Analysis
- max time kernel: 105s
- max time network: 109s
- platform: windows10-2004_x64
- resource: win10v2004-20240910-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240910-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-09-2024 08:04
Static task
- static1

Behavioral tasks (Sample; Resource)
- behavioral1: 1a34bba303197eade878b483cd8b02c2bd6bd2af9d5ec501bc61b4b318704f0cN.exe; win7-20240903-en
- behavioral2: 1a34bba303197eade878b483cd8b02c2bd6bd2af9d5ec501bc61b4b318704f0cN.exe; win10v2004-20240910-en
- behavioral3: $PLUGINSDIR/Installer.exe; win7-20240903-en
- behavioral4: $PLUGINSDIR/Installer.exe; win10v2004-20240802-en
- behavioral5: $PLUGINSDIR/StartMenu.dll; win7-20240708-en
- behavioral6: $PLUGINSDIR/StartMenu.dll; win10v2004-20240802-en
- behavioral7: $PLUGINSDIR/System.dll; win7-20240903-en
- behavioral8: $PLUGINSDIR/System.dll; win10v2004-20240802-en
- behavioral9: $PLUGINSDIR/UserInfo.dll; win7-20240903-en
- behavioral10: $PLUGINSDIR/UserInfo.dll; win10v2004-20240910-en
- behavioral11: $PLUGINSDIR/nsDialogs.dll; win7-20240903-en
- behavioral12: $PLUGINSDIR/nsDialogs.dll; win10v2004-20240802-en
- behavioral13: RapidTyping.chm; win7-20240903-en
- behavioral14: RapidTyping.chm; win10v2004-20240802-en
- behavioral15: RapidTyping.exe; win7-20240903-en
- behavioral16: RapidTyping.exe; win10v2004-20240802-en
- behavioral17: fmodex.dll; win7-20240708-en
- behavioral18: fmodex.dll; win10v2004-20240802-en
- behavioral19: freetype6.dll; win7-20240903-en
- behavioral20: freetype6.dll; win10v2004-20240802-en
- behavioral21: icudt44.dll; win7-20240708-en
- behavioral22: icudt44.dll; win10v2004-20240802-en
- behavioral23: icule44.dll; win7-20240903-en
- behavioral24: icule44.dll; win10v2004-20240802-en
- behavioral25: iculx44.dll; win7-20240903-en
- behavioral26: iculx44.dll; win10v2004-20240802-en
- behavioral27: icuuc44.dll; win7-20240903-en
- behavioral28: icuuc44.dll; win10v2004-20240802-en
- behavioral29: zlib1.dll; win7-20240708-en
- behavioral30: zlib1.dll; win10v2004-20240802-en
General
- Target: 1a34bba303197eade878b483cd8b02c2bd6bd2af9d5ec501bc61b4b318704f0cN.exe
- Size: 8.7MB
- MD5: 42b2d6e42c5eae489ed0a7b5e98bdcb0
- SHA1: 41b4454967e0b34006451fd074dac7981dc4f775
- SHA256: 1a34bba303197eade878b483cd8b02c2bd6bd2af9d5ec501bc61b4b318704f0c
- SHA512: d00115763c5cc5db0ac5f1e841bc94723355eef0ff68d16dcc889c4e3e83efd5ff2876b87a6e3612ca129ea445a77ee6efbd6b216e7fa8ee1be40cd98a6adc7d
- SSDEEP: 196608:L/eQntyZ88cg9Ti6kv0Qpl9JULuIosSu8EcsEKJU3F9b6c6LJby:O8G9Ti65o9JQuPRQe3Lb6lJy
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000\Control Panel\International\Geo\Nation (process: Installer.exe)

- Executes dropped EXE (2 IoCs)
  PID 4036 Installer.exe
  PID 736 installChecker.exe

- Loads dropped DLL (5 IoCs)
  PID 3224 1a34bba303197eade878b483cd8b02c2bd6bd2af9d5ec501bc61b4b318704f0cN.exe (5 entries)

- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: installChecker.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 1a34bba303197eade878b483cd8b02c2bd6bd2af9d5ec501bc61b4b318704f0cN.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: Installer.exe)

- Suspicious use of WriteProcessMemory (6 IoCs)
  PID 3224 (1a34bba303197eade878b483cd8b02c2bd6bd2af9d5ec501bc61b4b318704f0cN.exe) wrote to memory of PID 4036, procid_target 87 (3 entries)
  PID 4036 (Installer.exe) wrote to memory of PID 736, procid_target 88 (3 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\1a34bba303197eade878b483cd8b02c2bd6bd2af9d5ec501bc61b4b318704f0cN.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1a34bba303197eade878b483cd8b02c2bd6bd2af9d5ec501bc61b4b318704f0cN.exe"
   PID: 3224
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\nst9CFD.tmp\Installer.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\nst9CFD.tmp\Installer.exe /check
      PID: 4036
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Local\Temp\installChecker.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\installChecker.exe" ANT
         PID: 736
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 242KB
  MD5: 8f9b5f4f87207be1cf810ddc95124f92
  SHA1: f5cec54c9aac59167ba95ec8077438be381fba3d
  SHA256: 4501e3f8f41966d403e76d3b1d04525098f0b6d41b65741a8351f3b0d3e4397e
  SHA512: dac421d8132e474ddfc9ba5954928b40d952af17c4c2085c30f5f3dc631962c2f05db52cb487371108b6b61e6fbc0a82d68ced48e9075a1fbc5a214d5d201097

- Filesize: 395KB
  MD5: be2d0db081acbcf78f5eebff8223a943
  SHA1: 58d19519bffc719e916599e1f3f1090871d309b6
  SHA256: 7f14f84f3e694e5fa12bd98906f26244679bc995b2f3d840c432b2f492afe3ce
  SHA512: 14e102d3b956a869fa2733133ab56cc515bf876fcefcf0b117f2d06d08292b59370bbac36b20528ded8b3be0081544615ba2311949d7e05c04687f88dbb5b78e

- Filesize: 11KB
  MD5: c17103ae9072a06da581dec998343fc1
  SHA1: b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
  SHA256: dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
  SHA512: d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

- Filesize: 4KB
  MD5: 7579ade7ae1747a31960a228ce02e666
  SHA1: 8ec8571a296737e819dcf86353a43fcf8ec63351
  SHA256: 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5
  SHA512: a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

- Filesize: 9KB
  MD5: c10e04dd4ad4277d5adc951bb331c777
  SHA1: b1e30808198a3ae6d6d1cca62df8893dc2a7ad43
  SHA256: e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a
  SHA512: 853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e