1d443652e90ef6bf2621a5103a5f063c91112db61a070bc54ce3292e2d145c76

Analysis

max time kernel
1791s
max time network
1496s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
27/07/2024, 13:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

2.3MB
MD5

2f8b840baee8068d9c2d2403d4a66053
SHA1

11342c24e4186c9b50655fd368b4e0526a41a571
SHA256

1d443652e90ef6bf2621a5103a5f063c91112db61a070bc54ce3292e2d145c76
SHA512

9d850a0dc32004a39874e001afb87de1cd9c0109dbcc60efd7e026fb3647ad2acf4168b4723d7a5ed6f9228f29090f2c6f41411cec9f7660deac9f9b74545d13
SSDEEP

49152:BC2guWj1GHvHREHHj+x8aiGDkX/6NRSj9ZepsWm6My5/:BCRJGPA+eGDkX/6/mFWPMu/

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1148	setup.tmp

Loads dropped DLL 9 IoCs

pid	Process
1148	setup.tmp
1148	setup.tmp
1148	setup.tmp
1148	setup.tmp
1148	setup.tmp
1148	setup.tmp
1148	setup.tmp
1148	setup.tmp
1148	setup.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4188 wrote to memory of 1148	4188	setup.exe	81
PID 4188 wrote to memory of 1148	4188	setup.exe	81
PID 4188 wrote to memory of 1148	4188	setup.exe	81

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4188
- C:\Users\Admin\AppData\Local\Temp\is-POUBM.tmp\setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-POUBM.tmp\setup.tmp" /SL5="$50228,1976141,278528,C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-J2EQ2.tmp\Button0.bmp

Filesize
17KB

MD5
fd21d8c6cd2f3dcb7204e32ea4aeb7b2

SHA1
c52a52ba53e47e604e7b096e2b87526a0235c690

SHA256
88397432a185f033105cf9eac099c1bcba22851f414e18646ea85ebc9d170d38

SHA512
6420539366ce304b1b675042c7ab5c465b8a178cb718f185504a62236860369f3c1e44c6226284f750de1602a6960d450728545e66cde8adb307ab2edd29fb69

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-J2EQ2.tmp\Button1.png

Filesize
9KB

MD5
371fe7ec669cc46c63fb24665662cce6

SHA1
0bc54ae452e1f7bf1cbef34cab64cb2be007b2bc

SHA256
19de14f39dcf61101e08b6c80a4eaaab123ce403655339726e2b3df5503cb1bf

SHA512
d64b131f02ea1a7e6169be8622ccec275c82eac343c04479fe34e232aa402c41fbbe51c70eefbb5e55e3a5a378d1eac55c3b116c910adddb94d922fb1bf2420e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-J2EQ2.tmp\Button2.png

Filesize
25KB

MD5
42ccfbcc4989c0044f30dbca4544a9c3

SHA1
7221749a0750fd87815e2822b0ca2ebbc2fa82e8

SHA256
ed98bebbff88e986a5a19e1041551d15144cbc20526db2f12e95dc133b42b27e

SHA512
0297e4a120c8ef7613c2728134658d807739e90bc5504b2238844560f37dff1801eb92089336bc66df592c60c8152b0bb8aca402d16a2420d3c630d314b39212

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-J2EQ2.tmp\Button3.png

Filesize
5KB

MD5
ba0c253e14a0f1dff75ffa2c0cf442d7

SHA1
7a299bffea701c319f9b5348d61d8c9eebc247db

SHA256
4300e55a0e51dab2f9ddd0a15d037b62bea53b4f79adfc0716ba0c64a471f82b

SHA512
39532d40c2a2a1be61cf2e9980edd434341595deb27ee7bd489bcda8184bc615a1ae739f602683c2b66aabeb4ef076d667fc24437e33373f1326b42cf28d34b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-J2EQ2.tmp\CallbackCtrl.dll

Filesize
4KB

MD5
f07e819ba2e46a897cfabf816d7557b2

SHA1
8d5fd0a741dd3fd84650e40dd3928ae1f15323cc

SHA256
68f42a7823ed7ee88a5c59020ac52d4bbcadf1036611e96e470d986c8faa172d

SHA512
7ed26d41ead2ace0b5379639474d319af9a3e4ed2dd9795c018f8c5b9b533fd36bfc1713a1f871789bf14884d186fd0559939de511dde24673b0515165d405af

