Analysis
max time kernel: 91s
max time network: 94s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64 arch:x86 image:win11-20241007-en locale:en-us os:windows11-21h2-x64 system
submitted: 16/10/2024, 00:47
Static task: static1

Behavioral task: behavioral1
  Sample: epm_free_installer.17288686159294b32199.exe
  Resource: win11-20241007-en

Behavioral task: behavioral2
  Sample: $TEMP/downloader_easeus/2.2.0/5free/EDownloader.exe
  Resource: win11-20241007-en

Behavioral task: behavioral3
  Sample: $TEMP/downloader_easeus/2.2.0/5free/aliyun/AliyunWrap.dll
  Resource: win11-20241007-en

Behavioral task: behavioral4
  Sample: $TEMP/downloader_easeus/2.2.0/5free/aliyun/AliyunWrapExe.exe
  Resource: win11-20241007-en

Behavioral task: behavioral5
  Sample: $TEMP/downloader_easeus/2.2.0/5free/aliyun/InfoForSetup.exe
  Resource: win11-20241007-en
General
Target: $TEMP/downloader_easeus/2.2.0/5free/EDownloader.exe
Size: 1.2MB
MD5: 75c6aa0ea529a99be1aa7a6ce1d40eb7
SHA1: 90b78031df82bb75366e26c5313ed2b5f41a4dc1
SHA256: 2fae081440a24194dae7aeab20612cff53f6c94e6c0d09ead3ba2cba70a87e46
SHA512: d35250868409cb1c93471af557f895eaf76c38599c28730fb7a75300175c1b78c288e259d4d0d5fe1fefadb68c1f760ca6b1c2b7860598ddc1483b303cb500a0
SSDEEP: 24576:2s/G6GbJFLBoVs9nIDak3ri91DcSF+oYPa5crmMO4k5mBc:2WsDsbWgo/5wBvk5mBc
Malware Config
Signatures
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
System Location Discovery: System Language Discovery (1 TTPs, 8 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | InfoForSetup.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | InfoForSetup.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | InfoForSetup.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | EDownloader.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | InfoForSetup.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | InfoForSetup.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AliyunWrapExe.Exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | InfoForSetup.exe
Suspicious use of WriteProcessMemory (21 IoCs)

description | pid | Process | procid_target
PID 3700 wrote to memory of 900 | 3700 | EDownloader.exe | 77
PID 3700 wrote to memory of 900 | 3700 | EDownloader.exe | 77
PID 3700 wrote to memory of 900 | 3700 | EDownloader.exe | 77
PID 3700 wrote to memory of 4116 | 3700 | EDownloader.exe | 78
PID 3700 wrote to memory of 4116 | 3700 | EDownloader.exe | 78
PID 3700 wrote to memory of 4116 | 3700 | EDownloader.exe | 78
PID 4116 wrote to memory of 3140 | 4116 | InfoForSetup.exe | 79
PID 4116 wrote to memory of 3140 | 4116 | InfoForSetup.exe | 79
PID 4116 wrote to memory of 3140 | 4116 | InfoForSetup.exe | 79
PID 3700 wrote to memory of 1212 | 3700 | EDownloader.exe | 80
PID 3700 wrote to memory of 1212 | 3700 | EDownloader.exe | 80
PID 3700 wrote to memory of 1212 | 3700 | EDownloader.exe | 80
PID 3700 wrote to memory of 1868 | 3700 | EDownloader.exe | 81
PID 3700 wrote to memory of 1868 | 3700 | EDownloader.exe | 81
PID 3700 wrote to memory of 1868 | 3700 | EDownloader.exe | 81
PID 3700 wrote to memory of 428 | 3700 | EDownloader.exe | 82
PID 3700 wrote to memory of 428 | 3700 | EDownloader.exe | 82
PID 3700 wrote to memory of 428 | 3700 | EDownloader.exe | 82
PID 3700 wrote to memory of 1980 | 3700 | EDownloader.exe | 83
PID 3700 wrote to memory of 1980 | 3700 | EDownloader.exe | 83
PID 3700 wrote to memory of 1980 | 3700 | EDownloader.exe | 83
Processes
Image: C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\EDownloader.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\EDownloader.exe"
PID: 3700
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory

    Image: C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\aliyun\InfoForSetup.exe
    Command line: /Uid "S-1-5-21-3870231897-2573482396-1083937135-1000"
    PID: 900
    - System Location Discovery: System Language Discovery

