Overview
overview
10Static
static
7Crack.exe
windows7-x64
3Crack.exe
windows10-2004-x64
7GloryWSetp.exe
windows7-x64
7GloryWSetp.exe
windows10-2004-x64
10Install.exe
windows7-x64
7Install.exe
windows10-2004-x64
7KiffApp2.exe
windows7-x64
1KiffApp2.exe
windows10-2004-x64
1Setup.exe
windows7-x64
7Setup.exe
windows10-2004-x64
7md1_1eaf.exe
windows7-x64
10md1_1eaf.exe
windows10-2004-x64
10Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
04-11-2024 22:13
Behavioral task
behavioral1
Sample
Crack.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
Crack.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
GloryWSetp.exe
Resource
win7-20241010-en
Behavioral task
behavioral4
Sample
GloryWSetp.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
Install.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
Install.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
KiffApp2.exe
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
KiffApp2.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
Setup.exe
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
Setup.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
md1_1eaf.exe
Resource
win7-20240708-en
General
-
Target
Install.exe
-
Size
381KB
-
MD5
58c203a58312c6121c932e9a59079064
-
SHA1
f57f41180fbe8e5dffafef79ea88f707c5cb748a
-
SHA256
3555826df75751600d127b343a3214a0f9b4c211b1fdcdf9ccceb1dda6be5f27
-
SHA512
e141e9da04e6ba43d639c729d83fd9773bda1c51759dda84f59f27a017a5809e47e4ddaa5a2c8be92ef81ca58fabe06faeca37252a7b4ab64d18679fc5e8e406
-
SSDEEP
6144:x/QiQXCjoL8+Ee0CYDTAsdRnhOGBfj/WUplm6zIOYQNd28pTXdAmpCLVRZoglM7f:pQi3joL8+iDNdRhlL//plmW9bTXeVhD4
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
pid Process 1884 Install.tmp -
Loads dropped DLL 5 IoCs
pid Process 1204 Install.exe 1884 Install.tmp 1884 Install.tmp 1884 Install.tmp 1884 Install.tmp -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 2 ipinfo.io 4 ipinfo.io -
Drops file in Program Files directory 3 IoCs
description ioc Process File created C:\Program Files (x86)\AskFinder\unins000.dat Install.tmp File created C:\Program Files (x86)\AskFinder\is-7E0QN.tmp Install.tmp File opened for modification C:\Program Files (x86)\AskFinder\unins000.dat Install.tmp -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Install.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Install.tmp -
Script User-Agent 2 IoCs
Uses user-agent string associated with script host/environment.
description flow ioc HTTP User-Agent header 3 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) HTTP User-Agent header 7 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1884 Install.tmp 1884 Install.tmp -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1884 Install.tmp -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 1204 wrote to memory of 1884 1204 Install.exe 30 PID 1204 wrote to memory of 1884 1204 Install.exe 30 PID 1204 wrote to memory of 1884 1204 Install.exe 30 PID 1204 wrote to memory of 1884 1204 Install.exe 30 PID 1204 wrote to memory of 1884 1204 Install.exe 30 PID 1204 wrote to memory of 1884 1204 Install.exe 30 PID 1204 wrote to memory of 1884 1204 Install.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\Install.exe"C:\Users\Admin\AppData\Local\Temp\Install.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1204 -
C:\Users\Admin\AppData\Local\Temp\is-UNBGR.tmp\Install.tmp"C:\Users\Admin\AppData\Local\Temp\is-UNBGR.tmp\Install.tmp" /SL5="$400E0,138429,56832,C:\Users\Admin\AppData\Local\Temp\Install.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:1884
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
705KB
MD5e838042d7af3186550417a8dd588a2e1
SHA1785b7da17fec27400eebc6336973c36fc7ac5305
SHA256a73d9825393fce8026e6e1eecbe95706a76f305b37fead6263f614d0559dfb2a
SHA5128a5075f4a8b6c1b9e230ba2550321bbec272cbf6a26f5f7c8c1d3b4bcaa8e44b1ce21eacfefcee95cd377544bfbe5bae93ff7d63d4d2333a5f5af7e885c6c263
-
Filesize
22KB
MD592dc6ef532fbb4a5c3201469a5b5eb63
SHA13e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA2569884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA5129908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3
-
Filesize
200KB
MD5d82a429efd885ca0f324dd92afb6b7b8
SHA186bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea
SHA256b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3
SHA5125bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df
-
Filesize
694KB
MD5ffcf263a020aa7794015af0edee5df0b
SHA1bce1eb5f0efb2c83f416b1782ea07c776666fdab
SHA2561d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64
SHA51249f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a