af828f0e931e2a1f99f8b8ef1fd66

SHA256
d6f3cb19bbdb3c245a4682f00808ff5d442f6c6a345c917e8dc9e64b4bd8e166

SHA512
e6a1a362898457daad8e0965cb61c692957fb54605b399659b8a9ce8cbe573cadec75d285d6584f01819fee8670bc06d5396a08e8fd01495fe7b548cb619a9b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\aliyun\DataFile.ini

Filesize
5KB

MD5
d9b33b8f072232afca8ac6a768480cef

SHA1
c91d60ef573594f3e129a0910f944a309a9f3aab

SHA256
48b3b51a55e89274fed5957f8a3ac8a98b6ea106645f02ec8ae8bb682432f5e5

SHA512
7d8252a35214eeb832717b1890eb004a14f74cb5558d64e4d2aa2cf1338e6ea80e8c516b9c9b31fc41b5098b9e5ac85731e5d75bc1e6cc65ba003e4a954a9fc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\aliyun\DataFile.ini

Filesize
4KB

MD5
c425fc2afad819c867298bc2b653b1e0

SHA1
11edb9712a7a7466ca7cc0a825c768950eb05d9c

SHA256
68f997f08ebca3b933185998ae11426fe8003fe64cd2191842c8e4c5b0e3bc74

SHA512
afe4d8a2ddbfe0929e57974af1ef303fa78403e6682e7fc611f0ce8acfaadf55a7d3e46ad78021069163fe940cb71b858887c307148e63dd46dbd0e341e6d5dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\aliyun\DataFile.ini

Filesize
3KB

MD5
4ee594765255c1e2ef3c43da123f7d8d

SHA1
cdd3c16dbce469c59ff5171b0a97790b346c586e

SHA256
2f452c781917ce98cb2d72ee532d7db8061e26f3ff4b98729c62e865428ca574

SHA512
241eadfae5f675067a858c17f841a02746688edf723e37b7a4ff0145f18fb8cca4e5ca51798172a81dd95e89bc2b847d68aff368b8baf9c3d36cb3cf1029d10f

Download Submit
C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\aliyun\DataFile.ini

Filesize
4KB

MD5
9e9d84ea6f74039be13156967cd87e19

SHA1
520f43b57c52902328e28e7b79f514d1759fef0e

SHA256
65a28489fa53d995ce5aef7a4c36b55b5e0ab80a69ca2e8b22cc382346613085

SHA512
e79bbfd40d3e1f2077b79967ba5464bd49c9cc9866b2b69811fe3c7761d6a30846283e07f7a7ea453d4b7b80ec2dcfe052dca006d4b94fe6bbaf04f8a5d0629f

Download Submit
C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\aliyun\DataFile.ini

Filesize
3KB

MD5
d8f03436ad3b67d8ff51f0440407868a

SHA1
f7bbf4ed1a4d4b9a5bc8ca7ae49a64c35e9313d7

SHA256
ed6c527088d2adea3e91081590089a57257c22ec316930ab0120cd016bf3b30d

SHA512
e390d89ad9d8f795f87ca344047c9ff7dc7e984933a3d68560fce9fea48f1a66b6c2aaeec780999cc3d7e48a3fe7175a78a469a220180ace40007295fb783c91

Download Submit
C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\aliyun\DataFile.ini

Filesize
982B

MD5
d157a4bf52cff798bf1f51ff343dccf2

SHA1
acdf74d244162ab1d9c50e012117688f4ff3bd09

SHA256
5bff83ae2aa1bbb3a8399b2b866afbdc7f1047a2f9006f97c52a7bf56bf8c333

SHA512
eecc7fcc7642ac302709ec772a41a872161da774278a48337aba824748f912bd5396e3c8a944cd3a653afe8b2c6ff8ea2804fb2a47ad3d2ef219559f95910eb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\aliyun\DataFile.ini

Filesize
1KB

MD5
23e4e8e7d1b8a310335ef353dc8c7c49

SHA1
a9634b480dfc5a0f6bf30842dc6301c88a866d8e

SHA256
d29ad6484a6f93e83ee3e776ed450a77b8e390176f3b0bf43f6dd3f36d404cda

SHA512
886b2c8e4a709a408a221e40597c957b5678e872d2dd5eff3b273f661bb497ffe98185144d2dfbd48c59473eaa5bafe6ee40d8cb354e1dba91fd678ad592e145

Download Submit
C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\aliyun\DataFile.ini

Filesize
88B

MD5
7f411750d07619f38537e7fd612b8b44

SHA1
cda241a1ce5141288582c8f0ac4850992b427bdc

SHA256
ae89726af2bd0c0218fbf63af20d4464f44dced5156364d817b6e73afc8e9f87

SHA512
35dad46325060004a66e01e10af6a3ebfd94b6751347b6ec64840c4ec03d81480fc324494ea39dded03bf2f1a1ce352b15ab518d14214c15567af17fb32f16b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\aliyun\tempInfo.web

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit