4d1514934696d4e78db5769f4d4652dda9e025549a511669f2c1de104f360f55

Analysis

max time kernel
131s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12/09/2024, 05:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$TEMP/downloader_easeus/2.2.0/5free/EDownloader.exe
Size

1.2MB
MD5

75c6aa0ea529a99be1aa7a6ce1d40eb7
SHA1

90b78031df82bb75366e26c5313ed2b5f41a4dc1
SHA256

2fae081440a24194dae7aeab20612cff53f6c94e6c0d09ead3ba2cba70a87e46
SHA512

d35250868409cb1c93471af557f895eaf76c38599c28730fb7a75300175c1b78c288e259d4d0d5fe1fefadb68c1f760ca6b1c2b7860598ddc1483b303cb500a0
SSDEEP

24576:2s/G6GbJFLBoVs9nIDak3ri91DcSF+oYPa5crmMO4k5mBc:2WsDsbWgo/5wBvk5mBc

Score

4^/10

discovery

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InfoForSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EDownloader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InfoForSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InfoForSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AliyunWrapExe.Exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InfoForSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InfoForSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InfoForSetup.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1404 wrote to memory of 1684	1404	EDownloader.exe	84
PID 1404 wrote to memory of 1684	1404	EDownloader.exe	84
PID 1404 wrote to memory of 1684	1404	EDownloader.exe	84
PID 1404 wrote to memory of 2352	1404	EDownloader.exe	86
PID 1404 wrote to memory of 2352	1404	EDownloader.exe	86
PID 1404 wrote to memory of 2352	1404	EDownloader.exe	86
PID 2352 wrote to memory of 2552	2352	InfoForSetup.exe	87
PID 2352 wrote to memory of 2552	2352	InfoForSetup.exe	87
PID 2352 wrote to memory of 2552	2352	InfoForSetup.exe	87
PID 1404 wrote to memory of 3724	1404	EDownloader.exe	89
PID 1404 wrote to memory of 3724	1404	EDownloader.exe	89
PID 1404 wrote to memory of 3724	1404	EDownloader.exe	89
PID 1404 wrote to memory of 4960	1404	EDownloader.exe	90
PID 1404 wrote to memory of 4960	1404	EDownloader.exe	90
PID 1404 wrote to memory of 4960	1404	EDownloader.exe	90
PID 1404 wrote to memory of 4316	1404	EDownloader.exe	93
PID 1404 wrote to memory of 4316	1404	EDownloader.exe	93
PID 1404 wrote to memory of 4316	1404	EDownloader.exe	93
PID 1404 wrote to memory of 4620	1404	EDownloader.exe	96
PID 1404 wrote to memory of 4620	1404	EDownloader.exe	96
PID 1404 wrote to memory of 4620	1404	EDownloader.exe	96

C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\EDownloader.exe
"C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\EDownloader.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\aliyun\InfoForSetup.exe
  /Uid "S-1-5-21-656926755-4116854191-210765258-1000"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1684
- C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\aliyun\InfoForSetup.exe
  /SendInfo Window "Web_Installer" Activity "Result_Run_Installer" Attribute "{\"Country\":\"United States\",\"Pageid\":\"999999\",\"Timezone\":\"GMT-00:00\"}"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\aliyun\AliyunWrapExe.Exe
    C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\aliyun\AliyunWrapExe.Exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2552
- C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\aliyun\InfoForSetup.exe
  /SendInfo Window "Home_Installer" Activity "Result_Download_Configurefile" Attribute "{\"CDN\":\"http://download.easeus.com/api2/index.php/Apicp/Drwdl202004/index/\",\"Elapsed\":\"2\",\"Errorinfo\":\"4\",\"PostURL\":\"http://download.easeus.com/api2/index.php/Apicp/Drwdl202004/index/?exeNumber=999999&lang=English&pcVersion=home&pid=5&tid=1&version=&tmpTime_=467\",\"ResponseJson\":\"{\\"check\\":0,\\"msg\\":\\"version\\u4e3a\\u7a7a\\",\\"time\\":1726120160}\",\"Result\":\"Failed\"}"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3724
- C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\aliyun\InfoForSetup.exe
  /SendInfo Window "Home_Installer" Activity "Result_Download_Configurefile" Attribute "{\"CDN\":\"http://download2.easeus.com/api2/index.php/Apicp/Drwdl202004/index/\",\"Elapsed\":\"0\",\"Errorinfo\":\"4\",\"PostURL\":\"http://download2.easeus.com/api2/index.php/Apicp/Drwdl202004/index/?exeNumber=999999&lang=English&pcVersion=home&pid=5&tid=1&version=&tmpTime_=169\",\"ResponseJson\":\"{\\"check\\":0,\\"msg\\":\\"version\\u4e3a\\u7a7a\\",\\"time\\":1726120160}\",\"Result\":\"Failed\"}"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4960
- C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\aliyun\InfoForSetup.exe
  /SendInfo Window "Home_Installer" Activity "Result_Download_Configurefile" Attribute "{\"CDN\":\"http://download3.easeus.com/api2/index.php/Apicp/Drwdl202004/index/\",\"Elapsed\":\"2\",\"Errorinfo\":\"4\",\"PostURL\":\"http://download3.easeus.com/api2/index.php/Apicp/Drwdl202004/index/?exeNumber=999999&lang=English&pcVersion=home&pid=5&tid=1&version=&tmpTime_=358\",\"ResponseJson\":\"{\\"check\\":0,\\"msg\\":\\"version\\u4e3a\\u7a7a\\",\\"time\\":1726120162}\",\"Result\":\"Failed\"}"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4316
- C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\aliyun\InfoForSetup.exe
  /SendInfo Window "Home_Installer" Activity "Result_Download_Configurefile" Attribute "{\"CDN\":\"http://download.easeus.com/api2/index.php/Apicp/Drwdl202004/index/\",\"Elapsed\":\"0\",\"Errorinfo\":\"4\",\"PostURL\":\"http://download.easeus.com/api2/index.php/Apicp/Drwdl202004/index/?exeNumber=999999&lang=English&pcVersion=home&pid=5&tid=1&version=&tmpTime_=705\",\"ResponseJson\":\"{\\"check\\":0,\\"msg\\":\\"version\\u4e3a\\u7a7a\\",\\"time\\":1726120162}\",\"Result\":\"Failed\"}"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\EasyLog.log

Filesize
4KB

MD5
d1d97d57f081a8999515baa335cb2e0e

SHA1
c07835c715efdc33458f82146f7f56f88f96daaa

SHA256
b670429e6e956c57d044fd7b5d3a7dc072f3d96ca7e5aae92d8db9d4f570799b

SHA512
600ce5424efd02e9d9de039a5ae0a046b2ccf309776ef222febe0288f65e2c631116e0137540e81451b35e61095f8ed9ae750fff6273dd7d151110c127e1e351

Download Submit
C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\EasyLog.log

Filesize
2KB

MD5
afc4e9a765c5537c723272a0ad06f21f

SHA1
78605d423f7fc20dfa6bcb15f84e44c2aaf2d48e

SHA256
b589612214b7858355a64ff36359aa6b3270539deeeed8d73ad70ffa32336176

SHA512
c00a232c8c57b8ecf3e38f4694fe106050cf2d44b1332738683a11e347a5c67afbc595a16daaac9e68401e7b56921e2aa559ea0b8a36552c4d59e65641811cf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\EasyLog.log

Filesize
3KB

MD5
2718406ced61d28849aa6442bf0958d3

SHA1
1c577d550925a390d11573827778667b28f94e18

SHA256
bac0435b1b11bd2786048ee2258dc30650618805b9abbbb74201f62ad72f9dda

SHA512
3bb3cf459478d6d972a0f9ffb8f16ecc26d0aa35966e6408a394d959ab28c58c46d815c6dd6d98951ab03b9a3c7e0e5472f4b9d965fe7c2be9878cedf9c1fa40

Download Submit
C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\aliyun\AliyunConfig.ini

Filesize
1KB

MD5
7d92c67d447c5eb590a5bdd2a340ad00

SHA1
f3f2a262b37f7df5a54a40934ea349766c6dd554

SHA256
ed8c944a8b94534dbfa09414f53b22aea8a77b99f041ccd086f73d25727ca160

SHA512
63bda30b0c6de637754738123c1621c66d565455a0c21d99dd97fc7000c5ca04fbe127c9cd44deec37bd9340fb1f9c5522d1479d513cf4d6e3c875cfda1508fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\aliyun\DataFile.ini

Filesize
88B

MD5
7f411750d07619f38537e7fd612b8b44

SHA1
cda241a1ce5141288582c8f0ac4850992b427bdc

SHA256
ae89726af2bd0c0218fbf63af20d4464f44dced5156364d817b6e73afc8e9f87

SHA512
35dad46325060004a66e01e10af6a3ebfd94b6751347b6ec64840c4ec03d81480fc324494ea39dded03bf2f1a1ce352b15ab518d14214c15567af17fb32f16b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\aliyun\DataFile.ini

