Report navigation (score per task; truncated labels are as shown by the sandbox)
- Overview: 5
- Static: 3
- Download More.url (windows7-x64): 1
- Download More.url (windows10-2004-x64): 1
- Jasi2169_P...ch.exe (windows7-x64): 3
- Jasi2169_P...ch.exe (windows10-2004-x64): 3
- Join Teleg...re.url (windows7-x64): 1
- Join Teleg...re.url (windows10-2004-x64): 1
- WindowBlin...up.exe (windows7-x64): 5
- WindowBlin...up.exe (windows10-2004-x64): 5

Analysis
- max time kernel: 52s
- max time network: 59s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 03-11-2024 16:36
Behavioral tasks
- behavioral1: Download More.url (resource win7-20240903-en)
- behavioral2: Download More.url (resource win10v2004-20241007-en)
- behavioral3: Jasi2169_Patch/WindowBlinds_11.02_Jasi2169_Patch.exe (resource win7-20240708-en)
- behavioral4: Jasi2169_Patch/WindowBlinds_11.02_Jasi2169_Patch.exe (resource win10v2004-20241007-en)
- behavioral5: Join Telegram for more.url (resource win7-20240903-en)
- behavioral6: Join Telegram for more.url (resource win10v2004-20241007-en)
- behavioral7: WindowBlinds11_setup.exe (resource win7-20240903-en)
General
- Target: WindowBlinds11_setup.exe
- Size: 95.4MB
- MD5: 72ecc6b491dbc5a46ab9f215c556691c
- SHA1: 652c3d358185405793a91dbb8d38cfaab052383d
- SHA256: 04128112e38f9f5f4f4441396407cc6128226f7638aef512419a9aa24b6be1ce
- SHA512: 6e355a4c1947c68aa75af13ca5d1c59dc72e17df22cf423400d53b2875385d16771121a2f80b70c250eb50ad65a5cba5c13b67028ae6c269f87e319d54bba2c5
- SSDEEP: 1572864:SAwUb6en83FlhNoMEvpbfJimmatUGKWvhJiorxsJivsE2I+oYk0qQIr5ZuW+a+:jGiMrhNohTcBoUfWJcSOcUE71YZqbLwr
The Analysis, Signatures, Processes and Downloads sections that follow cover behavioral7 only (WindowBlinds11_setup.exe on win7-20240903-en); the other six tasks are not reproduced on this page.
Malware Config
Signatures
YARA rule "upx" (UPX-packed file) - 6 IoCs
- behavioral7/files/0x0005000000019234-3.dat
- behavioral7/memory/2748-7-0x0000000003300000-0x00000000036E8000-memory.dmp
- behavioral7/memory/2644-30-0x0000000000920000-0x0000000000D08000-memory.dmp
- behavioral7/memory/2644-74-0x0000000000920000-0x0000000000D08000-memory.dmp
- behavioral7/memory/2644-97-0x0000000000920000-0x0000000000D08000-memory.dmp
- behavioral7/memory/2644-105-0x0000000000920000-0x0000000000D08000-memory.dmp
The rule hits one dropped file, a 0x3E8000-byte region in the parent (PID 2748) and a region of the same size in irsetup.exe (PID 2644) at four points in the run, which is what a UPX-packed image looks like once mapped. UPX is used by many legitimate installers, so the hit raises the score but is not evidence of malice on its own; unpack the dropped file (upx -d, or dump the region from memory) before drawing conclusions from its contents.
Executes dropped EXE - 2 IoCs
- PID 2644: irsetup.exe
- PID 2068: GetMachineSID.exe

Loads dropped DLL - 12 IoCs
- PID 2748 WindowBlinds11_setup.exe: 4 loads
- PID 2644 irsetup.exe: 8 loads
Enumerates physical storage devices - 1 TTP
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery - 1 TTP, 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by WindowBlinds11_setup.exe, irsetup.exe, reg.exe and GetMachineSID.exe
Reading NLS\Language is part of ordinary locale initialization, and here even the system's own reg.exe triggers it, so this signature carries no weight on its own.
Modifies system certificate store - 2 IoCs
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 (irsetup.exe)
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (certificate blob not reproduced on this page) (irsetup.exe)
CABD2A79A1076A31F21D253635CB039D4329A5E8 is the SHA-1 thumbprint of ISRG Root X1 (the Let's Encrypt root), which the win7 image does not ship. CryptoAPI adds a missing root to the machine ROOT store through Automatic Root Update while a process validates a chain that ends in it, and the registry write is attributed to that process, so this hit is consistent with irsetup.exe validating a Let's Encrypt-issued certificate rather than deliberately installing a root. The Network section of this page is empty, so the trigger cannot be confirmed here; treat the entry as a deliberate root install only if the Blob decodes to some other certificate or the process is seen calling the certificate-store APIs itself.
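The check I would run on this signature, added here as an example and not part of the report: parse the Blob value the way CryptoAPI serializes it (a sequence of property records, with the DER certificate in property 32 and its SHA-1 in property 3), recompute the thumbprint from the DER, and compare it with the registry key name. The real Blob is not reproduced on this page, so the block builds a constructed blob around a placeholder DER; point check_cert_blob at a Blob exported from the sandbox (or with reg.exe export) to run it for real. The property-record layout and property IDs come from wincrypt.h; the helper names are mine.

```python
import hashlib
import struct
from typing import Dict

# CryptoAPI certificate property IDs (wincrypt.h)
CERT_SHA1_HASH_PROP_ID = 3        # 20-byte SHA-1 thumbprint, cached by Windows
CERT_FRIENDLY_NAME_PROP_ID = 11   # UTF-16LE, NUL-terminated
CERT_CERT_PROP_ID = 32            # the DER-encoded certificate itself

# Registry subkey name from this report (Windows names the key after the SHA-1 thumbprint).
PAGE_THUMBPRINT = "CABD2A79A1076A31F21D253635CB039D4329A5E8"


def parse_cert_blob(blob: bytes) -> Dict[int, bytes]:
    """Split a serialized certificate context (the 'Blob' value under
    SystemCertificates\\...\\Certificates\\<thumbprint>) into {prop_id: data}.
    Each record is <u32 prop_id><u32 reserved=1><u32 length><data>."""
    props: Dict[int, bytes] = {}
    off = 0
    while off < len(blob):
        if len(blob) - off < 12:
            raise ValueError(f"truncated property header at offset {off}")
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        if reserved != 1:
            raise ValueError(f"unexpected reserved field {reserved} in property {prop_id}")
        off += 12
        if off + length > len(blob):
            raise ValueError(f"property {prop_id} runs past the end of the blob")
        props[prop_id] = blob[off:off + length]
        off += length
    return props


def check_cert_blob(key_thumbprint: str, blob: bytes) -> dict:
    """Recompute the thumbprint from the embedded DER and compare it with both
    the registry key name and the SHA-1 property cached inside the blob."""
    props = parse_cert_blob(blob)
    if CERT_CERT_PROP_ID not in props:
        raise ValueError("blob carries no certificate (property 32)")
    der = props[CERT_CERT_PROP_ID]
    computed = hashlib.sha1(der).hexdigest().upper()
    cached = props.get(CERT_SHA1_HASH_PROP_ID, b"").hex().upper()
    name = props.get(CERT_FRIENDLY_NAME_PROP_ID, b"").decode("utf-16-le", "replace").rstrip("\x00")
    return {
        "computed_thumbprint": computed,
        "key_matches_der": computed == key_thumbprint.upper(),
        "cached_hash_matches_der": (cached == computed) if cached else None,
        "friendly_name": name,
        "der_length": len(der),
    }


def blob_is_well_formed(blob: bytes) -> bool:
    """True when every record parses and a certificate is present."""
    try:
        return CERT_CERT_PROP_ID in parse_cert_blob(blob)
    except ValueError:
        return False


def build_cert_blob(der: bytes, friendly_name: str = "") -> bytes:
    """Constructed input: serialize records in the layout Windows writes. Used only
    so the example runs offline; the real Blob value is not on this page."""
    def record(prop_id: int, data: bytes) -> bytes:
        return struct.pack("<III", prop_id, 1, len(data)) + data
    out = b""
    if friendly_name:
        out += record(CERT_FRIENDLY_NAME_PROP_ID, (friendly_name + "\x00").encode("utf-16-le"))
    out += record(CERT_SHA1_HASH_PROP_ID, hashlib.sha1(der).digest())
    out += record(CERT_CERT_PROP_ID, der)
    return out


# Constructed stand-in for a DER certificate (a SEQUENCE header plus filler, not a real cert).
SAMPLE_DER = b"\x30\x82\x00\x10" + b"constructed-cert"
SAMPLE_BLOB = build_cert_blob(SAMPLE_DER, "Example root (constructed)")


if __name__ == "__main__":
    # Against the thumbprint from this report the placeholder does not match, as expected.
    print(check_cert_blob(PAGE_THUMBPRINT, SAMPLE_BLOB))
    # Against its own thumbprint the blob is internally consistent.
    print(check_cert_blob(hashlib.sha1(SAMPLE_DER).hexdigest(), SAMPLE_BLOB))
```

A key name that does not match the SHA-1 of property 32, or a cached hash that disagrees with it, means the entry was not written by CryptoAPI's normal path and deserves a closer look; a match with a known public root (ISRG Root X1 here) points to Automatic Root Update.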
Suspicious use of SetWindowsHookEx - 3 IoCs
- PID 2644 irsetup.exe: 3 calls

Suspicious use of WriteProcessMemory - 18 IoCs
- PID 2748 WindowBlinds11_setup.exe wrote to memory of PID 2644 (procid_target 30): 7 calls
- PID 2644 irsetup.exe wrote to memory of PID 1972 (procid_target 31): 4 calls
- PID 2644 irsetup.exe wrote to memory of PID 2068 (procid_target 33): 7 calls
Every target is a process the writer had just created (see the process tree below), which is the pattern CreateProcess itself produces on Windows 7: the parent writes the new process's parameters into the child before its main thread starts. Writes into a process that is not the writer's own child would be the injection-like case worth chasing; none appear here.
Processes
- C:\Users\Admin\AppData\Local\Temp\WindowBlinds11_setup.exe (PID 2748)
  Command line: "C:\Users\Admin\AppData\Local\Temp\WindowBlinds11_setup.exe"
  Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe (PID 2644, child of 2748)
    Command line: "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1981986 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\WindowBlinds11_setup.exe" "__IRCT:3" "__IRTSS:0" "__IRSID:S-1-5-21-3533259084-2542256011-65585152-1000"
    Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Modifies system certificate store; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe (PID 1972, child of 2644)
      Command line: "C:\Windows\system32\reg.exe" export HKLM\Software\Stardock C:\Users\Admin\AppData\Local\Temp\registry_export.txt /y /reg:32
      Signatures: System Location Discovery: System Language Discovery
    - C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe (PID 2068, child of 2644)
      Command line: "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.exe" C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\GetMachineSID.tmp
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
The shape of this tree is the Setup Factory (Indigo Rose) bootstrap: the outer executable extracts its runtime to a _ir_sf_temp_0 directory and starts irsetup.exe with the __IR* arguments, among them the invoking user's SID (__IRSID) and the path of the original installer (__IRAFN). The command line for PID 1972 names C:\Windows\system32\reg.exe but the image that ran is C:\Windows\SysWOW64\reg.exe: irsetup.exe is a 32-bit process, so file system redirection sends it to the WOW64 copy, and /reg:32 keeps the export on the 32-bit registry view. The export reads whatever already sits under HKLM\Software\Stardock (WindowBlinds is a Stardock product) into a text file in %TEMP%. GetMachineSID.exe is a dropped helper given a .tmp path as its only argument; its output is not recorded on this page. None of this is by itself malicious behaviour; whether this installer is the vendor's own build is a question for the Static task and the signature on the 95.4MB file, not for this process tree.
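The irsetup.exe command line follows the Setup Factory convention; on my reading __IRAOFF is the byte offset of the embedded archive inside the original installer named by __IRAFN (that reading is an assumption, not something this page documents). The following added example, not code from the page or from Setup Factory, parses those arguments out of the command line recorded above and carves the region at the offset out of a constructed stub; run triage on the real 95.4MB file to check whether the ~1.9MB before the offset is the loader and the rest the archive.

```python
import hashlib
import re
from typing import Dict, List

# irsetup.exe command line exactly as recorded on this page (behavioral7, PID 2644).
IRSETUP_CMDLINE = (
    r'"C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1981986 '
    r'"__IRAFN:C:\Users\Admin\AppData\Local\Temp\WindowBlinds11_setup.exe" "__IRCT:3" '
    r'"__IRTSS:0" "__IRSID:S-1-5-21-3533259084-2542256011-65585152-1000"'
)


def split_windows_cmdline(cmdline: str) -> List[str]:
    """Tokenize a Windows command line: a double-quoted run is one token, the rest
    splits on whitespace. Enough for the argument style seen here; no escape handling."""
    return [quoted if quoted else bare
            for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def parse_setup_factory_args(cmdline: str) -> Dict[str, str]:
    """Collect every __IR<name>:<value> argument (the program path itself is skipped)."""
    args: Dict[str, str] = {}
    for tok in split_windows_cmdline(cmdline)[1:]:
        if tok.startswith("__IR") and ":" in tok:
            key, value = tok.split(":", 1)
            args[key] = value
    return args


def carve_payload(stub: bytes, offset: int) -> dict:
    """Slice the region that starts at the archive offset and fingerprint it.
    For the real case `stub` would be the bytes of the file named by __IRAFN."""
    if not 0 <= offset < len(stub):
        raise ValueError(f"offset {offset} is outside the {len(stub)}-byte file")
    payload = stub[offset:]
    return {
        "stub_bytes": offset,                   # bytes of loader before the archive
        "payload_bytes": len(payload),
        "payload_head": payload[:8],            # eyeball the container magic here
        "payload_sha256": hashlib.sha256(payload).hexdigest(),
    }


def triage(cmdline: str, stub: bytes) -> dict:
    """Parse the bootstrap arguments, then carve the archive they point at."""
    args = parse_setup_factory_args(cmdline)
    info = carve_payload(stub, int(args["__IRAOFF"]))
    info["archive_file"] = args.get("__IRAFN", "")
    info["invoking_sid"] = args.get("__IRSID", "")
    return info


# Constructed stand-in for a self-extracting stub: a fake 64-byte loader followed by "archive" data.
SAMPLE_OFFSET = 64
SAMPLE_STUB = b"MZ" + b"\x00" * (SAMPLE_OFFSET - 2) + b"ARCHIVE!" + b"constructed payload bytes"


if __name__ == "__main__":
    print(parse_setup_factory_args(IRSETUP_CMDLINE))
    # The real offset (1981986) lies far beyond the constructed stub, so the demo
    # re-points __IRAOFF at the constructed offset; the range check rejects the original.
    demo_cmdline = IRSETUP_CMDLINE.replace("__IRAOFF:1981986", f"__IRAOFF:{SAMPLE_OFFSET}")
    print(triage(demo_cmdline, SAMPLE_STUB))
```

With the real file, compare payload_sha256 against the hashes in the Downloads list and the dropped .dat matched by the upx rule; if the carved region starts with a recognisable container header, the loader and the archive can be analysed separately instead of as one 95.4MB blob.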
Network
(no network indicators are listed on this page)

MITRE ATT&CK Enterprise v15
Techniques referenced by the signatures above: Peripheral Device Discovery (T1120, from "Enumerates physical storage devices") and System Location Discovery: System Language Discovery (T1614.001).
Downloads (files dropped during the run; the sandbox does not list their names on this page)
- Filesize 39B
  MD5: 865c04af1ace3192feae236929e93f75
  SHA1: 5a7e1395345d4f17e7ffb9fbebcfd848f25f583a
  SHA256: 8cea363a44ac2993ef8a802e01e7f810e54fd4740db077c953a0512edd5e4c59
  SHA512: 19bebd5127a267295666625175e7b8e533f1ab355b7cbede457632ca527ab2da32fda25e2980c3e0ba8e294a8ddd62647a9a21bfe8df111e60e60a7abd0bb49e
- Filesize 326KB
  MD5: 80d93d38badecdd2b134fe4699721223
  SHA1: e829e58091bae93bc64e0c6f9f0bac999cfda23d
  SHA256: c572a6103af1526f97e708a229a532fd02100a52b949f721052107f1f55e0c59
  SHA512: 9f28073cc186b55ef64661c2e4f6fe1c112785a262b9d8e9a431703fdb1000f1d8cc0b2a3c153c822cfd48782ae945742ccb07beae4d6388d5d0b4df03103bd4
- Filesize 393KB
  MD5: 6eec47ab86d212fe3ed0f56985c8e817
  SHA1: 06da90bcc06c73ce2c7e112818af65f66fcae6c3
  SHA256: d0b2fa60e707982899ecd8c4dc462721c82491245b26721a7c0e840c5f557aed
  SHA512: 36d6ef8a3fecb2c423079cadbfcbe2b044095f641c9a6ce0f9d0e96c6400f00a089aa26cc9d361bfdbcfdc3a8487d18d64956b36f39320648d1ddb565221a9cb
- Filesize 58KB
  MD5: 55bbf335f75f2a2fe0a5daf603964d41
  SHA1: f1b9686e8a9f10682722fc5e08c02c016b597804
  SHA256: 723adae0e69127a6bfbc65c5ef552a351264205ea5e2bc3b80e505feaa5d0e43
  SHA512: af49055234cb4a0ddbc68212db094c7a7a1058ccf6a1a5830238fe3ff96fa35390d242322436839d6d7e419bd9e4ad8962e213222470625cffb46423dec44db6
- Filesize 97KB
  MD5: da1d0cd400e0b6ad6415fd4d90f69666
  SHA1: de9083d2902906cacf57259cf581b1466400b799
  SHA256: 7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575
  SHA512: f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a
- Filesize 1.3MB
  MD5: 68ac216f38a5f7c823712c216ca4b060
  SHA1: f6ad96e91103c40eb33fd3f1324d99093e5d014e
  SHA256: 748d48d246526e2a79edcde87255ffa5387e3bcc94f6ca5e59589e07e683cd80
  SHA512: 9b7dce4ed6e2caee1cdb33e490e7062344d95d27ba48e96f66094a3413da27fb32680dd2e9a5b2091489780929c27fe36914210793fbef81dfb5b4fb1a9b469b