Overview

overview

10

Static

static

6

DUMP_00A10...iR.exe

windows7-x64

7

DgH5SjZFle...DI.exe

windows7-x64

10

Dumped_.exe

windows7-x64

7

EntrateSetup.exe

windows7-x64

9

ErrorFileRemover.exe

windows7-x64

10

ExtraTools.exe

windows7-x64

7

F45F47EDCE...54.exe

windows7-x64

10

decrypt_00...00.exe

windows7-x64

6

dffde400ad...3d.exe

windows7-x64

10

dircrypt.deobf.exe

windows7-x64

10

dma locker 4.0.exe

windows7-x64

9

downloader.js

windows7-x64

10

dump.mem.exe

windows7-x64

6

e0ff79cc94...ss.exe

windows7-x64

7

e37dc428ec...ad.vbs

windows7-x64

1

e5df2d114c...8a.exe

windows7-x64

10

e6c4ae4709...ss.exe

windows7-x64

7

e77df2ce34...2d.exe

windows7-x64

7

e8e07496df...d2.exe

windows7-x64

ea8292721a...1e.exe

windows7-x64

5

eaa857c95f...er.dll

windows7-x64

1

ed3a685ca6...91.exe

windows7-x64

9

edffa07d66...9d5.js

windows7-x64

10

encrypter.exe

windows7-x64

10

encryptor_...81.exe

windows7-x64

9

f002618c01...35.apk

windows7-x64

3

f213e54c85...ea.exe

windows7-x64

1

f2c8eee2cd...3f.exe

windows7-x64

10

f31bfe95e3...7_.exe

windows7-x64

9

f6a8d7a429...da.exe

windows7-x64

10

f915110765...da.exe

windows7-x64

7

fb8823e949...-0.dll

windows7-x64

1

Analysis

  • max time kernel
    118s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    22-11-2024 03:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ErrorFileRemover.exe

  • Size

    2.4MB

  • MD5

    dbfbf254cfb84d991ac3860105d66fc6

  • SHA1

    893110d8c8451565caa591ddfccf92869f96c242

  • SHA256

    68b0e1932f3b4439865be848c2d592d5174dbdbaab8f66104a0e5b28c928ee0c

  • SHA512

    5e9ccdf52ebdb548c3fa22f22dd584e9a603ca1163a622db5707dbcc5d01e4835879dcfd28cb1589cbb25aed00f352f7a0a0962b1f38b68fc7d6693375e7666d

  • SSDEEP

    49152:6kAG2QGTC5xvMdgpdb1KRHGepUu2cGbqPs9+q2HRPTnFVSLE:6kAjQGTCnvMmpYQqPNRPTnF4Y

Score
10/10
discoverypersistence

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Loads dropped DLL 15 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 19 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe
    "C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe"
    1⤵
    • Loads dropped DLL
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2148
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\Error file remover.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\ErrorFileRemover.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs "
      2⤵
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:332
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Modifies WinLogon for persistence
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2272
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 91FCA096E9815CD9B2DDDC81DB3C4D89
      2⤵
      • Loads dropped DLL
      • Blocklisted process makes network request
      • System Location Discovery: System Language Discovery
      PID:2856
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding F32920C7D79FD0332ECF56DFAB7671C1 M Global\MSI0000
      2⤵
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:676

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Config.Msi\f76b742.rbs
    Filesize

    99KB

    MD5

    68868f9d1ad6e2dddd1aad3f66f62668

    SHA1

    3cea29a1aefacd0406c8277015cd517a233b0546

    SHA256

    b234b704e45afa04508d7caa0d2b5b0772404dfb18ee937a2c51895c24efb419

    SHA512

    07b4c7b1dbca1132dbb0527668c2839f42e95978e858c68e89a64d64d7834f1fa544cc4fc5a26dd9e7c51453356913f7f61b28312d14b74fd99ac5769cf0a5d0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\tracking.ini
    Filesize

