Analysis
- max time kernel: 136s
- max time network: 159s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-02-2024 05:15
Behavioral tasks
- behavioral1: Sample 0fa48a6368effe6c9373dd34f9f26bf7f0a2050aab330cefc5acc6de5030ecb6.exe, Resource win7-20231215-en
- behavioral2: Sample 0fa48a6368effe6c9373dd34f9f26bf7f0a2050aab330cefc5acc6de5030ecb6.exe, Resource win10v2004-20231222-en
- behavioral3: Sample $1/1337/ExLoader_Installer.exe, Resource win7-20231215-en
- behavioral4: Sample $1/1337/ExLoader_Installer.exe, Resource win10v2004-20231215-en
- behavioral5: Sample $1/1337/MinerMega.exe, Resource win7-20231215-en
- behavioral6: Sample $1/1337/MinerMega.exe, Resource win10v2004-20231222-en
- behavioral7: Sample $PLUGINSDIR/System.dll, Resource win7-20240215-en
- behavioral8: Sample $PLUGINSDIR/System.dll, Resource win10v2004-20231215-en
General
- Target: $1/1337/ExLoader_Installer.exe
- Size: 19.8MB
- MD5: afcb0e5c7c35c05970a74a1aab5fe12e
- SHA1: 42eacb7a9594ee0a6242d3bc3c33b6c60b3fc319
- SHA256: f1e92828ebf9e2443f36c03a5a66a4fba4bd8744ecf5bbf59fc69c84d7a95d18
- SHA512: fe62d4b1ec93a21a7b1f80e5f42b17c0c43d794b99e7e87fb6fea86d82ac080d76dcf9a3e96516303ccaf88b8101523a23f5b7f560bd3f4bb2745ac1f71b4dfb
- SSDEEP: 393216:QuTOvTuAnHmMgEMSb6qLdTcmtgt+BDMncawXAKaVnayxZtFDtq:dUTPGMzpbpT8+BInf46VnvHrJq
Malware Config
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\International\Geo\Nation | ExLoader_Installer.exe
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
    2440 | ExLoader_Installer.exe
- Loads dropped DLL (6 IoCs)
  Processes (pid | process):
    2440 | ExLoader_Installer.exe (×6)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes (pid | process):
    2440 | ExLoader_Installer.exe (×2)
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes (description | pid | process | target process):
    PID 4024 wrote to memory of 2440 | 4024 | ExLoader_Installer.exe | ExLoader_Installer.exe (×2)
    PID 2440 wrote to memory of 4052 | 2440 | ExLoader_Installer.exe | cmd.exe (×2)
    PID 4052 wrote to memory of 4156 | 4052 | cmd.exe | reg.exe (×2)
    PID 2440 wrote to memory of 1276 | 2440 | ExLoader_Installer.exe | cmd.exe (×2)
    PID 1276 wrote to memory of 656 | 1276 | cmd.exe | reg.exe (×2)
Processes
- C:\Users\Admin\AppData\Local\Temp\$1\1337\ExLoader_Installer.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\$1\1337\ExLoader_Installer.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe"
    Signatures: Executes dropped EXE; Loads dropped DLL; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\cmd.exe
      Command line: C:\Windows\System32\cmd.exe /C C:\Windows\System32\reg.exe query HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography /v MachineGuid
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\System32\reg.exe
        Command line: C:\Windows\System32\reg.exe query HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography /v MachineGuid
    - C:\Windows\System32\cmd.exe
      Command line: C:\Windows\System32\cmd.exe /C C:\Windows\System32\reg.exe query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\System32\reg.exe
        Command line: C:\Windows\System32\reg.exe query HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography /v MachineGuid
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe
