Analysis
- max time kernel: 150s
- max time network: 158s
- platform: windows7_x64
- resource: win7-20240903-es
- resource tags: arch:x64 arch:x86 image:win7-20240903-es locale:es-es os:windows7-x64 system:windows
- submitted: 17/10/2024, 00:14
Static task: static1
Behavioral task behavioral1
- Sample: pct_trial_installer_20241016.17291238325471b9952.exe
- Resource: win7-20240903-es
Behavioral task behavioral2
- Sample: $TEMP/downloader_easeus/13.0/4trial/EDownloader.exe
- Resource: win7-20240903-es
Behavioral task behavioral3
- Sample: $TEMP/downloader_easeus/13.0/4trial/aliyun/AliyunWrap.dll
- Resource: win7-20240903-es
Behavioral task behavioral4
- Sample: $TEMP/downloader_easeus/13.0/4trial/aliyun/AliyunWrapExe.exe
- Resource: win7-20240903-es
Behavioral task behavioral5
- Sample: $TEMP/downloader_easeus/13.0/4trial/aliyun/InfoForSetup.exe
- Resource: win7-20241010-es
General
- Target: $TEMP/downloader_easeus/13.0/4trial/EDownloader.exe
- Size: 1.2MB
- MD5: b5791976db6be716f520c660de443e8e
- SHA1: 2a68065e1bce3540bbf506597639ea737d3817f2
- SHA256: 863c1c6cfbc0e16ea72b7bae915806c77b1fce1366ca9eb00c7a87038066db60
- SHA512: 8cc2c5703f02e0773ede600a16583776f4ec3fef9540eab1c5fb924fc8ecb1b84f4394c2dc9fa749f12cec45292495710b97f196015a0dafd3e571fba98c5b08
- SSDEEP: 24576:LIHpr4Q+0X+oZPvTWifDZiKg/VXbbyEiSikGhiaUrAoxkxYufmRdY:L0U4uohabbGhYA6cfSdY
Malware Config
Signatures
-
System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: InfoForSetup.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: EDownloader.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: InfoForSetup.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: InfoForSetup.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: AliyunWrapExe.Exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: InfoForSetup.exe
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: InfoForSetup.exe
System Time Discovery (1 TTP, 1 IoC)
Adversary may gather the system time and/or time zone settings from a local or remote system.
- PID 2156; Process: InfoForSetup.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
- PID 2308; Process: EDownloader.exe
- PID 2308; Process: EDownloader.exe
Suspicious use of WriteProcessMemory (39 IoCs; identical rows collapsed, with event counts)
- PID 2308 (EDownloader.exe) wrote to memory of PID 2764; procid_target 30; 7 events
- PID 2308 (EDownloader.exe) wrote to memory of PID 2852; procid_target 31; 7 events
- PID 2852 (InfoForSetup.exe) wrote to memory of PID 2796; procid_target 32; 4 events
- PID 2308 (EDownloader.exe) wrote to memory of PID 2052; procid_target 34; 7 events
- PID 2308 (EDownloader.exe) wrote to memory of PID 2156; procid_target 35; 7 events
- PID 2308 (EDownloader.exe) wrote to memory of PID 916; procid_target 37; 7 events
Processes (nesting depth shown in brackets)
- [1] C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\13.0\4trial\EDownloader.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\13.0\4trial\EDownloader.exe"
  PID: 2308
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\13.0\4trial\aliyun\InfoForSetup.exe
    Command line: /Uid "S-1-5-21-2872745919-2748461613-2989606286-1000"
    PID: 2764
    - System Location Discovery: System Language Discovery
  - [2] C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\13.0\4trial\aliyun\InfoForSetup.exe
    Command line: /SendInfo Window "Web_Installer" Activity "Result_Run_Installer" Attribute "{\"Country\":\"Spain\",\"Pageid\":\"\",\"Timezone\":\"GMT-00:00\"}"
    PID: 2852
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\13.0\4trial\aliyun\AliyunWrapExe.Exe
      Command line: C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\13.0\4trial\aliyun\AliyunWrapExe.Exe
      PID: 2796
      - System Location Discovery: System Language Discovery
  - [2] C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\13.0\4trial\aliyun\InfoForSetup.exe
    Command line: /SendInfo Window "Home_Installer" Activity "Result_Download_Configurefile" Attribute "{\"CDN\":\"http://download.easeus.com/api2/index.php/Apicp/Drwdl202004/index/\",\"Elapsed\":\"5\",\"Errorinfo\":\"4\",\"Result\":\"Failed\"}"
    PID: 2052
    - System Location Discovery: System Language Discovery
  - [2] C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\13.0\4trial\aliyun\InfoForSetup.exe
    Command line: /SendInfo Window "Downloading" Activity "Result_Download_Program" Attribute "{\"Average_Networkspeed\":\"0.00B\",\"Elapsedtime\":\"5\",\"Errorinfo\":\"1004\",\"Result\":\"result_fail\"}"
    PID: 2156
    - System Location Discovery: System Language Discovery
    - System Time Discovery
  - [2] C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\13.0\4trial\aliyun\InfoForSetup.exe
    Command line: /SendInfo Window "Download_Failed" Activity "Click_Retry"
    PID: 916
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads