Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31/10/2024, 14:07

General

  • Target

    x-lite-5.8.3.102651-installer_apR-1F1.exe

  • Size

    1.6MB

  • MD5

    0a16f76a3e64b4014e956fce2af4b38d

  • SHA1

    5206d9ea862dc0b8d4b787661174d6e4b65fd74a

  • SHA256

    11529a261bc9f448f4973bf6be2ca0eb2d5b165b2905858daef3ab4e3b8cc210

  • SHA512

    afba0ab83efabca3555919f1f6acb89afaa980d8ec4014a242917ba45d4cb22ad9ed31881c87acc750ec8eb8ed47ca25ff20534630efbed8140ff09d78f9a2f0

  • SSDEEP

    24576:TawwKusHwEwSNRjVUBj5UQA04kb6rZ/TaUY5r0qxaqmJ6URF:zwREDBUBFUHkb6rZ7S5cmU

Score
6/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\x-lite-5.8.3.102651-installer_apR-1F1.exe
    "C:\Users\Admin\AppData\Local\Temp\x-lite-5.8.3.102651-installer_apR-1F1.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3572
    • C:\Users\Admin\AppData\Local\Temp\is-N2ELF.tmp\x-lite-5.8.3.102651-installer_apR-1F1.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-N2ELF.tmp\x-lite-5.8.3.102651-installer_apR-1F1.tmp" /SL5="$502DA,781278,776192,C:\Users\Admin\AppData\Local\Temp\x-lite-5.8.3.102651-installer_apR-1F1.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      PID:4200

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\is-EQVK0.tmp\100.png

          Filesize

          46KB

          MD5

          5fd73821f3f097d177009d88dfd33605

          SHA1

          1bacbbfe59727fa26ffa261fb8002f4b70a7e653

          SHA256

          a6ecce54116936ca27d4be9797e32bf2f3cfc7e41519a23032992970fbd9d3ba

          SHA512

          1769a6dfaa30aac5997f8d37f1df3ed4aab5bbee2abbcb30bde4230afed02e1ea9e81720b60f093a4c7fb15e22ee15a3a71ff7b84f052f6759640734af976e02

        • C:\Users\Admin\AppData\Local\Temp\is-EQVK0.tmp\101.png

          Filesize

          38KB

          MD5

          d9ee988b72b14e305f2b8891b1952cde

          SHA1

          fe73c83b75b11b6eec464cd68df6748ad446ff47

          SHA256

          2fe0e0d53b94b1dfecb7a9a1990479d55371c49d8387e9037a48460c4b2d76fe

          SHA512

          9f31c3470a598350296879d6a7d8ccff96d64b59dafb00e53b8ae90f78b341bf7cbde1a4d0fe836e6013048910ee9aa54baece3b6d754c5c0c1e0cd52ccf6eaa

        • C:\Users\Admin\AppData\Local\Temp\is-EQVK0.tmp\image.png

          Filesize

          22KB

          MD5

          42d8d0159577c2efee2a8d4b1531feb8

          SHA1

          97074033a60d208d0dcde812998e85c4bc717639

          SHA256

          3cbfa49246431f862c484886496c21a157518fe13ce1832786b5fc5bbdb0cb4b

          SHA512

          afa1001b2bcabca08d56c470d381af4c70acb7ad5783e2fe939526f3d43f12dec8084e6c684e114d0b1ae60335982539dcf3622c3d064d97ecc9f281e3727582

        • C:\Users\Admin\AppData\Local\Temp\is-N2ELF.tmp\x-lite-5.8.3.102651-installer_apR-1F1.tmp

          Filesize

          3.0MB

          MD5

          4cc9ddb18514c94300fd78fe002b0d2f

          SHA1

          0aa4ff18d1239cad8d0aa1b96a376ee396f47ff7

          SHA256

          c4a5100dcf1eb5dc959e50e36a710c92a53a5c77d0569ee03293142e0eb43fc4

          SHA512

          5c1fd45057ea83273bdc1da5b4393e4b4a4a504d4f07283c8e537f50af9559dd036a3e1ef7d7473332d77fd53eca2fbba122c5de3d1ac0fb11ece1be430220d3

        • memory/3572-21-0x0000000000400000-0x00000000004CB000-memory.dmp

          Filesize

          812KB

        • memory/3572-1-0x0000000000400000-0x00000000004CB000-memory.dmp

          Filesize

          812KB

        • memory/3572-2-0x0000000000401000-0x00000000004A9000-memory.dmp

          Filesize

          672KB

        • memory/4200-28-0x0000000000400000-0x0000000000706000-memory.dmp

          Filesize

          3.0MB

        • memory/4200-22-0x0000000000400000-0x0000000000706000-memory.dmp

          Filesize

          3.0MB

        • memory/4200-6-0x0000000000400000-0x0000000000706000-memory.dmp

          Filesize

          3.0MB

        • memory/4200-27-0x0000000003500000-0x0000000003640000-memory.dmp

          Filesize

          1.2MB

        • memory/4200-19-0x0000000003500000-0x0000000003640000-memory.dmp

          Filesize

          1.2MB

        • memory/4200-29-0x0000000000400000-0x0000000000706000-memory.dmp

          Filesize

          3.0MB

        • memory/4200-20-0x0000000000400000-0x0000000000706000-memory.dmp

          Filesize

          3.0MB

        • memory/4200-35-0x0000000003500000-0x0000000003640000-memory.dmp

          Filesize

          1.2MB

        • memory/4200-36-0x0000000000400000-0x0000000000706000-memory.dmp

          Filesize

          3.0MB

        • memory/4200-37-0x0000000000400000-0x0000000000706000-memory.dmp

          Filesize

          3.0MB

        • memory/4200-39-0x0000000000400000-0x0000000000706000-memory.dmp

          Filesize

          3.0MB

        • memory/4200-41-0x0000000000400000-0x0000000000706000-memory.dmp

          Filesize

          3.0MB