    Image: C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\aliyun\InfoForSetup.exe
    Command line: /SendInfo Window "Web_Installer" Activity "Result_Run_Installer" Attribute "{\"Country\":\"United States\",\"Pageid\":\"999999\",\"Timezone\":\"GMT-00:00\"}"
    PID: 4116
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

        Image: C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\aliyun\AliyunWrapExe.Exe
        Command line: C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\aliyun\AliyunWrapExe.Exe
        PID: 3140
        - System Location Discovery: System Language Discovery

    Image: C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\aliyun\InfoForSetup.exe
    Command line: /SendInfo Window "Home_Installer" Activity "Result_Download_Configurefile" Attribute "{\"CDN\":\"http://download.easeus.com/api2/index.php/Apicp/Drwdl202004/index/\",\"Elapsed\":\"2\",\"Errorinfo\":\"4\",\"PostURL\":\"http://download.easeus.com/api2/index.php/Apicp/Drwdl202004/index/?exeNumber=999999&lang=English&pcVersion=home&pid=5&tid=1&version=&tmpTime_=467\",\"ResponseJson\":\"{\\"check\\":0,\\"msg\\":\\"version\\u4e3a\\u7a7a\\",\\"time\\":1729039719}\",\"Result\":\"Failed\"}"
    PID: 1212
    - System Location Discovery: System Language Discovery

    Image: C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\aliyun\InfoForSetup.exe
    Command line: /SendInfo Window "Home_Installer" Activity "Result_Download_Configurefile" Attribute "{\"CDN\":\"http://download2.easeus.com/api2/index.php/Apicp/Drwdl202004/index/\",\"Elapsed\":\"1\",\"Errorinfo\":\"4\",\"PostURL\":\"http://download2.easeus.com/api2/index.php/Apicp/Drwdl202004/index/?exeNumber=999999&lang=English&pcVersion=home&pid=5&tid=1&version=&tmpTime_=169\",\"ResponseJson\":\"{\\"check\\":0,\\"msg\\":\\"version\\u4e3a\\u7a7a\\",\\"time\\":1729039720}\",\"Result\":\"Failed\"}"
    PID: 1868
    - System Location Discovery: System Language Discovery

    Image: C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\aliyun\InfoForSetup.exe
    Command line: /SendInfo Window "Home_Installer" Activity "Result_Download_Configurefile" Attribute "{\"CDN\":\"http://download3.easeus.com/api2/index.php/Apicp/Drwdl202004/index/\",\"Elapsed\":\"2\",\"Errorinfo\":\"4\",\"PostURL\":\"http://download3.easeus.com/api2/index.php/Apicp/Drwdl202004/index/?exeNumber=999999&lang=English&pcVersion=home&pid=5&tid=1&version=&tmpTime_=358\",\"ResponseJson\":\"{\\"check\\":0,\\"msg\\":\\"version\\u4e3a\\u7a7a\\",\\"time\\":1729039722}\",\"Result\":\"Failed\"}"
    PID: 428
    - System Location Discovery: System Language Discovery

    Image: C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\aliyun\InfoForSetup.exe
    Command line: /SendInfo Window "Home_Installer" Activity "Result_Download_Configurefile" Attribute "{\"CDN\":\"http://download.easeus.com/api2/index.php/Apicp/Drwdl202004/index/\",\"Elapsed\":\"1\",\"Errorinfo\":\"4\",\"PostURL\":\"http://download.easeus.com/api2/index.php/Apicp/Drwdl202004/index/?exeNumber=999999&lang=English&pcVersion=home&pid=5&tid=1&version=&tmpTime_=705\",\"ResponseJson\":\"{\\"check\\":0,\\"msg\\":\\"version\\u4e3a\\u7a7a\\",\\"time\\":1729039723}\",\"Result\":\"Failed\"}"
    PID: 1980
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 3KB
MD5: 013d5459c3f484b02bf9087e8104c03b
SHA1: 388abc1694b93fc728f920e5d70c23d34e3d0839
SHA256: 6058f3cfadcc4b7ce601c286e57148218205776b106d00c8a9e94c175c9f1f77
SHA512: e09a5498cd7a84dde7b7426bc61ed6411e4f27d816ab8c2b9462bcf827d1a0844bf5e6a091a17dd1a8122034668b8d23b302caa96e29e7765ac3b580ec8694f9

Filesize: 4KB
MD5: 90bba5bb7b1506df66f96fcbc121425f
SHA1: 13ecff0bf165a3b897b8e590757f36a66591ff1e
SHA256: 04c2bc5b3b15372f0e3ccec313209c2d17420d8e9cee3a9c5b9f78d18cbbd51c
SHA512: dae2edc573b41ed6456a9c02b27c07088fb34aaa8c0c31e4763dba0140f7187c0f8d38a8f1bbffffc602b56ef6420dcb2c79edbde21b1fa2d8e711e8b0da3349