    84B

    MD5

    d0f43025bcb51b8542157891fbff7bcb

    SHA1

    011867edd0eccb2223da7e33f3fdd8e9c1ca971a

    SHA256

    b4a64e286bf98a2ed635acec953d610c8c0925b20f92b58a74e222b8db4cd8bc

    SHA512

    e90616e2bfab8ffd265d08d9fb42e4b67ec902aad85425b783b96a95fd923bc99b053f469daf2af68320d81e014d0f80a303b2ab186de24412f0c9d9e2dbf004

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\tracking.ini
    Filesize

    84B

    MD5

    9204d4ac381c76eda8e6a20396652c0c

    SHA1

    8fcc3745cd97e152c559a9bdb686d28bb2cda40e

    SHA256

    1b72e84a6430d2eaaef5441983dca3c9197d4637d92338581703b0fb2edd4cae

    SHA512

    e5ecb464f75b72d57af975609f0a5581341f7210c756aa06bfe2a538765ea0fbba2c6d9f74943dcaad471e277806a27fb89f5c4b8a9bddaf1e5593eccb02c83a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\{C16ED1F4-75AC-449F-A6FF-AA0C5C5A5AE1}.session
    Filesize

    4KB

    MD5

    b38c73894bf72d5b0991c02c94a85d97

    SHA1

    90cd3a4a6d188ec88641bf54bab5f1cf1a8534cc

    SHA256

    9f8a45d502be1810429d079043900b71d07e6664e91a5582fca5a6c3f962ad51

    SHA512

    09a1b9d9b67d78fe2b4ed05700e8f9ac1cd7bbec2b7cf81e90ddd6a24c46f72ee3c6be656d57779478f4437a7b0b5bfd8f692b12148b06fa02ead8c1828953bf

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\{C16ED1F4-75AC-449F-A6FF-AA0C5C5A5AE1}.session
    Filesize

    763B

    MD5

    e7148990bb8aa3f3a8902c7760dddd98

    SHA1

    c95931ba96e8524ef9c49adcaf58ba4b8c751dfc

    SHA256

    11e2f1da6b896e1957bfebc05a867f21d1c926796e87974cca47b991569d5bc7

    SHA512

    86a5e1d420d857425ac8fa8bd1cd91d448079cc5554c951718578aca7a0963623ed08385e040786cdba23c6d0ea88ee78e09154f2f3952f6527eaf83ab358a4a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\{C16ED1F4-75AC-449F-A6FF-AA0C5C5A5AE1}.session
    Filesize

    1KB

    MD5

    270e0497dd1c77971e1cbdfff4cb3546

    SHA1

    ba73a814b6e5a0e3668d515fe13c40dc4fe7af11

    SHA256

    b9742c7106cce494564fc99e38292d0fa1d70260acc446f829afba6a457806a4

    SHA512

    9a5d7ecc99a3f56fd82b26780aa0a7edb7efd21df0f81de1d67d5bf11b85bfac7d9bb38a34cf38b0286649f0ac6d4b741755bc1ef4d097f194004e4c5103a42c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\{C16ED1F4-75AC-449F-A6FF-AA0C5C5A5AE1}.session
    Filesize

    1KB

    MD5

    153e36f0d8ed21fea59b2bb0a8bd1bd2

    SHA1

    1d064ed90dcab8490d11c6d94fd70b0726a89ca6

    SHA256

    cf139269f46938e37eae848deed87cd414c3c6b8aa3c0417fbeb94c8c5303d9a

    SHA512

    9db79b04cf8458bdb91e171d4cf89ab24e4aaff93e9529623d0ae4a57f653467e6f65f6923fcf53944a77f080337b720556003496289aefe9005e5ade695e82f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\{C16ED1F4-75AC-449F-A6FF-AA0C5C5A5AE1}.session
    Filesize

    2KB

    MD5

    9a66f8e8b7a97485fea2360f606b4e70

    SHA1

    5310f0468e126baa5b4aadd96f3ddcc9a1a96d7f

    SHA256

    0076b55753adf84ac56ade270c0aab483e7a422ba00eae75d3368d3850419832

    SHA512

    7f134cce242addebb58584198c68f2ac47e3885eecfffad7963fbcb0abf81ad3e22d26855673cf0fd1c267485e209d0ac196fd61f0673b413775a2c6587f04b1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\{C16ED1F4-75AC-449F-A6FF-AA0C5C5A5AE1}.session
    Filesize

    3KB

    MD5

    e330f0a57dd081ffec39e655305f9b54

    SHA1

    eab296ac752c9e8f9e130dcb611b6d091ca67884

    SHA256

    4f651c557671b8f069f8a82db4e1a3a50f65536ffcbf36d5aac63503e61efb1f

    SHA512

    dda55922d4aa0c4b78222424f2e89878263239b7d17cddcfb74ae34a5cbd0cf6ff46832fd2082eaacd0a5ce029618c3da52c47758cf2b33d016368ef3481438e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\{C16ED1F4-75AC-449F-A6FF-AA0C5C5A5AE1}.session
    Filesize

    3KB

    MD5

    8e4cacafb64ac84b2929b111047a1fc3

    SHA1

    e3f6392c991fe19d2df2853ee7b4a0e4f72a5d3e

    SHA256

    5d8f84f1738440dd7326bf8e19b5c172ce4e5114d9f8954c8fe629a77249551d

    SHA512

    1262c0d103da5d467c5b74968e5a688e80822a8d034fc0ddad75fd93fff6dfe37594667a5e980728e94795d0650864c77860e9f09f6c1bf08d11aa093842265d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\AdvinstAnalytics\Error file remover\1.0.0.0\{C16ED1F4-75AC-449F-A6FF-AA0C5C5A5AE1}.session
    Filesize

    3KB

    MD5

    e3c1f08299a8bd4e13fca12cb2dc2628

    SHA1

    2a0d3edfe79595b1c4039d2a57a9060662f0845b

    SHA256

    b9c11dae8edfeb201268a64d7aa8f43b3f9779d3f27a797aef8fe216a3369b13

    SHA512

    d3d492f12155068bf9ae668d53b68b83a209909309b715c83da07d66ffb1e46ae898895f4dd8723890a811991943e2365b598d1c61d6c88d79863e040bb889dd

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\Error file remover.msi
    Filesize

    1010KB

    MD5

    27bc9540828c59e1ca1997cf04f6c467

    SHA1

    bfa6d1ce9d4df8beba2bedf59f86a698de0215f3

    SHA256

    05c18698c3dc3b2709afd3355ad5b91a60b2121a52e5fcc474e4e47fb8e95e2a

    SHA512

    a3ae822116cddb52d859de7ffc958541bb47c355a835c5129aade9cc0e5fba3ff25387061deb5b55b5694a535f09fe8669485282eb6e7c818cc7092eb3392848

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\Windows Logoff Sound.wav
    Filesize

    724KB

    MD5

    bab1293f4cf987216af8051acddaf97f

    SHA1

    00abe5cfb050b4276c3dd2426e883cd9e1cde683

    SHA256

    bc26b1b97eeb45995bbd5f854db19f994cce1bb9ac9fb625eb207302dccdf344

    SHA512

    3b44371756f069be4f70113a09761a855d80e96c23c8cd76d0c19a43e93d1a159af079ba5189b88b5ee2c093099a02b00ea4dc20a498c9c0c2df7dc95e5ddd49

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\0A01606\fatalerror.exe
    Filesize

    24KB

    MD5

    e579c5b3c386262e3dd4150eb2b13898

    SHA1

    5ab7b37956511ea618bf8552abc88f8e652827d3

    SHA256

    e9573a3041e5a45ed8133576d199eb8d12f8922bbe47d194fef9ac166a96b9e2

    SHA512

    9cf947bad87a701f0e0ad970681767e64b7588089cd9064c72bf24ba6ca0a922988f95b141b29a68ae0e0097f03a66d9b25b9d52197ff71f6e369cde0438e0bb

