Analysis
-
max time kernel
599s -
max time network
604s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
-
submitted
22-11-2024 03:25
General
-
Target
ErrorFileRemover.exe
-
Size
2.4MB
-
MD5
dbfbf254cfb84d991ac3860105d66fc6
-
SHA1
893110d8c8451565caa591ddfccf92869f96c242
-
SHA256
68b0e1932f3b4439865be848c2d592d5174dbdbaab8f66104a0e5b28c928ee0c
-
SHA512
5e9ccdf52ebdb548c3fa22f22dd584e9a603ca1163a622db5707dbcc5d01e4835879dcfd28cb1589cbb25aed00f352f7a0a0962b1f38b68fc7d6693375e7666d
-
SSDEEP
49152:6kAG2QGTC5xvMdgpdb1KRHGepUu2cGbqPs9+q2HRPTnFVSLE:6kAjQGTCnvMmpYQqPNRPTnF4Y
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 15 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 2 IoCs
-
Drops file in Windows directory 19 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies data under HKEY_USERS 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 25 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe"C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe"1⤵
- Loads dropped DLL
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\Error file remover.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs "2⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Modifies WinLogon for persistence
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 85C124E974A4815FD74652CF1F5EB6B72⤵
- Loads dropped DLL
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding D0DF24FCC7D9A7DE0396A15905B2F351 M Global\MSI00002⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {EDB707B6-9464-4A86-957E-8042D78A2628} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Windows\Error file remover\fatalerror.exe"C:\Program Files (x86)\Windows\Error file remover\fatalerror.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x5181⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
99KB
MD50f35c0f15e91bf2533656b0129fff225
SHA119dd9cfae6a1166a655d913aceee9bcbfd35991a
SHA2567035ce433cd48a51a30c9599a65bfc4f86b94d37ddb1f3da5fd769976e111493
SHA51257a41522b513cbe8f73738df977664744d3f71d2783eab03881b031c70b741a70271e3087e06d320c9215a7c338e006583003773f86feea2cff18f0a0fa90ffa
-
Filesize
69B
MD57ab1355b8ae96751a8e6f3d6c953cd34
SHA190e3fcb6fb0cc25cbfc602f8d9920adaa9986802
SHA256abd27abe6af73b4e33b98f706250163f2fdbeaea452e900d108da5afb3283936
SHA512af35de60b0e2cdfa8809aefd152918e549fc0ed2e5c672a0fff1811abff1ca6b837179c1fac73361b15f55f1f7b36709d61c89fe07848f5bb8a48d04d6ed9aac
-
Filesize
84B
MD5a93f81025eb9327246712b7d13ae0ece
SHA1791c3f4441b5a62b815d63d205c1c552690dbbe6
SHA25636f63277652d93a37a8fe93bc4a3533590ba92ca08eec97408ceac27978f3009
SHA5122cef3c4c26c6dad4064c62d11835a9fd6c202649608c66ad535276c25a6faa550235385f3e817785768977c9f4bb6e8747c371980a6262553f9f7d79c47581aa
-
Filesize
84B
MD568ff1ccfea788678e926d7d48f990cb8
SHA19748174737bf2759ce864ceb0a888be971ab22f6
SHA256ae8e2145e52732ef616bb81433171b9a7a5633eb1017cb3687a72f3e35c6699d
SHA5129db7b35e28cc343c693ca92671680cad584ed30d540e02fe2a7259ea6950024a856dfa6b9289f6ef5b1f0b51b81236507c03846382be50b1a7d025e154e1d988
-
Filesize
4KB