  Filesize: 160KB
  MD5: 2ead84d84868efb13f8ef2cc9899905a
  SHA1: 5b044f580c052eef4c2ab9e3f772446b2280ecde
  SHA256: 03377f1e71e58a58646b9443fa86c8d5e27d5457b08976b07c44a192b210f93b
  SHA512: 2065f2a79afac4fca286550a59cf98fd723e590591fc2272e26d9d1aa83cb21b5bf85cf2e55860d4dd7b313daac094049ab52f04e1fd6be309f17cb4bb7b2e5a
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\d3dcompiler_47.dll
  Filesize: 499KB
  MD5: 997014621f43f611ba743054bbecccfb
  SHA1: 89d5afb7788d9ac3d868ebcc8cb7886c2fb2cf0b
  SHA256: 0bb3b1677c7ca4942b58afb5c9b530a011cc2324e8316d8cc33fb687a243b8ac
  SHA512: 4c7d6dc96bd69523317c0c4a9f5c62cf110ea03c832dc4939a14641bc1e62ca3c7ca90ff0969bf4ee14ac86bab98adec617ee817cda53c94444db87cedb652d1
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\d3dcompiler_47.dll
  Filesize: 125KB
  MD5: 1660dbb63a5a2d213a3f4ca01b650065
  SHA1: 4db3fd5690c3a07196861af69d8c1bd1f210d5af
  SHA256: 7686f247fd0b29301b06b8593050db8e20a3cd3ac5444e186587258ac5ae4fc4
  SHA512: 3cb364c6bbebec7200bdc4e7c71b6edf50ce127676d4ed409db0ead23c760266c5b403efb6489708578bb572fa72e27c62e444e2d1a547f6748dad4fd88eeb7c
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\app.so
  Filesize: 502KB
  MD5: 9f6fc72e42f78665a6dd0930d0932c93
  SHA1: 11f98715f2ad651907b8eb1b35724aac33ea7eac
  SHA256: 3142987b29b157cce40d9577068a4fd2db92721eb0321b7df9fb211c304fd94f
  SHA512: ab1f1edd7f80dedaa2035b9e9f17e72b216785c1579b101e3cb42489b6a0b1f6a3d3471fa35a36805847a26111931a5542daaa2b1148df00a8d2652857720387
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\AssetManifest.bin
  Filesize: 36KB
  MD5: 37319e9e5131c88c5169e044dfd432fb
  SHA1: f8207003744b2cf6d6ebd6080c9afe5925904a0d
  SHA256: f50d907a3487cfbff2fe04f6eca8f38c968d52c971c8044a9e9d39286becf735
  SHA512: 3e8750f329f936622e55162003b73a57a808db1a3c408fcabb0a3653c5126b0848e1df1b84bac54406b5c365b8a89cf4c29d41774c97b8c393457e308f994b65
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\FontManifest.json
  Filesize: 687B
  MD5: 08916680285af6ddf4adbd1dd265487d
  SHA1: e5fa77912a69248aab08714c5b605df62c469f33
  SHA256: ef252f80a090c0ae1499c34148c27f3e982100b25c8daa9921d102343383f751
  SHA512: 68c9858777147a6a1c4932c13149aba4bb97453a3aface4c80077a5746ed493c811e36cd89b838e34429e91b1833b1866177b4bfc216129d555f310fe71a108f
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\backgrounds\Warcraft.jpg
  Filesize: 52KB
  MD5: a48a77f8b3f8f7e6a9661776472b14c0
  SHA1: 7118461b780b558939a325a319e8515edbbedef1
  SHA256: 2e58bd1444d8452ba963e877601e8942a1560abdd44c16ed33580148322234ba
  SHA512: f6a8a2844d872b650fc6342f809198bf078cf2d472c1b43f18529a0216393f6494202ab3b95ffef560fdba4bee7a4c6a85be49d9151cbd52c0c870d65c6e47fe
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\flags\RE.png
  Filesize: 2KB
  MD5: 23f2c7dc04bfe492598bc440f57114af
  SHA1: c30b386b7138a1d89b90f0e679ef58f4c545ba42
  SHA256: 94a0c4bc3aa825e44d36b0a463f9bfb012c2156392594a8ac6d76b389776e3a9
  SHA512: edbc28f9f61ad48ac02e1bcb0f862249b5baf352289e068cb5df5552b5e9752a205e7b093b7caedccf4230186659d4b12579433ae8141b5129a5a6cf4c6bc5f2
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\flags\SJ.png
  Filesize: 2KB
  MD5: bf25a4249d34f915ec1a246a468290cc
  SHA1: 5cc47373c11ff0488929124e18e280c7eb36b232
  SHA256: 0dd0e0a0d72ff4179b11afd5367a72b000de4a5c5ea0362f1f1723f80a3a2d22
  SHA512: 982fbc34c0c0ccad148b6745185af317bbe12215e08c879c6a06a7073d2afbcbc70c4fed9e028cc91a6a1eaa1fece064dbddf415a4b97a799dbfb1debcc02337
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\fonts\Raleway-Black.ttf
  Filesize: 159KB
  MD5: 35e0e2e7a5b03275ba569a214edbab77
  SHA1: b341b185db9c7231884558dcdab0124d2f5ed1d0
  SHA256: 2d1149ca6075e3559fa4234107474b3b500bc479baa0bdaa8a99563a587c62f5
  SHA512: e3d752d8fd5a7306dcf8fc428b72df1668991b7152b66fba41e365cc61626f8ddfc8092dbcbc2b2ef3acea5c09496e83af2a2208cdd5b66e7ff3267b2bf2f0d4
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\fonts\Raleway-Bold.ttf
  Filesize: 131KB
  MD5: 61075e83bdf4a4248e8633856c8a80d8
  SHA1: 1b1a751b77aecf2a19bc7d34acc5655674f213c2
  SHA256: 0d3c52db4329a7a7c02c0c8acdb7a140e702c2f6eb286c8d32e7cd54472b37a9
  SHA512: 4a414adc407e887a0ebec79c458ac7b2c04e8e116f4698dd68f3f7c1ee7c29a8044965970249f45af0ed0212fbe368c743a04ce503de84d0ebf91105bf3eb5c0
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\fonts\Raleway-ExtraBold.ttf
  Filesize: 159KB
  MD5: 27f7ef17de3691b5cdb9f1ee1ee5cc6a
  SHA1: 1c92715c134738f2956bf758181522243c7586dd
  SHA256: 118e237edf796dd76c453e912a4f445816e918bc3ff1d3941b2548c0a8fdfe29
  SHA512: 6d5c68056a37d989f64528c092680416c1300c95471be43ebddff7b579bcae9dfa7f402ab422406bf3a4a3df728b4af1e68e15e385b49221847f48e0bc59f228
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\fonts\Raleway-Medium.ttf
  Filesize: 159KB
  MD5: b952c3c81ba34b54c66c748ea1e828a7
  SHA1: 9d35f805e98f95e72f5d0a4ced7397584d7349be
  SHA256: f5a6dcd3227d1a75db47a6770e617d8077cba42c146d1d6479ae394431c7d40e
  SHA512: 30ddc9f9fd2916b3ac846cac60c93b5f89057a1369ffd38ccf569a6eba3dff6be10408ad7413257e794e94a46e68e67105fae28f1ce95544485edbe85842a420
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\fonts\Raleway-SemiBold.ttf
  Filesize: 159KB
  MD5: 87641f9900d717d6bfbf108b8755868e
  SHA1: 75f4fca0d4d80e2b9a62d3283261e933786fb8c1
  SHA256: 564368e49d2d7d65005649278c3e042d6954df5e5dee3874a3b548ad067db0cc
  SHA512: a319660d6457efd705c291aa5445146f77e2d099ac26be3f48963b9846cb0f3cfaaee1fbd1e9acb5a7ebb74d39b541d00c76fd50932b388cee7ff54da2ef40ac
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\icons\close.svg
  Filesize: 201B
  MD5: 7f8d672a2849987b498734dcb90f0c51
  SHA1: e53b9319bf964c15099080ac5497ee39f8bab362
  SHA256: 4a290648cd1cfaaf1db4909d7552ae8cb83cb0b0e36770e64d153ab07ce6e7d4
  SHA512: b3ddbf719f42440238c55cee896409179b4562ffe74f607d3640f623c8264c2fd2000b085dfd9a25ffd8ba2166695dcd663efec56cdac679f9993cfb602459d4
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\icons\collapse.svg
  Filesize: 195B
  MD5: ad6092934dc48be9d00331e6f21eb235
  SHA1: 29cd8e5478e432b386382caf6ac7b3537b108c33
  SHA256: 2e0eb48ef144b771903a2ee5096ac4305ef43c830d2905f46b0384a07f5f4090
  SHA512: 38254a977c1a74515ed6184b5ebb3b1b3125db4b713a2de69aee9dc54912a9e869fede36423548e9ebf8cfc66e6711738789ee2c33f6f3af74def779eb7e5afd
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\flutter_assets\resources\images\grain.png
  Filesize: 79KB
  MD5: 3577f702479e7f31a32a96f38a36e752
  SHA1: e407b9ac4cfe3270cdd640a5018bec2178d49bb1
  SHA256: cc453dfe977598a839a52037ef947388e008e5cdfe91b1f1a4e85afb5509bee2
