eab3e3b6e8b995b1e61a855aced2ad720125cdeed905488df69935ac0797a61a

General

Target

exodus-windows-x64-24.37.2.exe
Size

222.5MB
MD5

616deee795c2cab43b331b9911a1324d
SHA1

220259576ffbf3bdc2c82f5998cb9b804ed10b49
SHA256

eab3e3b6e8b995b1e61a855aced2ad720125cdeed905488df69935ac0797a61a
SHA512

7695d888de5bf4af0f33eec6c5f3ff9c540d768e2fa48a2a42b97061ca3a3acd425bab553a67a291deb8e1f4dadc5e35a68861b1156b510b7c85d469694cb90e
SSDEEP

3145728:3QrwAI2n0KjGajGyFv7PAQq7ZUCQ4ljRjE1XzZl/LUCrMarnqWRcVMWrvt7lOZ4Z:grwvhaGpYA7if4rA9zZhLqeYpt0Z4gQz

Score

4^/10

discovery

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2328	Update.exe
2440	Squirrel.exe
2040	Exodus.exe
744	Exodus.exe

Loads dropped DLL 6 IoCs

pid	Process
2528	exodus-windows-x64-24.37.2.exe
2328	Update.exe
2328	Update.exe
2328	Update.exe
2328	Update.exe
2328	Update.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	exodus-windows-x64-24.37.2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Squirrel.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2528	exodus-windows-x64-24.37.2.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2328	Update.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 2328	2528	exodus-windows-x64-24.37.2.exe	29
PID 2528 wrote to memory of 2328	2528	exodus-windows-x64-24.37.2.exe	29
PID 2528 wrote to memory of 2328	2528	exodus-windows-x64-24.37.2.exe	29
PID 2528 wrote to memory of 2328	2528	exodus-windows-x64-24.37.2.exe	29
PID 2528 wrote to memory of 2328	2528	exodus-windows-x64-24.37.2.exe	29
PID 2528 wrote to memory of 2328	2528	exodus-windows-x64-24.37.2.exe	29
PID 2528 wrote to memory of 2328	2528	exodus-windows-x64-24.37.2.exe	29
PID 2328 wrote to memory of 2440	2328	Update.exe	30
PID 2328 wrote to memory of 2440	2328	Update.exe	30
PID 2328 wrote to memory of 2440	2328	Update.exe	30
PID 2328 wrote to memory of 2440	2328	Update.exe	30

C:\Users\Admin\AppData\Local\Temp\exodus-windows-x64-24.37.2.exe
"C:\Users\Admin\AppData\Local\Temp\exodus-windows-x64-24.37.2.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
  "C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Users\Admin\AppData\Local\exodus\app-24.37.2\Squirrel.exe
    "C:\Users\Admin\AppData\Local\exodus\app-24.37.2\Squirrel.exe" --updateSelf=C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2440
- - C:\Users\Admin\AppData\Local\exodus\app-24.37.2\Exodus.exe
    "C:\Users\Admin\AppData\Local\exodus\app-24.37.2\Exodus.exe" --squirrel-install 24.37.2
    3⤵
    - Executes dropped EXE
    PID:2040
- - C:\Users\Admin\AppData\Local\exodus\app-24.37.2\Exodus.exe
    "C:\Users\Admin\AppData\Local\exodus\app-24.37.2\Exodus.exe" --squirrel-firstrun
    3⤵
    - Executes dropped EXE
    PID:744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\SquirrelTemp\RELEASES

Filesize
79B

MD5
6c9fb77891307c945de33f9168e68ac5

SHA1
59e16b728aaee2265e51743fc1d3823390c6ad3e

SHA256
8c863657d31f5cea6d320aa2870302666477520894028a50035cdf7de3fab3c0

SHA512
a8171a90cfb976f0a4eedd5bb98b3ac2d0a80cf6a584d5f9fe865905cfbce118c3cba88f13cb635d44f6a25554d9c4a0530558f6152af7945a09481a00609881

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\background.gif

Filesize
10.7MB

MD5
9b01c5eab2c0bbf63c29944e485c062d

SHA1
a8182f1d6363817757d9a4c652ca78591826c803

SHA256
eb59903ac99cd42ace0b9204c6f2696c61ced7ff9c94e4da1334b3b5356655fc

SHA512
edd950fc94e1c06960541527fda50f2da2f6c99206b691ab465eef69fdae491ca9e3d9b29c3e322f3590a64c73e59c0f24028e873557037a9807e83d946a383b

Download Submit
C:\Users\Admin\AppData\Local\SquirrelTemp\setupIcon.ico

Filesize
352KB

MD5
f4fd06cc518f26026049ccce65a4ec81

SHA1
6298ba68c06b31f1ec19e7ce757c26ff3e6df3f7

SHA256
381905c1421a53741029db9ac3b9544bc39daabc8e14a8883ab0b64c5c0d2ca3

SHA512
e53583d6a33b8f4b8d9d71aa19b1027b2152e35bc1595ee62916be3f1eb95015b4b1ca70d6bdeaa54742c11a374ccd663062229ce22410dc3d2b96bf8d6538d2

Download Submit
\Users\Admin\AppData\Local\SquirrelTemp\Update.exe

Filesize
1.7MB

MD5
c5f6cda4976ae38cd9fba3d1e5ebd244

SHA1
2006c37f01d010963a4331c42e579b87a2d16039

SHA256
dae7bd888b715b8e215482bc5ea6f028ded32a3ad88bf4acb6431d2a62ffe3f4

SHA512
a1a7529b0ceb3df471e803eac1d9256c009a9c8252884f64a28a59d59753c75e1bff726a35af02db5bdf20a2d194850bfdbed163722b09465ca32d10d059524d

Download Submit
\Users\Admin\AppData\Local\exodus\app-24.37.2\squirrel.exe

Filesize
2.1MB

MD5
5341b31761b38bb6a42cb155aaea8661

SHA1
46a98e293a2596d51c8d4171b39fa2549def9d96

SHA256
55f4fdbd5fc93ded3565dd1af4d16479be3a27dab565243464107d8a1b114685

SHA512
906583cd16ef56dfe13c44fbb4556a0d7d9160e63ab0e6d798d526f5cb7466812a6bbabe95448d339bf8a7ef740229ce39964d2502880ad996dba418d0da6080

Download Submit
memory/2328-10-0x0000000000870000-0x0000000000A34000-memory.dmp

Filesize
1.8MB

Download
memory/2328-85-0x0000000000450000-0x000000000045A000-memory.dmp

Filesize
40KB

Download
memory/2328-84-0x0000000000450000-0x000000000045A000-memory.dmp

Filesize
40KB

Download
memory/2328-119-0x0000000000450000-0x000000000045A000-memory.dmp

Filesize
40KB

Download
memory/2440-108-0x0000000000CE0000-0x0000000000EFC000-memory.dmp

Filesize
2.1MB

Download

Analysis

Sharing