Analysis
max time kernel: 147s
max time network: 151s
platform: windows11-21h2_x64
resource: win11-20241007-en
resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 16/10/2024, 00:47
Static task: static1
Behavioral task: behavioral1
  Sample: epm_free_installer.17288686159294b32199.exe
  Resource: win11-20241007-en
Behavioral task: behavioral2
  Sample: $TEMP/downloader_easeus/2.2.0/5free/EDownloader.exe
  Resource: win11-20241007-en
Behavioral task: behavioral3
  Sample: $TEMP/downloader_easeus/2.2.0/5free/aliyun/AliyunWrap.dll
  Resource: win11-20241007-en
Behavioral task: behavioral4
  Sample: $TEMP/downloader_easeus/2.2.0/5free/aliyun/AliyunWrapExe.exe
  Resource: win11-20241007-en
Behavioral task: behavioral5
  Sample: $TEMP/downloader_easeus/2.2.0/5free/aliyun/InfoForSetup.exe
  Resource: win11-20241007-en
General
Target: $TEMP/downloader_easeus/2.2.0/5free/aliyun/AliyunWrap.dll
Size: 499KB
MD5: 04bb1a799bcdba7643201749633e8a3a
SHA1: 2039c43181f4a64bef31617749b517e30dae8a17
SHA256: 84beff2c37a816ad67a2a9ed6cdb61469a1bb6971d22650e6c77098ac2fc6ebc
SHA512: 4118717d6460aeeed7a8fcc8e5fb07abc1e55569bf5215e4f96b6c213bee73cd53cdc93953dbc0d923b1b9ad9cbbe06da78f5378e8777708928a6ab6073aea75
SSDEEP: 12288:sErmJOpaClo3cm/jFjEwJaZECM4xv+Dk4Dl36PIp5HqEY727+:sBFYHnZQDsIbqES2q
Malware Config
Signatures
Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  4320  2376        WerFault.exe  77
  WerFault.exe was started for PID 2376, the SysWOW64 rundll32.exe hosting AliyunWrap.dll, so the host faulted shortly after loading the DLL. Because the run ended in a crash, it shows little of the DLL's own behaviour.
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
  Caveat: the key open is attributed to the rundll32.exe host, and legitimate locale-aware code reads NLS\Language too, so this single hit is weak evidence of geofencing on its own.
Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   Process       procid_target
  PID 2956 wrote to memory of 2376  2956  rundll32.exe  77
  PID 2956 wrote to memory of 2376  2956  rundll32.exe  77
  PID 2956 wrote to memory of 2376  2956  rundll32.exe  77
  Caveat: 2956 is the 64-bit C:\Windows\system32\rundll32.exe and 2376 is the 32-bit C:\Windows\SysWOW64\rundll32.exe it launched with the same command line. A 64-bit rundll32 that is handed a 32-bit DLL re-executes itself through SysWOW64, and the writes into that new child are part of process creation, not injection into an unrelated process.
Processes
C:\Windows\system32\rundll32.exe (PID 2956)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\aliyun\AliyunWrap.dll,#1
  signatures: Suspicious use of WriteProcessMemory
  └─ C:\Windows\SysWOW64\rundll32.exe (PID 2376)
       command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\aliyun\AliyunWrap.dll,#1
       signatures: System Location Discovery: System Language Discovery
       └─ C:\Windows\SysWOW64\WerFault.exe (PID 4320)
            command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 584
            signatures: Program crash
C:\Windows\SysWOW64\WerFault.exe (PID 1460)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2376 -ip 2376
The trailing ,#1 tells rundll32 to call the DLL's export with ordinal 1. This is the sandbox's generic way of exercising a DLL that was submitted on its own, so the tree shows how AliyunWrap.dll behaves under rundll32, not necessarily how the installer's own executables load it.
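To make the process-tree reading above mechanical, here is an added Python example (not code from the sandbox report or from EaseUS). It rebuilds the tree from event records constructed from the PIDs and command lines on this page, recognises rundll32 invocations that load a DLL by export name or ordinal, flags the system32 to SysWOW64 rundll32 hand-off that a 64-bit rundll32 performs when given a 32-bit DLL, and joins WerFault's -p argument back to the crashed PID. The EVENTS list, the field names and the function names are my assumptions, not a sandbox export format.

```python
"""Triage a sandbox process tree for the rundll32 -> WoW64 rundll32 -> WerFault chain.

Added example; the EVENTS records below are constructed from the PIDs and command
lines shown in the report (parent links follow the tree on the page).
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field


@dataclass
class Proc:
    pid: int
    ppid: int | None
    image: str
    cmdline: str
    children: list["Proc"] = field(default_factory=list)


# Constructed from the report's process list (hypothetical record layout).
EVENTS = [
    dict(pid=2956, ppid=None, image=r"C:\Windows\system32\rundll32.exe",
         cmdline=r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\aliyun\AliyunWrap.dll,#1"),
    dict(pid=2376, ppid=2956, image=r"C:\Windows\SysWOW64\rundll32.exe",
         cmdline=r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\2.2.0\5free\aliyun\AliyunWrap.dll,#1"),
    dict(pid=4320, ppid=2376, image=r"C:\Windows\SysWOW64\WerFault.exe",
         cmdline=r"C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 584"),
    dict(pid=1460, ppid=None, image=r"C:\Windows\SysWOW64\WerFault.exe",
         cmdline=r"C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2376 -ip 2376"),
]

# rundll32 syntax: rundll32[.exe] <dll path>,<export name or #ordinal>
RUNDLL_RE = re.compile(r"^rundll32(?:\.exe)?\s+(?P<dll>.+?),(?P<entry>#?\w+)\s*$", re.IGNORECASE)
# WerFault identifies the faulting process with "-p <pid>" in every launch mode
WERFAULT_PID_RE = re.compile(r"-p\s+(\d+)")


def build_tree(events):
    """Return (pid -> Proc, list of root Procs) from flat event records."""
    procs = {e["pid"]: Proc(e["pid"], e["ppid"], e["image"], e["cmdline"]) for e in events}
    roots = []
    for p in procs.values():
        parent = procs.get(p.ppid) if p.ppid is not None else None
        (parent.children if parent else roots).append(p)
    return procs, roots


def parse_rundll32(cmdline):
    """Extract the DLL path and entry point from a rundll32 command line, or None."""
    m = RUNDLL_RE.match(cmdline)
    if not m:
        return None
    entry = m.group("entry")
    return {"dll": m.group("dll"), "entry": entry, "ordinal": entry.startswith("#")}


def crashed_pids(procs):
    """PIDs that any WerFault.exe instance was launched for (-p <pid>)."""
    out = set()
    for p in procs.values():
        if p.image.lower().endswith("\\werfault.exe"):
            m = WERFAULT_PID_RE.search(p.cmdline)
            if m:
                out.add(int(m.group(1)))
    return out


def triage(events):
    """One finding per rundll32 host: what it loaded, whether it is the WoW64 child, whether it crashed."""
    procs, _ = build_tree(events)
    crashed = crashed_pids(procs)
    findings = []
    for p in procs.values():
        info = parse_rundll32(p.cmdline)
        if not info:
            continue
        parent = procs.get(p.ppid) if p.ppid is not None else None
        # The 64-bit host re-launching its SysWOW64 twin with an identical command line
        # is the expected way a 32-bit DLL gets loaded; it is not injection.
        wow64_handoff = (
            parent is not None
            and parse_rundll32(parent.cmdline) == info
            and "\\syswow64\\" in p.image.lower()
            and "\\system32\\" in parent.image.lower()
        )
        findings.append({
            "pid": p.pid, "dll": info["dll"].rsplit("\\", 1)[-1],
            "entry": info["entry"], "ordinal_entry": info["ordinal"],
            "wow64_handoff": wow64_handoff, "crashed": p.pid in crashed,
        })
    return findings


if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(finding)
```

Joining WerFault's -p argument to the faulting PID is more reliable than walking parent links: the second WerFault instance (PID 1460, started with -pss) has no parent in the tree, yet its command line still names PID 2376.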