    Download Submit

  • C:\Windows\Installer\MSIBD20.tmp
    Filesize

    128KB

    MD5

    7e6b88f7bb59ec4573711255f60656b5

    SHA1

    5e7a159825a2d2cb263a161e247e9db93454d4f6

    SHA256

    59ff5bc12b155cc2e666bd8bc34195c3750eb742542374fc5e53fb22d11e862f

    SHA512

    294a379c99403f928d476e04668717cdabc7dc3e33bcf6bcad5c3d93d4268971811ff7303aa5b4b2ed2b59d59c8eba350a9a30888d4b5b3064708521ac21439c

    Download Submit

  • C:\Windows\Installer\MSIBD6F.tmp
    Filesize

    312KB

    MD5

    aa82345a8f360804ea1d8d935f0377aa

    SHA1

    c09cf3b1666d9192fa524c801bb2e3542c0840e2

    SHA256

    9c155d4214cebda186647c035ada552963dcac8f88a6b38a23ea34f9ecd1d437

    SHA512

    c051a381d87ba933ea7929c899fb01af2207cb2462dcb2b55c28cff65596b27bdb05a48207624eeea40fddb85003133ad7af09ca93cfb2426c155daea5a9a6db

    Download Submit

  • \Users\Admin\AppData\Roaming\Windows\Error file remover 1.0.0.0\install\decoder.dll
    Filesize

    126KB

    MD5

    3531cf7755b16d38d5e9e3c43280e7d2

    SHA1

    19981b17ae35b6e9a0007551e69d3e50aa1afffe

    SHA256

    76133e832c15aa5cbc49fb3ba09e0b8dd467c307688be2c9e85e79d3bf62c089

    SHA512

    7b053ba2cf92ef2431b98b2a06bd56340dad94de36d11e326a80cd61b9acb378ac644ac407cf970f4ef8333b8d3fb4ff40b18bb41ec5aee49d79a6a2adcf28fd

    Download Submit

  • \Windows\Installer\MSIB7AB.tmp
    Filesize

    180KB

    MD5

    d552dd4108b5665d306b4a8bd6083dde

    SHA1

    dae55ccba7adb6690b27fa9623eeeed7a57f8da1

    SHA256

    a0367875b68b1699d2647a748278ebce64d5be633598580977aa126a81cf57c5

    SHA512

    e5545a97014b5952e15bb321135f65c0e24414f8dd606fe454fd2d048d3f769b9318df7cfb2a6bf932eb2bf6d79811b93cb2008115deb0f0fa9db07f32a70969

    Download Submit

  • \Windows\Installer\MSIB933.tmp
    Filesize

    88KB

    MD5

    4083cb0f45a747d8e8ab0d3e060616f2

    SHA1

    dcec8efa7a15fa432af2ea0445c4b346fef2a4d6

    SHA256

    252b7423b01ff81aea6fe7b40de91abf49f515e9c0c7b95aa982756889f8ac1a

    SHA512

    26f8949cad02334f9942fda8509579303b81b11bc052a962c5c31a7c6c54a1c96957f30ee241c2206d496d2c519d750d7f6a12b52afdb282fa706f9fee385133

    Download Submit

  • \Windows\Installer\MSIBCF0.tmp
    Filesize

    96KB

    MD5

    3cab78d0dc84883be2335788d387601e

    SHA1

    14745df9595f190008c7e5c190660361f998d824

    SHA256

    604e79fe970c5ed044517a9a35e4690ea6f7d959d21173ebef45cdd3d3a22bdd

    SHA512

    df6b49f2b5cddebd7e23e81b0f89e4883fc12d95735a9b3f84d2f402f4996c54b5fdea8adb9eaa98e8c973b089656d18d6b322bd71cb42d7807f7fa8a7348820

    Download Submit