4d1514934696d4e78db5769f4d4652dda9e025549a511669f2c1de104f360f55

Analysis

max time kernel
138s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12-09-2024 05:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$TEMP/downloader_easeus/2.2.0/5free/EDownloader.exe
Size

1.2MB
MD5

75c6aa0ea529a99be1aa7a6ce1d40eb7
SHA1

90b78031df82bb75366e26c5313ed2b5f41a4dc1
SHA256

2fae081440a24194dae7aeab20612cff53f6c94e6c0d09ead3ba2cba70a87e46
SHA512

d35250868409cb1c93471af557f895eaf76c38599c28730fb7a75300175c1b78c288e259d4d0d5fe1fefadb68c1f760ca6b1c2b7860598ddc1483b303cb500a0
SSDEEP

24576:2s/G6GbJFLBoVs9nIDak3ri91DcSF+oYPa5crmMO4k5mBc:2WsDsbWgo/5wBvk5mBc

Score

4^/10

discovery

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InfoForSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InfoForSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EDownloader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InfoForSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InfoForSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AliyunWrapExe.Exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InfoForSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InfoForSetup.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 3028	2696	EDownloader.exe	30
PID 2696 wrote to memory of 3028	2696	EDownloader.exe	30
PID 2696 wrote to memory of 3028	2696	EDownloader.exe	30
PID 2696 wrote to memory of 3028	2696	EDownloader.exe	30
PID 2696 wrote to memory of 3028	2696	EDownloader.exe	30
PID 2696 wrote to memory of 3028	2696	EDownloader.exe	30
PID 2696 wrote to memory of 3028	2696	EDownloader.exe	30
PID 2696 wrote to memory of 2220	2696	EDownloader.exe	31
PID 2696 wrote to memory of 2220	2696	EDownloader.exe	31
PID 2696 wrote to memory of 2220	2696	EDownloader.exe	31
PID 2696 wrote to memory of 2220	2696	EDownloader.exe	31
PID 2696 wrote to memory of 2220	2696	EDownloader.exe	31
PID 2696 wrote to memory of 2220	2696	EDownloader.exe	31
PID 2696 wrote to memory of 2220	2696	EDownloader.exe	31
PID 2220 wrote to memory of 2852	2220	InfoForSetup.exe	32
PID 2220 wrote to memory of 2852	2220	InfoForSetup.exe	32
PID 2220 wrote to memory of 2852	2220	InfoForSetup.exe	32
PID 2220 wrote to memory of 2852	2220	InfoForSetup.exe	32
PID 2696 wrote to memory of 2788	2696	EDownloader.exe	33
PID 2696 wrote to memory of 2788	2696	EDownloader.exe	33
PID 2696 wrote to memory of 2788	2696	EDownloader.exe	33
PID 2696 wrote to memory of 2788	2696	EDownloader.exe	33
PID 2696 wrote to memory of 2788	2696	EDownloader.exe	33
PID 2696 wrote to memory of 2788	2696	EDownloader.exe	33
PID 2696 wrote to memory of 2788	2696	EDownloader.exe	33
PID 2696 wrote to memory of 296	2696	EDownloader.exe	34
PID 2696 wrote to memory of 296	2696	EDownloader.exe	34
PID 2696 wrote to memory of 296	2696	EDownloader.exe	34
PID 2696 wrote to memory of 296	2696	EDownloader.exe	34
PID 2696 wrote to memory of 296	2696	EDownloader.exe	34
PID 2696 wrote to memory of 296	2696	EDownloader.exe	34
PID 2696 wrote to memory of 296	2696	EDownloader.exe	34
PID 2696 wrote to memory of 560	2696	EDownloader.exe	36
PID 2696 wrote to memory of 560	2696	EDownloader.exe	36
PID 2696 wrote to memory of 560	2696	EDownloader.exe	36
PID 2696 wrote to memory of 560	2696	EDownloader.exe	36
PID 2696 wrote to memory of 560	2696	EDownloader.exe	36
PID 2696 wrote to memory of 560	2696	EDownloader.exe	36
PID 2696 wrote to memory of 560	2696	EDownloader.exe	36
PID 2696 wrote to memory of 2352	2696	EDownloader.exe	37
PID 2696 wrote to memory of 2352	2696	EDownloader.exe	37
PID 2696 wrote to memory of 2352	2696	EDownloader.exe	37
PID 2696 wrote to memory of 2352	2696	EDownloader.exe	37
PID 2696 wrote to memory of 2352	2696	EDownloader.exe	37
PID 2696 wrote to memory of 2352	2696	EDownloader.exe	37
PID 2696 wrote to memory of 2352	2696	EDownloader.exe	37

