Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240708-es -
resource tags
arch:x64arch:x86image:win7-20240708-eslocale:es-esos:windows7-x64systemwindows -
submitted
17/10/2024, 00:27
Static task
static1
Behavioral task
behavioral1
Sample
pct_trial_installer_20241016.17291248214345b9952.exe
Resource
win7-20240903-es
Behavioral task
behavioral2
Sample
$TEMP/downloader_easeus/13.0/4trial/EDownloader.exe
Resource
win7-20240708-es
Behavioral task
behavioral3
Sample
$TEMP/downloader_easeus/13.0/4trial/aliyun/AliyunWrap.dll
Resource
win7-20240708-es
Behavioral task
behavioral4
Sample
$TEMP/downloader_easeus/13.0/4trial/aliyun/AliyunWrapExe.exe
Resource
win7-20240903-es
Behavioral task
behavioral5
Sample
$TEMP/downloader_easeus/13.0/4trial/aliyun/InfoForSetup.exe
Resource
win7-20241010-es
General
-
Target
$TEMP/downloader_easeus/13.0/4trial/EDownloader.exe
-
Size
1.2MB
-
MD5
b5791976db6be716f520c660de443e8e
-
SHA1
2a68065e1bce3540bbf506597639ea737d3817f2
-
SHA256
863c1c6cfbc0e16ea72b7bae915806c77b1fce1366ca9eb00c7a87038066db60
-
SHA512
8cc2c5703f02e0773ede600a16583776f4ec3fef9540eab1c5fb924fc8ecb1b84f4394c2dc9fa749f12cec45292495710b97f196015a0dafd3e571fba98c5b08
-
SSDEEP
24576:LIHpr4Q+0X+oZPvTWifDZiKg/VXbbyEiSikGhiaUrAoxkxYufmRdY:L0U4uohabbGhYA6cfSdY
Malware Config
Signatures
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EDownloader.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language InfoForSetup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language InfoForSetup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AliyunWrapExe.Exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language InfoForSetup.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language InfoForSetup.exe -
System Time Discovery 1 TTPs 1 IoCs
Adversary may gather the system time and/or time zone settings from a local or remote system.
pid Process 1028 InfoForSetup.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2800 EDownloader.exe 2800 EDownloader.exe -
Suspicious use of WriteProcessMemory 32 IoCs
description pid Process procid_target PID 2800 wrote to memory of 2848 2800 EDownloader.exe 30 PID 2800 wrote to memory of 2848 2800 EDownloader.exe 30 PID 2800 wrote to memory of 2848 2800 EDownloader.exe 30 PID 2800 wrote to memory of 2848 2800 EDownloader.exe 30 PID 2800 wrote to memory of 2848 2800 EDownloader.exe 30 PID 2800 wrote to memory of 2848 2800 EDownloader.exe 30 PID 2800 wrote to memory of 2848 2800 EDownloader.exe 30 PID 2800 wrote to memory of 2716 2800 EDownloader.exe 31 PID 2800 wrote to memory of 2716 2800 EDownloader.exe 31 PID 2800 wrote to memory of 2716 2800 EDownloader.exe 31 PID 2800 wrote to memory of 2716 2800 EDownloader.exe 31 PID 2800 wrote to memory of 2716 2800 EDownloader.exe 31 PID 2800 wrote to memory of 2716 2800 EDownloader.exe 31 PID 2800 wrote to memory of 2716 2800 EDownloader.exe 31 PID 2716 wrote to memory of 2836 2716 InfoForSetup.exe 32 PID 2716 wrote to memory of 2836 2716 InfoForSetup.exe 32 PID 2716 wrote to memory of 2836 2716 InfoForSetup.exe 32 PID 2716 wrote to memory of 2836 2716 InfoForSetup.exe 32 PID 2800 wrote to memory of 740 2800 EDownloader.exe 33 PID 2800 wrote to memory of 740 2800 EDownloader.exe 33 PID 2800 wrote to memory of 740 2800 EDownloader.exe 33 PID 2800 wrote to memory of 740 2800 EDownloader.exe 33 PID 2800 wrote to memory of 740 2800 EDownloader.exe 33 PID 2800 wrote to memory of 740 2800 EDownloader.exe 33 PID 2800 wrote to memory of 740 2800 EDownloader.exe 33 PID 2800 wrote to memory of 1028 2800 EDownloader.exe 34 PID 2800 wrote to memory of 1028 2800 EDownloader.exe 34 PID 2800 wrote to memory of 1028 2800 EDownloader.exe 34 PID 2800 wrote to memory of 1028 2800 EDownloader.exe 34 PID 2800 wrote to memory of 1028 2800 EDownloader.exe 34 PID 2800 wrote to memory of 1028 2800 EDownloader.exe 34 PID 2800 wrote to memory of 1028 2800 EDownloader.exe 34
Processes
-
C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\13.0\4trial\EDownloader.exe"C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\13.0\4trial\EDownloader.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\13.0\4trial\aliyun\InfoForSetup.exe/Uid "S-1-5-21-3551809350-4263495960-1443967649-1000"2⤵
- System Location Discovery: System Language Discovery
PID:2848
-
-
C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\13.0\4trial\aliyun\InfoForSetup.exe/SendInfo Window "Web_Installer" Activity "Result_Run_Installer" Attribute "{\"Country\":\"Spain\",\"Pageid\":\"\",\"Timezone\":\"GMT-00:00\"}"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\13.0\4trial\aliyun\AliyunWrapExe.ExeC:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\13.0\4trial\aliyun\AliyunWrapExe.Exe3⤵
- System Location Discovery: System Language Discovery
PID:2836
-
-
-
C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\13.0\4trial\aliyun\InfoForSetup.exe/SendInfo Window "Home_Installer" Activity "Result_Download_Configurefile" Attribute "{\"CDN\":\"http://download.easeus.com/api2/index.php/Apicp/Drwdl202004/index/\",\"Elapsed\":\"2\",\"Errorinfo\":\"4\",\"Result\":\"Failed\"}"2⤵
- System Location Discovery: System Language Discovery
PID:740
-
-
C:\Users\Admin\AppData\Local\Temp\$TEMP\downloader_easeus\13.0\4trial\aliyun\InfoForSetup.exe/SendInfo Window "Downloading" Activity "Result_Download_Program" Attribute "{\"Average_Networkspeed\":\"0.00B\",\"Elapsedtime\":\"2\",\"Errorinfo\":\"1004\",\"Result\":\"result_fail\"}"2⤵
- System Location Discovery: System Language Discovery
- System Time Discovery
PID:1028
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
794B
MD5eaaf1fa99f898d89e7bd488479d17b1f
SHA1ae5f0f4162cf6975a64d96a8b18dcbadd38ab634
SHA256ae7d468aa05506d726b9f6873c7049c4cf900e039e0d9dfd87d5681f2c66a07d
SHA5120f74b030e8c3bc5fb1a1aff6a00064dd609062f99f916e063f50aae600a9ec0987094e0035c957581b722e640065d08b2c3de033f5a96b2e019e401f608b318d
-
Filesize
1KB
MD57b92d69fd825c846b43f667310134478
SHA18400ba8933c3ebed6e7ab910282d18ed4db92f34
SHA256f849c7b42ce79d72e0a6b8a111867496953824d0553d78e0453fc9e0788f0ebc
SHA512461e538f9704d0a87c260ec3452175a9905d8da393727229284d04f0db0f9428bb020e3dc0650f2215b570d2b9b7970c8c1fb449b401813bc63d04481e93cace
-
Filesize
1KB
MD57971b4687475c3a9c631fa723caa4bd8
SHA1800bd7c8e42350a26011341b215d61423e471044
SHA256d1b211bbbb8ca24bb325a88b4b5918c7a9f5758abf19330d7da60bb2b53a47cc
SHA512b6b8f7590322e2da3a8f0a495e6b5618465a20f890c04a45cc1926e72c11485f075eaec033ce76f46e6fe613552379fa2304ee2c3f9d95f323875f9f74e0dc85
-
Filesize
1KB
MD5e6fd601a122a2fa0c48518cd10774c56
SHA18f6e544caa34bc693a193c4d665ab79179aa6b57
SHA25637bca74ce883f5ad6422de2358586b77db8c54ee331d19b27c3486e80ae821e6
SHA5123127cdaf6097f2ceaac88800ecf5e2ca590296a8f6e356fcee62ef451d94f808ecb0453b8cad5160bc99ca0efd7128ce3024f71957006b27cd5bac07f99cf1ec
-
Filesize
538B
MD5efc5dd69c76c9242e80a64e30c1a6838
SHA160a58825144816fb17a0a85471f039f7ea4a64a9
SHA2567d80ccd284bd0ec7f1039618493d6d46db84212657932c1360867b24fe36cd6f
SHA51219393e135fb18ad26848edfd38caeb386abc51c35ff5ce3a171a995a983ba0b975e30c4df77e0dc9a88f0298594eaa51dc468a4d93457ded993693236ddcbe27
-
Filesize
88B
MD57f411750d07619f38537e7fd612b8b44
SHA1cda241a1ce5141288582c8f0ac4850992b427bdc
SHA256ae89726af2bd0c0218fbf63af20d4464f44dced5156364d817b6e73afc8e9f87
SHA51235dad46325060004a66e01e10af6a3ebfd94b6751347b6ec64840c4ec03d81480fc324494ea39dded03bf2f1a1ce352b15ab518d14214c15567af17fb32f16b8
-
Filesize
1KB
MD5787b065a119199e4aee915d1a8df8ac0
SHA1c23c49adbc48739c6a02114a08fb1d1764f4dcac
SHA256df115fe9dfb578d4f40023a7f582ba27ed4b27a5e07cf334f29de8686fe4e371
SHA512700ac749551302e4ed33d7a9ae35e8239a4b9f4e22f50002ffac71e1a5b447751049402d2d8217f40298e634b90dee59d472c4927f52099599b1e3c3ad95c42e
-
Filesize
616B
MD5d65ea776d7b53ff405effdbf53c786f7
SHA1d88d612224af3278530794b6900197eeefef3e47
SHA256b7a006c4c8cfa20a0549c0c38a571a0e3b4228e13c22ec2bcbe976aeb2f87c69
SHA512ce5a98407ea9a401eeb228a4f469aeac87cb357494388d0cc36591513c2de49f6716463993460f0c93e55d4a0f982e65aa2931d9c564eeba380bc31b87387daa
-
Filesize
616B
MD579185712ba973c6c7f7fda9a63671f02
SHA1e02a2b0897371e8e0c48093bfc082b6a22b66412
SHA2565962b9851ac525c5b4eb31c4b0bd2ee6962644b8592d098a3cae125996f8115f
SHA51266b3c8b950f134c112526237191385fd77b70b0ede1924b9ca4c57ac0dfc748dadc73e90ecb43e7911c838b7482e5d76ca5d6b99012bd3c7fe29891ceaa8e2c6
-
Filesize
1B
MD5cfcd208495d565ef66e7dff9f98764da
SHA1b6589fc6ab0dc82cf12099d1c2d40ab994e8410c
SHA2565feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9
SHA51231bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99