  SHA512: 1a4a03931ab56c8352382414f55eb25b324e11890d51ba95597dbd867b35db45db5adcefb47d95b3763f413a66e3228e59531bdbd5ba5541469196adb5eb3d70
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\data\icudtl.dat
  Filesize: 196KB
  MD5: b7d320dd45aa859ebd83c350d3e13e99
  SHA1: e6c37b32d483fa52a47dbd01dc9c9b25cb9b2f3b
  SHA256: c17b63ddbeb0481294e5f5c033faf88967bfd8a6c1faeaf8b6da0d7b4fc47a98
  SHA512: 83692c184c265ef3a99d6c1f3a2bd7eeadbd7597b224051255f45079df354c60e73389b7b3cdc983f8bcd78d80cd5adade6914091db81088540ec1d281fc232c
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\flutter_windows.dll
  Filesize: 1.2MB
  MD5: 052197821505cd2e2d08c4a9f725198b
  SHA1: 1309a08951c8b84b7ce441c30e853985fb9a0bb2
  SHA256: 23a412047482fe9aa63553bc5ccc3f52e091da127bf74159c6689ac1f1cba2c0
  SHA512: f699581c1a0b828e390a1870669bbca45f18f89300130728f4a2b12225a7f13553d3689f82f0608a2a1c280b823a461065d0b876863ab417fd5d815c851c67fd
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\flutter_windows.dll
  Filesize: 745KB
  MD5: 5b2995d73d6ddb675750926605cabdbd
  SHA1: a4956d4dd0d2a83620364a2991e8f801c88e5e89
  SHA256: c661adf87b490ab3dfe3314dfe34f636b2bae2334a3cfe4622436e05b7e1699b
  SHA512: 181574f9abd7d04b62f36c9414921dc44540017850a213e4badf471c3b703fe474570d093af3551393bcaadf7702a17875fa07b6070ec6d95646edc04d015dc4
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\msvcp140.dll
  Filesize: 554KB
  MD5: 9aeacfd60c19fdb1af926ecf7e6eab87
  SHA1: e18684b140af095c25628fcc599b600b2ef999a9
  SHA256: 7bb664a486e941d0f6004ef1eb48773c7c5f1be5f1cbf1aa5f9819a215863d5d
  SHA512: 8a9654018313ab79af95a92745b4faaa87b62210506bfd788919769878a43efaf6e48494b8b2c7ad6155adebb8b07cae0f06ef734e9042c858478e95e911c656
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\vcruntime140.dll
  Filesize: 94KB
  MD5: c8e5574247f5a2468f71b53fc0279594
  SHA1: c28d7c9cad48882beaeed0fba15cbc11fc2f949c
  SHA256: 0373c0cd6856950dee1b1a9e3ddb896099c6c823f6e46dc00802fed19dbd58d0
  SHA512: d244d3879cbdfd22bd94eb7d4950916b5999d6c012b0287a8807a110f1bc80266049f4d0563b97bb0154bcde7480ffcba07e9f7e66fc2ac20020e3c77792df81
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\vcruntime140_1.dll
  Filesize: 36KB
  MD5: 35628f1d136c003699382ea7d489cb16
  SHA1: 30dfd392927161182224f0e6b8aace235a00fbea
  SHA256: 0d6f93c5d19530a1623798f936468bc0934c1795545dd000b8812539b3e308cf
  SHA512: 558e6d729d39f25584191804e3b60f8fe8e9e950d58cd8f82eeaecb45c5bc86f2b9e9ac499ddabbee7dfe6a6ac6cb44cf63ced6e8105405ab9b314b5005d9cf5
- C:\Users\Admin\AppData\Roaming\com.swiftsoft\ExLoader_Installer\shared_preferences.json
  Filesize: 246B
  MD5: 9685c93ae3846dd1bc64c494d5d834b7
  SHA1: 5006c1e1d4343c3c49b473eb57ed6347f41cf566
  SHA256: 48282faf58cc86b9b994240949c6c4732ea53467235bb1aa2aaf1387ec62f6a5
  SHA512: 88a5c479d611b18fa17995039b9ea751945110511ffa4ccffd2e614f07e19307bbe81491b44469dd46d62c8df83e109d1e42dd50b3aa6372a6c9ef042e863b88
- memory/2440-1102-0x0000021106700000-0x0000021106701000-memory.dmp
  Filesize: 4KB
- memory/2440-1101-0x0000021106860000-0x000002110765D000-memory.dmp
  Filesize: 14.0MB
- memory/2440-1100-0x0000021106860000-0x000002110765D000-memory.dmp
  Filesize: 14.0MB
- memory/2440-1099-0x0000021106860000-0x000002110765D000-memory.dmp
  Filesize: 14.0MB
- memory/2440-1098-0x00000211066F0000-0x00000211066F1000-memory.dmp
  Filesize: 4KB