C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\EDownloader.exe
"C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\EDownloader.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\aliyun\InfoForSetup.exe
  /Uid "S-1-5-21-3290804112-2823094203-3137964600-1000"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3028
- C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\aliyun\InfoForSetup.exe
  /SendInfo Window "Web_Installer" Activity "Result_Run_Installer" Attribute "{\"Country\":\"United States\",\"Pageid\":\"999999\",\"Timezone\":\"GMT-00:00\"}"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\aliyun\AliyunWrapExe.Exe
    C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\aliyun\AliyunWrapExe.Exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2852
- C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\aliyun\InfoForSetup.exe
  /SendInfo Window "Home_Installer" Activity "Result_Download_Configurefile" Attribute "{\"CDN\":\"http://download.easeus.com/api2/index.php/Apicp/Drwdl202004/index/\",\"Elapsed\":\"1\",\"Errorinfo\":\"4\",\"PostURL\":\"http://download.easeus.com/api2/index.php/Apicp/Drwdl202004/index/?exeNumber=999999&lang=English&pcVersion=home&pid=5&tid=1&version=&tmpTime_=467\",\"ResponseJson\":\"{\\"check\\":0,\\"msg\\":\\"version\\u4e3a\\u7a7a\\",\\"time\\":1726120196}\",\"Result\":\"Failed\"}"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2788
- C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\aliyun\InfoForSetup.exe
  /SendInfo Window "Home_Installer" Activity "Result_Download_Configurefile" Attribute "{\"CDN\":\"http://download2.easeus.com/api2/index.php/Apicp/Drwdl202004/index/\",\"Elapsed\":\"2\",\"Errorinfo\":\"4\",\"PostURL\":\"http://download2.easeus.com/api2/index.php/Apicp/Drwdl202004/index/?exeNumber=999999&lang=English&pcVersion=home&pid=5&tid=1&version=&tmpTime_=169\",\"ResponseJson\":\"{\\"check\\":0,\\"msg\\":\\"version\\u4e3a\\u7a7a\\",\\"time\\":1726120197}\",\"Result\":\"Failed\"}"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:296
- C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\aliyun\InfoForSetup.exe
  /SendInfo Window "Home_Installer" Activity "Result_Download_Configurefile" Attribute "{\"CDN\":\"http://download3.easeus.com/api2/index.php/Apicp/Drwdl202004/index/\",\"Elapsed\":\"1\",\"Errorinfo\":\"4\",\"PostURL\":\"http://download3.easeus.com/api2/index.php/Apicp/Drwdl202004/index/?exeNumber=999999&lang=English&pcVersion=home&pid=5&tid=1&version=&tmpTime_=358\",\"ResponseJson\":\"{\\"check\\":0,\\"msg\\":\\"version\\u4e3a\\u7a7a\\",\\"time\\":1726120198}\",\"Result\":\"Failed\"}"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:560
- C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\aliyun\InfoForSetup.exe
  /SendInfo Window "Home_Installer" Activity "Result_Download_Configurefile" Attribute "{\"CDN\":\"http://download.easeus.com/api2/index.php/Apicp/Drwdl202004/index/\",\"Elapsed\":\"1\",\"Errorinfo\":\"4\",\"PostURL\":\"http://download.easeus.com/api2/index.php/Apicp/Drwdl202004/index/?exeNumber=999999&lang=English&pcVersion=home&pid=5&tid=1&version=&tmpTime_=705\",\"ResponseJson\":\"{\\"check\\":0,\\"msg\\":\\"version\\u4e3a\\u7a7a\\",\\"time\\":1726120199}\",\"Result\":\"Failed\"}"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\EasyLog.log