Filesize
1KB

MD5
8df498712ed18541584f663fe5cc8e52

SHA1
e81d2dc0196b5548187236014d3d921583036714

SHA256
18e5878da460e9fb86523940641a9ef142cbe857876a31543c263ff4619f4007

SHA512
f12e16163d10f3ebd04c20ee69768641cfc72fc60e86ea7cba80ccb722fc2c73c3bb9268fa183a7c3010d14ee6815651bd0276f682959153647f6c9505af69df

Download Submit
C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\aliyun\DataFile.ini

Filesize
366B

MD5
2ff9e4d31f01b05ad0ad0f972d232096

SHA1
f38b6627f7512bbf95991637bb6d348fe1fdfa2c

SHA256
62c51aa3dd235f6c0f4a6f0466996e7c5de000f8628d391ede39e47899d1e709

SHA512
d74aef4b63b17fd5c20559ae13fc365bdcbb8b97b4971142412a8d75d37b03b7021685d1c7a2464f1fd1be42eb8cf499b517195292bc1e1ea8b711ee2ec94c43

Download Submit
C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\aliyun\DataFile.ini

Filesize
698B

MD5
0c91d31fe6725325b4990f97c82d792d

SHA1
8dc54b5ee4641c05935f80d5832c11825d19cc37

SHA256
66d15acd8a0fc93c5bcd1c1072176684f0f2b8e88fcd660ec62a55e88f7142eb

SHA512
67efcec74b45f78e0ce3bf3d20368ff893381130e4d3bc61d77cccbd2697db2723c40c19058de983bf10fc0902662b572fe15ca8a67589c897e196a124593690

Download Submit
C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\aliyun\DataFile.ini

Filesize
1KB

MD5
ab0804316fc8fd788f9f1a9eb74d6f76

SHA1
6d1340defea178b2dcacba879975bdec306d6eb7

SHA256
e2e667c144f9e0c7a764c7111717931a6f7dec9570eb00f9c5df2f23e21a0b7b

SHA512
640460a3c007c4d5db521fbfa69d6c13bd91c2b0aef8cfcdc5b8601b6b393d5cd062e2b82b3660f4c08402944ef6639413dff77915a6531884b80de0b951a0b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\aliyun\DataFile.ini

Filesize
1KB

MD5
a0140b3f37eb68a197853186afbeb1c8

SHA1
6d57da9ffa8e3779d36002639c80998446545aef

SHA256
3f0d3a880e12c417e976ed086324405a16a950624bad4a86550d2354f4b930c4

SHA512
b625a84ee74ca6c4435d2e2588c2f2790f7d029278dfe36c7047a50b7ede60caa046b06ff77eb10ddcdca49e394e70ef899ab9a5a6ad1f73ab6627bf5205afc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\aliyun\DataFile.ini

Filesize
974B

MD5
246f2ba89c5b7083115123a5e56a8c49

SHA1
78d141c9dcc555c7fdeadb89d81c4a89b2439cee

SHA256
3a54ccbdb0c819977066f104d3629f5728fa75c5aa47ee980b1419f5457099ee

SHA512
143c70a8c2f7a9b65dcc6b4eb7da31f0bb99025316b9de078fbd9d6b9319d068c63756d5a9fafaa3061d3ae7cff45401e303cf21e2baf012c84211dabc6deb78

Download Submit
C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\aliyun\DataFile.ini

Filesize
2KB

MD5
5253ceaf836928dc34323cc88ea28dc7

SHA1
012d8d1cb98c409e072909e33966437461a0b05a

SHA256
293e2226432679ccedfe6f6cd4c630f493ff97ec4950dceb497baf845d840a82

SHA512
a6818e407e7be067a23add19d17c6b9e378aaa0b24ec372ec486ac1f5397c20121b5c501805360506e9e74619e74e155a59c063e8ec3105de11b27cd563a0ad5

Download Submit
C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\aliyun\DataFile.ini

Filesize
1KB

MD5
95de2277548803eff0b010bbe2bf4bad

SHA1
a76a5314f13bfda8e14e5884fa4f6e2cc1538949

SHA256
6d7f4d64578c9bc58e87fe9e32a4d0aaab373cdf96564b2d75fdf91263f92544

SHA512
6625d9a9e291634dbd4a5d9abc2d0f0f2c91ca89cfe08c3b491fadb12c53b8f7bfa7a42d14cadc175fdf27f7166b4d16132c39f3a9b276d14fe7c6c1495fba14

Download Submit
C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\aliyun\tempInfo.web

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit