55ff23173fd9a290f2d8a8821bad30e41be053f755e609ca568f315a9395e6a2

Analysis

max time kernel
38s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-01-2025 17:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

absetup42.rar
Size

4.1MB
MD5

1e966c8b75ed5be8ba01bc9af3551fc1
SHA1

72dfd7ea793f824843d5434ac713584f1366ac13
SHA256

13cdeaca73ff9befeb4fda4e68a9e73bd264d13ade4e2e3f8e459b974586dcf1
SHA512

201e3c89558689a4e92375a6f416d54aa48b2ff2baf1fd8adb65be3eda23e0d110875c118d9bf744a707a7e6864c9f3a7c8b8e32b9a24963061c1fd6d591c301
SSDEEP

98304:F+j46QHpulKcYM6a6qMuFBMaCxPxgoA6LhwzdDuAALJ:FQculKc36g9LCxP86LjLJ

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1720	Exlan_setup_v3.1.2.exe
4736	Exlan_setup_v3.1.2.exe

Loads dropped DLL 12 IoCs

pid	Process
1720	Exlan_setup_v3.1.2.exe
4668	WerFault.exe
4668	WerFault.exe
4668	WerFault.exe
4668	WerFault.exe
4668	WerFault.exe
4736	Exlan_setup_v3.1.2.exe
5408	WerFault.exe
5408	WerFault.exe
5408	WerFault.exe
5408	WerFault.exe
5408	WerFault.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4668	1720	WerFault.exe	31
5408	4736	WerFault.exe	33

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Exlan_setup_v3.1.2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Exlan_setup_v3.1.2.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1720	Exlan_setup_v3.1.2.exe
1708	7zFM.exe
4736	Exlan_setup_v3.1.2.exe
1708	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1708	7zFM.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeRestorePrivilege	1708	7zFM.exe
Token: 35	1708	7zFM.exe
Token: SeSecurityPrivilege	1708	7zFM.exe
Token: SeDebugPrivilege	1720	Exlan_setup_v3.1.2.exe
Token: SeDebugPrivilege	1720	Exlan_setup_v3.1.2.exe
Token: SeSecurityPrivilege	1708	7zFM.exe
Token: SeDebugPrivilege	4736	Exlan_setup_v3.1.2.exe
Token: SeDebugPrivilege	4736	Exlan_setup_v3.1.2.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1708	7zFM.exe
1708	7zFM.exe
1708	7zFM.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 1720	1708	7zFM.exe	31
PID 1708 wrote to memory of 1720	1708	7zFM.exe	31
PID 1708 wrote to memory of 1720	1708	7zFM.exe	31
PID 1708 wrote to memory of 1720	1708	7zFM.exe	31
PID 1708 wrote to memory of 1720	1708	7zFM.exe	31
PID 1708 wrote to memory of 1720	1708	7zFM.exe	31
PID 1708 wrote to memory of 1720	1708	7zFM.exe	31
PID 1720 wrote to memory of 4668	1720	Exlan_setup_v3.1.2.exe	32
PID 1720 wrote to memory of 4668	1720	Exlan_setup_v3.1.2.exe	32
PID 1720 wrote to memory of 4668	1720	Exlan_setup_v3.1.2.exe	32
PID 1720 wrote to memory of 4668	1720	Exlan_setup_v3.1.2.exe	32
PID 1708 wrote to memory of 4736	1708	7zFM.exe	33
PID 1708 wrote to memory of 4736	1708	7zFM.exe	33
PID 1708 wrote to memory of 4736	1708	7zFM.exe	33
PID 1708 wrote to memory of 4736	1708	7zFM.exe	33
PID 1708 wrote to memory of 4736	1708	7zFM.exe	33
PID 1708 wrote to memory of 4736	1708	7zFM.exe	33
PID 1708 wrote to memory of 4736	1708	7zFM.exe	33
PID 4736 wrote to memory of 5408	4736	Exlan_setup_v3.1.2.exe	34
PID 4736 wrote to memory of 5408	4736	Exlan_setup_v3.1.2.exe	34
PID 4736 wrote to memory of 5408	4736	Exlan_setup_v3.1.2.exe	34
PID 4736 wrote to memory of 5408	4736	Exlan_setup_v3.1.2.exe	34

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\absetup42.rar"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Users\Admin\AppData\Local\Temp\7zOCA6F24D6\Exlan_setup_v3.1.2.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOCA6F24D6\Exlan_setup_v3.1.2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 680
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:4668
- C:\Users\Admin\AppData\Local\Temp\7zOCA694C07\Exlan_setup_v3.1.2.exe
  "C:\Users\Admin\AppData\Local\Temp\7zOCA694C07\Exlan_setup_v3.1.2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4736
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 648
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:5408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