Filesize
2KB

MD5
d7d42f21fc4dfe0c2a8b9ea73ed68a57

SHA1
ba32eea69907e3e7aba0abcc5d5ef9b91e8b2d07

SHA256
2d265da66b8dd32c5e4933b7c99ce9bb031c6986cde2f1a4008932072fe3eaab

SHA512
02fdaa588deeeb2f5f10336d90158a15fe0da377053dc804b7d8288006fef537e3c20ec667ea9580c633d5fd5fe47cecb26e6208a91f271099b5908e79e15a77

Download Submit
C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\EasyLog.log

Filesize
3KB

MD5
781f7616d7fef16fd7137e3b7dc49f52

SHA1
88c9714ae4966263fbbba67559d47399bf6971fa

SHA256
d917ca634461e71b6e095246929059b720c9e9790c09f5087afcb7421773b539

SHA512
23db1ea87a3d33116a66fa9a2753154b557b953e47964ab0d545c18c93936e585489a31b34b079b576dfb6abf0dda504fb0b215e8f17dcc15607d0234b04c373

Download Submit
C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\EasyLog.log

Filesize
4KB

MD5
227138240d010ba3d62a3351fbca6711

SHA1
e6808083487e49c0528898dbbed8d85584d0ac58

SHA256
5bbffb42152b43e66892a9adaa3fa244e3fc0bbe35db6fc1cfadbba07665e30f

SHA512
7fe113ce6f33b3568e71eefeaf77242bd627b35c1a989aec48cd3b2104b961a873d1e875f6c7c9836a74e46c4f9e684d2d7692c15e90dd255dfb8a2ea0d69af9

Download Submit
C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\aliyun\AliyunConfig.ini

Filesize
1KB

MD5
1bcf7ac54cd4208cb18522c35baa4518

SHA1
f2d0a4ecca52c2e606caaa2264fa46b3a50a7d68

SHA256
1c99256632b2ad383f9cfcc8da113b37e0d81698cbba85fbc44574ba620b71d5

SHA512
469882f7f71f5e23e06c14575bd2d2c6a475488a174a3fa75acb0eaa04acddd6b0de1117e6bbe65ff0a216a8e9231205a207e47fe23327a513654460046281b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\aliyun\DataFile.ini

Filesize
3KB

MD5
6a61ff4fa1e5245c1972553bf6e5873e

SHA1
49b59c0c93c4611d231090fbb2b65dd0fdf5b7b2

SHA256
573e45a628b8be06fdbcdeeb7b25383f9e9cc826dad882f4ec3168d96600bbf9

SHA512
12236127447c18803ae9aa214f541a8df8b337e3e92c4baa5cfe316b16e5abf81f4287b6ac2aa54d3f2e5db8517e10545a2bbe445ae7c1ad7b91bb8ce2d67264

Download Submit
C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\aliyun\DataFile.ini

Filesize
3KB

MD5
5dcc860e72ff0e85300fa8c48c3cfbdd

SHA1
e970c5056be829fc00e9210d38124f4c3dbb7cee

SHA256
500aa5ee295dd2f8d544d11d3cd55efbed0719cea1a10a772fe18476678aae02

SHA512
c39a3a091a5701dc1c584c11c8033b306a3d9ea3afe8fd35498e0eeabf6b744ffc0f40b93dc4d5241c0d37dd266c0c2b149bbbad8ec8ac3c149c701bece5f4c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\aliyun\DataFile.ini

Filesize
4KB

MD5
23acd697271a539a01fa03cb2a23575b

SHA1
c81a8ef74f1a5b62e5082c38e0bd8f8f096a9947

SHA256
e678998852cb9d9d328e1d715bdb30ccc0ff3f036dabb77368cb80679581f693

SHA512
bf3e23db4448ed6cd961412db7cbb64a760579317c9849ced68372f5d0eb3768b1334495482aa2afee84bed73be5fe72d4e5e73d3b928973551b2a16f391d3e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\aliyun\DataFile.ini

Filesize
982B

MD5
2d8a3d88c25433606208f8dae8efb174

SHA1
a5dfe51061d8292d8549eb9152ad2e3457a55016

SHA256
586e6064858915dd0b84fc21c01d36e9ad9253efb11666ea83eb167a6f470566

SHA512
4f3530542faa06f5c40b5629cc0e438364847a248f92c0cf6844c02fd3dd63e9e351a14e94a58aa6ba33d330c10d0dc533c899d5808cdeadeadc6409d37f447c

Download Submit
C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\aliyun\DataFile.ini

Filesize
5KB

MD5
ca6d4278c7fa7fc05c5f588fb9387b6d

SHA1
7468c1bf471b1d8f97fce098020796f30cfad21f

SHA256
f7d190eb4fb297269d672b1ac421c468884acd59ba5b18679657ace60c9124e7

SHA512
8e41473939d8dfa89ae718267d79423ca0aa3a7e8a0b757d87e1270fcf0711087578f5fbe6ba707812a3b364ea3dd852a62e8dd0dbeb0f98325f8e5f3ec289ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\aliyun\DataFile.ini

Filesize
4KB

MD5
48aa8bf1080ee45d0293090d1f09d926

SHA1
89c8f2111fdc4b21e0b9e60cd67a6f46e1bb28e7

SHA256
72d90d6d92e617e4c29d1bdc8379afef95b5b964274fbf3b20cdfd429625c27c

SHA512
03988a7036a0465ca3881ad3784c08c505ea8fcbe06dc987f323cf0211ba02d135a66c254f5687fe04648ce61b481130188aa79b2943fcd06af09f6990fa57b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\aliyun\DataFile.ini

Filesize
4KB

MD5
d4fe12bb0154ceb2f3fa8a7251aba9e1

SHA1
10fd81ed1c83e82717d61b7491630b2f7682e272

SHA256
05b7d63e776676b69d0d0d4bbe1cf947b1d2239e8b41fa1f4e45db11ed123674

SHA512
7ddfc33e8f70438f927f4212cf5fcfce993ec28c9c7b226d8659b354bfdea9f0e8461f3678044d299ee64b62a44889d5bd155d5bf80157ec7b1c14a50fa39fcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\aliyun\DataFile.ini

Filesize
3KB

MD5
d326113201099bb967e2edcf8e755913

SHA1
b972746fcc1e150743fdc61fb9ed71d3560c8c3d

SHA256
d330ad09f81070bc5cb3bca56b1900a314ef28104c997f196b16a7d8d2ffce06

SHA512
c95b17a0848e8f0923605c92badcde3ba02a0a2b783919e1ffff2695cb35e86459986ad7f1bb0207115becb732ec0b48cabe2b5c9caa2f7a9bc9f13386b21dbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\aliyun\DataFile.ini

Filesize
1KB

MD5
c7ab0d4fab6470af7026bbeee95bdc97

SHA1
ded206497632642bfc46a21d2e4a2cc93b1fd2b7

SHA256
b443e2d24ad8271a83c2c67b3d1c5358c1d4dd12937d4f05fb0626232e854ab1

SHA512
e4265184615270d72ccef88bdf71d48920e7f3b6b285f40bd4d078522ac746e14068a7467651e976ed9093d9aa7737fb24c1425550f97c46e99d265142916b59

Download Submit
C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\aliyun\DataFile.ini

Filesize
88B

MD5
7f411750d07619f38537e7fd612b8b44

SHA1
cda241a1ce5141288582c8f0ac4850992b427bdc

SHA256
ae89726af2bd0c0218fbf63af20d4464f44dced5156364d817b6e73afc8e9f87

SHA512
35dad46325060004a66e01e10af6a3ebfd94b6751347b6ec64840c4ec03d81480fc324494ea39dded03bf2f1a1ce352b15ab518d14214c15567af17fb32f16b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\aliyun\tempInfo.web

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit