7d8057f12048bfd4e011d830963a6dd19e00308fb66dcc9b03d9227f0380a9a8

General

Target

setup.exe
Size

432KB
MD5

22732b9578525e074e71514a97294552
SHA1

b3907009cf153497ad285b2702c777187ae1ba2e
SHA256

b52bec4464e60ae492eddbd344fd26ae295070bada2856ed60f0c7987477e08a
SHA512

7834fada59bf75e2a9b2eaa73dc965873700a50d5721e23fb8fa20ab38671be91247daf290e744aef19da81b7760a96059985b7b4e53dd23321f7c519045ba5c
SSDEEP

6144:MOxMK/tIRDOEPF8BXr0x/u55kjKTpiDH31Us0HzfB7YSs5l4XfBaju4Ti:PxMitkCEqYxdjApQlU3lkbuJaju9

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 4 IoCs

pid	Process
1456	setup.exe
1456	setup.exe
1456	setup.exe
1456	setup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\GLBSINST.%$D	setup.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\ALPR\alpr.exe	setup.exe
File created	C:\Program Files (x86)\ALPR\~GLH0008.TMP	setup.exe
File created	C:\Program Files (x86)\ALPR\~GLH000a.TMP	setup.exe
File created	C:\Program Files (x86)\ALPR\~GLH000b.TMP	setup.exe
File opened for modification	C:\Program Files (x86)\ALPR\readme.txt	setup.exe
File created	C:\Program Files (x86)\ALPR\~GLH0006.TMP	setup.exe
File opened for modification	C:\Program Files (x86)\ALPR\whatsnew.txt	setup.exe
File opened for modification	C:\Program Files (x86)\ALPR\file_id.diz	setup.exe
File opened for modification	C:\PROGRA~2\ALPR\INSTALL.LOG	setup.exe
File opened for modification	C:\Program Files (x86)\ALPR\UNWISE.EXE	setup.exe
File opened for modification	C:\Program Files (x86)\ALPR\alpr.cnt	setup.exe
File created	C:\Program Files (x86)\ALPR\~GLH0007.TMP	setup.exe
File created	C:\Program Files (x86)\ALPR\~GLH0009.TMP	setup.exe
File opened for modification	C:\Program Files (x86)\ALPR\license.txt	setup.exe
File created	C:\PROGRA~2\ALPR\INSTALL.LOG	setup.exe
File created	C:\Program Files (x86)\ALPR\~GLH0004.TMP	setup.exe
File created	C:\Program Files (x86)\ALPR\~GLH0005.TMP	setup.exe
File opened for modification	C:\Program Files (x86)\ALPR\order.txt	setup.exe
File created	C:\Program Files (x86)\ALPR\~GLH0003.TMP	setup.exe
File opened for modification	C:\Program Files (x86)\ALPR\Alpr.hlp	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ALPR\license.txt

Filesize
35KB

MD5
2500ad2c71bca447db07c90bda261f62

SHA1
031f6054e11a8ec7f7069d42d3090496e5ddc8d0

SHA256
28b96eedf10e80360c285c0a7fa3321482a6371f97541a740c9c6249f3ed71af

SHA512
b7d916416eb1c4c014cf1af786192bbd76677b5885f72df93f43dae2f7321b4c8ee22dbe3a7b1572251b0557a76d4ce8adfa7a03b4e762d121a05a8e521faecb

Download Submit
C:\Program Files (x86)\ALPR\readme.txt

Filesize
2KB

MD5
1295ac583be505fcdf5d9e0a7f70a0a7

SHA1
21458ef093194a566b377ca8dd3b280a66e9e2c6

SHA256
7e32c6f51815d15c9507e8fba6bbb1a3ca2fda5784acd287f59e958cd3dcd753

SHA512
1fd2dddf7cd09b381c848d109f60e42365044b0ad83e4c5778297081d1441b91facfd61ffae835b34879df79c1b88d9b754392188efdf5bab311b8c6d2bba917

Download Submit
\Program Files (x86)\ALPR\UNWISE.EXE

Filesize
146KB

MD5
443e13846997c537e8f5ed61130ab705

SHA1
6b10d458a5f1e3dbf8dfa96b118cf232d3a66f5f

SHA256
49ef36bd01b8ebf38c7b807a5fb44cbaf47c9d4efa883b01c41494c61ae4a2e2

SHA512
dd994d001f7de591cd03a7d875ec0a96be0dbf31ee7c2508ab67c701a27bdebdcb14dffd7f971f2dc5b86bb44443e4816880d73cacf7974b1731078a841fddb8

Download Submit
\Program Files (x86)\ALPR\alpr.exe

Filesize
241KB

MD5
e02713aa0ca0c47da722878f654e44d3

SHA1
5e5ee1163afb8da0b0dc826a3ca16a2a5d153e2b

SHA256
d2f646020a8f4cfdd016b61fd0c0a2fac3a1ef61da8c92c8a82bbf103c7163da

SHA512
08f58a9f331a45f34e3fc24d341bd6d996d545aa8791c33f5ca33fd0aff6907fd0052fd082bc6de29b54e7ac7788870e54cbeb5f605aea526c768c97c2b1c67c

Download Submit
\Users\Admin\AppData\Local\Temp\GLC3736.tmp

Filesize
150KB

MD5
f3b9bfed127ffc97f63cd8c7ce8bc1a9

SHA1
468425842e3a29a4de6adb03652f02fdafd9fc82

SHA256
9acc324586a37cfa6f862439cfea45acd1378b4880b831cf5cca71389e0c5582

SHA512
671828ffce8660e3326f63f4e6a80941bbacfaa13ded2d58e6ffeacf9501ee66683b70fa4a100bfe7d24aea6fee8c3eda0e9a6c5ecdd792f6febb1981be030ff

Download Submit
\Users\Admin\AppData\Local\Temp\GLF42FC.tmp

Filesize
9KB

MD5
0ce392cdcf8714d0b32cb619d8eb5fb1

SHA1
d26f89db5b09c2c990ebc9e8314af7f510299189

SHA256
5f1957ed9d0632ef3225709584ea44d001d579cbcb5ea7ba87384c16fdd18604

SHA512
08039808cfe58643ba732869e98979455663618b436a2fed134c1ca937365ddce0d5b40258a257783ab32a800a1667cc88118d49dc9ff52d59de0fccc6d498dd

Download Submit

Analysis

Sharing