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-J2EQ2.tmp\ISDone.dll

Filesize
445KB

MD5
d698a0e730b33864de777c9b35716037

SHA1
12f8df8c6bd05d490b5b4b81ce6fd83375f20152

SHA256
ad5f199e774575c6087c55995123ea4ddddda732531a408105090735f8e3db47

SHA512
d225561c322711d7b55c763a70466fa1cabd2904132646ee9e5191b2005663f8f8560f78f4d3baea81337d2642c2912fd220da8e503b7265b6f0b4cb43cb5682

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-J2EQ2.tmp\IsProgressBar.dll

Filesize
154KB

MD5
3aa93aebd65e6816be4829e57f58e0c2

SHA1
37ea752eae1ae3e3630776d26d09b446e86cf83a

SHA256
1e25cf231be401d20c332afc3e399ce4323340612cd8ef4ce344f080aab2c283

SHA512
7ff18e1b3405860fc8880b6c4cd85e15b9b68587436bbb2d3153154f571dd70a0d3f8ec651686478b2f66e7407ce7ab59cb81f35be9f8c8bcb7ab78e4c9de5f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-J2EQ2.tmp\SDWImage5.png

Filesize
2KB

MD5
140bd17e403c23b9945eb5538468d51e

SHA1
9aa8adbf34d052dfd3a010afe6f964913fd4997f

SHA256
eac59ca2e68d44f2ce9c54c5ff0ae418f756f013f5b5f646f28c054e6ea7cd8c

SHA512
a6feb1d03795b64171b495d750f787a67a1b378c8ce44ca8dcef98f639cbafde7db003ddf6c069f3d04804967da4ca57fd2bdeb4a5ca744b0d55a22f351631df

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-J2EQ2.tmp\botva2.dll

Filesize
35KB

MD5
0177746573eed407f8dca8a9e441aa49

SHA1
6b462adf78059d26cbc56b3311e3b97fcb8d05f7

SHA256
a4b61626a1626fdabec794e4f323484aa0644baa1c905a5dcf785dc34564f008

SHA512
d4ac96da2d72e121d1d63d64e78bcea155d62af828324b81889a3cd3928ceeb12f7a22e87e264e34498d100b57cdd3735d2ab2316e1a3bf7fa099ddb75c5071a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-J2EQ2.tmp\innocallback.dll

Filesize
63KB

MD5
1c55ae5ef9980e3b1028447da6105c75

SHA1
f85218e10e6aa23b2f5a3ed512895b437e41b45c

SHA256
6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f

SHA512
1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-POUBM.tmp\setup.tmp

Filesize
1.1MB

MD5
84cc8071f3d854fa57953832d3552b46

SHA1
828db9941f36508f62fdfd379018aea50cb43d5a

SHA256
d22b56278d694e65315db52ea17ae686bacfe270b226c0d371a920c803fdc3e3

SHA512
63b022d50d4c1924501047aec59790b59105f653d5cf41425395e5e99cebf7af3b26204363c01be119c3d2e22b12e8dd5bc9b509b3e74250404c01b1b9823359

Download Submit
memory/1148-24-0x0000000002590000-0x00000000025A5000-memory.dmp

Filesize
84KB

Download
memory/1148-12-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/1148-63-0x0000000006E40000-0x0000000006E4E000-memory.dmp

Filesize
56KB

Download
memory/1148-35-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/1148-33-0x0000000006C00000-0x0000000006C68000-memory.dmp

Filesize
416KB

Download
memory/1148-34-0x0000000006C00000-0x0000000006C68000-memory.dmp

Filesize
416KB

Download
memory/1148-17-0x0000000006A80000-0x0000000006AF6000-memory.dmp

Filesize
472KB

Download
memory/1148-176-0x0000000006E40000-0x0000000006E4E000-memory.dmp

Filesize
56KB

Download
memory/1148-174-0x0000000002590000-0x00000000025A5000-memory.dmp

Filesize
84KB

Download
memory/1148-175-0x0000000006C00000-0x0000000006C68000-memory.dmp

Filesize
416KB

Download
memory/1148-160-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/1148-164-0x0000000006E40000-0x0000000006E4E000-memory.dmp

Filesize
56KB

Download
memory/1148-163-0x0000000006C00000-0x0000000006C68000-memory.dmp

Filesize
416KB

Download
memory/1148-162-0x0000000002590000-0x00000000025A5000-memory.dmp

Filesize
84KB

Download
memory/1148-161-0x0000000006A80000-0x0000000006AF6000-memory.dmp

Filesize
472KB

Download
memory/1148-173-0x0000000006A80000-0x0000000006AF6000-memory.dmp

Filesize
472KB

Download
memory/4188-0-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4188-159-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/4188-2-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download