Analysis

max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31/10/2024, 14:07

Static task: static1

Behavioral task: behavioral1
  Sample: x-lite-5.8.3.102651-installer_apR-1F1.exe
  Resource: win7-20240708-en

Behavioral task: behavioral2
  Sample: x-lite-5.8.3.102651-installer_apR-1F1.exe
  Resource: win10v2004-20241007-en
General

Target: x-lite-5.8.3.102651-installer_apR-1F1.exe
Size: 1.6MB
MD5: 0a16f76a3e64b4014e956fce2af4b38d
SHA1: 5206d9ea862dc0b8d4b787661174d6e4b65fd74a
SHA256: 11529a261bc9f448f4973bf6be2ca0eb2d5b165b2905858daef3ab4e3b8cc210
SHA512: afba0ab83efabca3555919f1f6acb89afaa980d8ec4014a242917ba45d4cb22ad9ed31881c87acc750ec8eb8ed47ca25ff20534630efbed8140ff09d78f9a2f0
SSDEEP: 24576:TawwKusHwEwSNRjVUBj5UQA04kb6rZ/TaUY5r0qxaqmJ6URF:zwREDBUBFUHkb6rZ7S5cmU
Malware Config
Signatures

Downloads MZ/PE file

Executes dropped EXE (1 IoC)
  PID   Process
  4200  x-lite-5.8.3.102651-installer_apR-1F1.tmp

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Description  IoC                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  x-lite-5.8.3.102651-installer_apR-1F1.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  x-lite-5.8.3.102651-installer_apR-1F1.tmp

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  Description        IoC                                                              Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0   x-lite-5.8.3.102651-installer_apR-1F1.tmp
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\  x-lite-5.8.3.102651-installer_apR-1F1.tmp

Script User-Agent (1 IoC)
Uses user-agent string associated with script host/environment.
  Description             Flow  IoC
  HTTP User-Agent header  22    Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses (8 IoCs)
  PID   Process
  4200  x-lite-5.8.3.102651-installer_apR-1F1.tmp
  4200  x-lite-5.8.3.102651-installer_apR-1F1.tmp
  4200  x-lite-5.8.3.102651-installer_apR-1F1.tmp
  4200  x-lite-5.8.3.102651-installer_apR-1F1.tmp
  4200  x-lite-5.8.3.102651-installer_apR-1F1.tmp
  4200  x-lite-5.8.3.102651-installer_apR-1F1.tmp
  4200  x-lite-5.8.3.102651-installer_apR-1F1.tmp
  4200  x-lite-5.8.3.102651-installer_apR-1F1.tmp

Suspicious use of FindShellTrayWindow (1 IoC)
  PID   Process
  4200  x-lite-5.8.3.102651-installer_apR-1F1.tmp

Suspicious use of WriteProcessMemory (3 IoCs)
  Description                       PID   Process                                    procid_target
  PID 3572 wrote to memory of 4200  3572  x-lite-5.8.3.102651-installer_apR-1F1.exe  84
  PID 3572 wrote to memory of 4200  3572  x-lite-5.8.3.102651-installer_apR-1F1.exe  84
  PID 3572 wrote to memory of 4200  3572  x-lite-5.8.3.102651-installer_apR-1F1.exe  84
Processes

C:\Users\Admin\AppData\Local\Temp\x-lite-5.8.3.102651-installer_apR-1F1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\x-lite-5.8.3.102651-installer_apR-1F1.exe"
  PID: 3572
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\is-N2ELF.tmp\x-lite-5.8.3.102651-installer_apR-1F1.tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-N2ELF.tmp\x-lite-5.8.3.102651-installer_apR-1F1.tmp" /SL5="$502DA,781278,776192,C:\Users\Admin\AppData\Local\Temp\x-lite-5.8.3.102651-installer_apR-1F1.exe"
    PID: 4200
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 46KB
MD5: 5fd73821f3f097d177009d88dfd33605
SHA1: 1bacbbfe59727fa26ffa261fb8002f4b70a7e653
SHA256: a6ecce54116936ca27d4be9797e32bf2f3cfc7e41519a23032992970fbd9d3ba
SHA512: 1769a6dfaa30aac5997f8d37f1df3ed4aab5bbee2abbcb30bde4230afed02e1ea9e81720b60f093a4c7fb15e22ee15a3a71ff7b84f052f6759640734af976e02

Filesize: 38KB
MD5: d9ee988b72b14e305f2b8891b1952cde
SHA1: fe73c83b75b11b6eec464cd68df6748ad446ff47
SHA256: 2fe0e0d53b94b1dfecb7a9a1990479d55371c49d8387e9037a48460c4b2d76fe
SHA512: 9f31c3470a598350296879d6a7d8ccff96d64b59dafb00e53b8ae90f78b341bf7cbde1a4d0fe836e6013048910ee9aa54baece3b6d754c5c0c1e0cd52ccf6eaa

Filesize: 22KB
MD5: 42d8d0159577c2efee2a8d4b1531feb8
SHA1: 97074033a60d208d0dcde812998e85c4bc717639
SHA256: 3cbfa49246431f862c484886496c21a157518fe13ce1832786b5fc5bbdb0cb4b
SHA512: afa1001b2bcabca08d56c470d381af4c70acb7ad5783e2fe939526f3d43f12dec8084e6c684e114d0b1ae60335982539dcf3622c3d064d97ecc9f281e3727582

Filesize: 3.0MB
MD5: 4cc9ddb18514c94300fd78fe002b0d2f
SHA1: 0aa4ff18d1239cad8d0aa1b96a376ee396f47ff7
SHA256: c4a5100dcf1eb5dc959e50e36a710c92a53a5c77d0569ee03293142e0eb43fc4
SHA512: 5c1fd45057ea83273bdc1da5b4393e4b4a4a504d4f07283c8e537f50af9559dd036a3e1ef7d7473332d77fd53eca2fbba122c5de3d1ac0fb11ece1be430220d3