Filesize: 1KB
MD5: 0eb67fa0af2daf4dece74756d810af59
SHA1: 3cf23935fe26f013b42de2ee6da6633f62e402d4
SHA256: 223742a5b5d95ce56edca7a4fd427d492801cba632084baeab67bc6932b8e171
SHA512: 8b32283891a1cc5dac65fa9d8744e5a2214f2176538b0556fb304b3d5f8666e1904eab523125a7018c13d1acc610a353ec94103fcfe7faaf296edd9e8cd06684

Filesize: 88B
MD5: 7f411750d07619f38537e7fd612b8b44
SHA1: cda241a1ce5141288582c8f0ac4850992b427bdc
SHA256: ae89726af2bd0c0218fbf63af20d4464f44dced5156364d817b6e73afc8e9f87
SHA512: 35dad46325060004a66e01e10af6a3ebfd94b6751347b6ec64840c4ec03d81480fc324494ea39dded03bf2f1a1ce352b15ab518d14214c15567af17fb32f16b8

Filesize: 1KB
MD5: d25ad3c5b0430841ca9e769146c9edbc
SHA1: 588f93d0e7f26445dacc2a1d7ddecc2950dab34a
SHA256: e065da495da6852ee5e3d23c2eb0850990ef6e780c2ff0c9a32dcc6e716ec9a5
SHA512: 8275c2dc3f4951613937e597a03cdeb25a18ae191a633419045c3132762f945f34d0123c17157db4cf5245231bdfef85fd241f6fe1ea9ef3533b14a6db12c4c1

Filesize: 1KB
MD5: a41d95cfe92ff2d0c00e0afa3dd64f41
SHA1: 87d37f8752f106924a43c220d0c0797d78a602d9
SHA256: fa90a667fb7e99832c4793ca246add4d0a347475225fb5648c1efbf7e495bf3f
SHA512: ca1d4307cb9d97f259f8ba99b083129b9fd6ca7bdb0822395a70a5454ab5e077fa1c19d8863fb40e13dc4f2306ae5c6f5846b7ef4de9143268037376807ec20a

Filesize: 982B
MD5: f3ee3b7248ee02606217108ae6ff0a9f
SHA1: f2016e42a22fc71d2bd18e76cf2894997a3334a7
SHA256: 56680a9b2d62349f663f5401c0c763f41ffce0fd6751be0879b02eebfd8d2a12
SHA512: 3a7eb26ed41a971011e617b081208d755b8ff8d847c17a46fe11f6859b81fd35d37b5800e28f540edf9c50c03bad8c4fbfb9d0330b905f3d9f429103ca088d8a

Filesize: 1KB
MD5: f2269a2cb534372262c918e2e772884f
SHA1: 3e4acd9c5abb6ae8f864c4e2fe020366ca4b9cc8
SHA256: e71eb693aa41176d7191dc0fc4010202e92acf95ee57e64af657b57449a268f1
SHA512: 7531a2e27fc4b49f88cf3723ae85c1c8eddb4d5ea04a2133d7fb116c288c31a722a11cfc32132462e2185742c32356f8a7824478a906212d294b36ba6fa2a2f6

Filesize: 2KB
MD5: ad8777fea8cf5f170c5618648c6d5d7f
SHA1: fd3139fbcb4d86ca6212c10a3a6f8b707e675637
SHA256: e59c13d440afa366d88578ae539bbc548affbbe1e46e2908b0d5a1afa5fab02c
SHA512: 3d928614fb6d8c3967ec3b8ecb31c041580b01ecad8723dd57acbf866eff659989797598a2acd8baf388e28c54745991604c77c4d96393f24bc4e08bd963ca3a

Filesize: 1KB
MD5: 87d5f0f63ede82cd5f57fb09fb1b583b
SHA1: 91b1b0edef26a1402b118b4a6a7d591d021d109f
SHA256: c89925348ad7b23118022eb913b25dcb4cfe25ac61bef04640049c86bf5985be
SHA512: 1c8b09e9a8147dd5f60e90fd79335d42444c968f41ab965647df0f007cc72efed29e2de0274ec036b3bc2ebf509c0e373dd4187a324eacb521b79bca00a99b8d

Filesize: 1B
MD5: cfcd208495d565ef66e7dff9f98764da
SHA1: b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA256: 5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA512: 31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99