Filesize
742KB

MD5
544cd51a596619b78e9b54b70088307d

SHA1
4769ddd2dbc1dc44b758964ed0bd231b85880b65

SHA256
dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd

SHA512
f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719

Download Submit
memory/1720-56-0x0000000005610000-0x0000000005718000-memory.dmp

Filesize
1.0MB

Download
memory/1720-24-0x0000000005610000-0x0000000005718000-memory.dmp

Filesize
1.0MB

Download
memory/1720-18-0x0000000005610000-0x000000000571E000-memory.dmp

Filesize
1.1MB

Download
memory/1720-19-0x0000000005610000-0x0000000005718000-memory.dmp

Filesize
1.0MB

Download
memory/1720-28-0x0000000005610000-0x0000000005718000-memory.dmp

Filesize
1.0MB

Download
memory/1720-82-0x0000000005610000-0x0000000005718000-memory.dmp

Filesize
1.0MB

Download
memory/1720-58-0x0000000005610000-0x0000000005718000-memory.dmp

Filesize
1.0MB

Download
memory/1720-78-0x0000000005610000-0x0000000005718000-memory.dmp

Filesize
1.0MB

Download
memory/1720-76-0x0000000005610000-0x0000000005718000-memory.dmp

Filesize
1.0MB

Download
memory/1720-72-0x0000000005610000-0x0000000005718000-memory.dmp

Filesize
1.0MB

Download
memory/1720-70-0x0000000005610000-0x0000000005718000-memory.dmp

Filesize
1.0MB

Download
memory/1720-68-0x0000000005610000-0x0000000005718000-memory.dmp

Filesize
1.0MB

Download
memory/1720-66-0x0000000005610000-0x0000000005718000-memory.dmp

Filesize
1.0MB

Download
memory/1720-64-0x0000000005610000-0x0000000005718000-memory.dmp

Filesize
1.0MB

Download
memory/1720-62-0x0000000005610000-0x0000000005718000-memory.dmp

Filesize
1.0MB

Download
memory/1720-1195-0x00000000026B0000-0x000000000272E000-memory.dmp

Filesize
504KB

Download
memory/1720-1196-0x0000000002610000-0x000000000265C000-memory.dmp

Filesize
304KB

Download
memory/1720-54-0x0000000005610000-0x0000000005718000-memory.dmp

Filesize
1.0MB

Download
memory/1720-80-0x0000000005610000-0x0000000005718000-memory.dmp

Filesize
1.0MB

Download
memory/1720-17-0x00000000003D0000-0x00000000003E0000-memory.dmp

Filesize
64KB

Download
memory/1720-60-0x0000000005610000-0x0000000005718000-memory.dmp

Filesize
1.0MB

Download
memory/1720-52-0x0000000005610000-0x0000000005718000-memory.dmp

Filesize
1.0MB

Download
memory/1720-50-0x0000000005610000-0x0000000005718000-memory.dmp

Filesize
1.0MB

Download
memory/1720-48-0x0000000005610000-0x0000000005718000-memory.dmp

Filesize
1.0MB

Download
memory/1720-46-0x0000000005610000-0x0000000005718000-memory.dmp

Filesize
1.0MB

Download
memory/1720-44-0x0000000005610000-0x0000000005718000-memory.dmp

Filesize
1.0MB

Download
memory/1720-42-0x0000000005610000-0x0000000005718000-memory.dmp

Filesize
1.0MB

Download
memory/1720-40-0x0000000005610000-0x0000000005718000-memory.dmp

Filesize
1.0MB

Download
memory/1720-38-0x0000000005610000-0x0000000005718000-memory.dmp

Filesize
1.0MB

Download
memory/1720-36-0x0000000005610000-0x0000000005718000-memory.dmp

Filesize
1.0MB

Download
memory/1720-34-0x0000000005610000-0x0000000005718000-memory.dmp

Filesize
1.0MB

Download
memory/1720-32-0x0000000005610000-0x0000000005718000-memory.dmp

Filesize
1.0MB

Download
memory/1720-30-0x0000000005610000-0x0000000005718000-memory.dmp

Filesize
1.0MB

Download
memory/1720-26-0x0000000005610000-0x0000000005718000-memory.dmp

Filesize
1.0MB

Download
memory/1720-12-0x0000000000BD0000-0x00000000010BC000-memory.dmp

Filesize
4.9MB

Download
memory/1720-22-0x0000000005610000-0x0000000005718000-memory.dmp

Filesize
1.0MB

Download
memory/1720-20-0x0000000005610000-0x0000000005718000-memory.dmp

Filesize
1.0MB

Download
memory/1720-74-0x0000000005610000-0x0000000005718000-memory.dmp

Filesize
1.0MB

Download
memory/1720-1197-0x0000000005190000-0x00000000051E4000-memory.dmp

Filesize
336KB

Download
memory/4736-1215-0x0000000000F30000-0x000000000141C000-memory.dmp

Filesize
4.9MB

Download