MD55c58ea5b80d8472bd7eacc63bbea861a
SHA19add817c0e59f3ea96f7a08336d9d223b218d98c
SHA256013cef8fe16201e72f55fa503a98a6abd36f53e188d3e05536e6330a7a95d09d
SHA5120b34fb75a9e50a3bfbeaa0c9db30f871dad98ef6325eefd782b266cfdd8396f37bec35e551a3604fe01d571a789f6810795da2fb661bc7020bb7b287b30aac41
-
Filesize
1010KB
MD527bc9540828c59e1ca1997cf04f6c467
SHA1bfa6d1ce9d4df8beba2bedf59f86a698de0215f3
SHA25605c18698c3dc3b2709afd3355ad5b91a60b2121a52e5fcc474e4e47fb8e95e2a
SHA512a3ae822116cddb52d859de7ffc958541bb47c355a835c5129aade9cc0e5fba3ff25387061deb5b55b5694a535f09fe8669485282eb6e7c818cc7092eb3392848
-
Filesize
724KB
MD5bab1293f4cf987216af8051acddaf97f
SHA100abe5cfb050b4276c3dd2426e883cd9e1cde683
SHA256bc26b1b97eeb45995bbd5f854db19f994cce1bb9ac9fb625eb207302dccdf344
SHA5123b44371756f069be4f70113a09761a855d80e96c23c8cd76d0c19a43e93d1a159af079ba5189b88b5ee2c093099a02b00ea4dc20a498c9c0c2df7dc95e5ddd49
-
Filesize
24KB
MD5e579c5b3c386262e3dd4150eb2b13898
SHA15ab7b37956511ea618bf8552abc88f8e652827d3
SHA256e9573a3041e5a45ed8133576d199eb8d12f8922bbe47d194fef9ac166a96b9e2
SHA5129cf947bad87a701f0e0ad970681767e64b7588089cd9064c72bf24ba6ca0a922988f95b141b29a68ae0e0097f03a66d9b25b9d52197ff71f6e369cde0438e0bb
-
Filesize
180KB
MD5d552dd4108b5665d306b4a8bd6083dde
SHA1dae55ccba7adb6690b27fa9623eeeed7a57f8da1
SHA256a0367875b68b1699d2647a748278ebce64d5be633598580977aa126a81cf57c5
SHA512e5545a97014b5952e15bb321135f65c0e24414f8dd606fe454fd2d048d3f769b9318df7cfb2a6bf932eb2bf6d79811b93cb2008115deb0f0fa9db07f32a70969
-
Filesize
88KB
MD54083cb0f45a747d8e8ab0d3e060616f2
SHA1dcec8efa7a15fa432af2ea0445c4b346fef2a4d6
SHA256252b7423b01ff81aea6fe7b40de91abf49f515e9c0c7b95aa982756889f8ac1a
SHA51226f8949cad02334f9942fda8509579303b81b11bc052a962c5c31a7c6c54a1c96957f30ee241c2206d496d2c519d750d7f6a12b52afdb282fa706f9fee385133
-
Filesize
96KB
MD53cab78d0dc84883be2335788d387601e
SHA114745df9595f190008c7e5c190660361f998d824
SHA256604e79fe970c5ed044517a9a35e4690ea6f7d959d21173ebef45cdd3d3a22bdd
SHA512df6b49f2b5cddebd7e23e81b0f89e4883fc12d95735a9b3f84d2f402f4996c54b5fdea8adb9eaa98e8c973b089656d18d6b322bd71cb42d7807f7fa8a7348820
-
Filesize
128KB
MD57e6b88f7bb59ec4573711255f60656b5
SHA15e7a159825a2d2cb263a161e247e9db93454d4f6
SHA25659ff5bc12b155cc2e666bd8bc34195c3750eb742542374fc5e53fb22d11e862f
SHA512294a379c99403f928d476e04668717cdabc7dc3e33bcf6bcad5c3d93d4268971811ff7303aa5b4b2ed2b59d59c8eba350a9a30888d4b5b3064708521ac21439c
-
Filesize
312KB
MD5aa82345a8f360804ea1d8d935f0377aa
SHA1c09cf3b1666d9192fa524c801bb2e3542c0840e2
SHA2569c155d4214cebda186647c035ada552963dcac8f88a6b38a23ea34f9ecd1d437
SHA512c051a381d87ba933ea7929c899fb01af2207cb2462dcb2b55c28cff65596b27bdb05a48207624eeea40fddb85003133ad7af09ca93cfb2426c155daea5a9a6db
-
Filesize
126KB
MD53531cf7755b16d38d5e9e3c43280e7d2
SHA119981b17ae35b6e9a0007551e69d3e50aa1afffe
SHA25676133e832c15aa5cbc49fb3ba09e0b8dd467c307688be2c9e85e79d3bf62c089
SHA5127b053ba2cf92ef2431b98b2a06bd56340dad94de36d11e326a80cd61b9acb378ac644ac407cf970f4ef8333b8d3fb4ff40b18bb41ec5aee49d79a6a2adcf28fd
-
Filesize
16.4MB