b738c41b8edaed371228bc720f93e0ae5948084e62738dbd2f7d5de2ddfe2a3b

Analysis

max time kernel
122s
max time network
122s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
08-08-2024 20:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GetGoDMWebInstaller.exe
Size

1.2MB
MD5

aed283d0b46486c01632fb3084b38d3b
SHA1

78d8fe507340ffc7fc61924b91410bb8dc08e327
SHA256

b738c41b8edaed371228bc720f93e0ae5948084e62738dbd2f7d5de2ddfe2a3b
SHA512

463a1851fb5c87261cd3f72e7154fd31461166d12e7b482cf651bd800cc1662555b18e38962f7678796a2f4198654571fbded5e3e061f4695861b4cce1033346
SSDEEP

24576:6UUfyV/OwlPEZTHBGR3JXlxXnr4s8cdckgrD+XWNW8LQSK:68/rlPEhURZVF4sDxgr08PLK

Score

6^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

Processes:

GetGoWIClient.exeGetGo Download Manager.exe

pid	Process
2264	GetGoWIClient.exe
2776	GetGo Download Manager.exe

Loads dropped DLL 5 IoCs

Processes:

GetGoDMWebInstaller.exeGetGoWIClient.exeGetGo Download Manager.exe

pid	Process
2244	GetGoDMWebInstaller.exe
2264	GetGoWIClient.exe
2776	GetGo Download Manager.exe
2776	GetGo Download Manager.exe
2776	GetGo Download Manager.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

GetGoDMWebInstaller.exeGetGoWIClient.exeGetGo Download Manager.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GetGoDMWebInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GetGoWIClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GetGo Download Manager.exe

NSIS installer 2 IoCs

installer

Processes:

resource	yara_rule
behavioral1/files/0x0005000000019db1-30.dat	nsis_installer_1
behavioral1/files/0x0005000000019db1-30.dat	nsis_installer_2

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

GetGo Download Manager.exe

pid	Process
2776	GetGo Download Manager.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

GetGoWIClient.exe

pid	Process
2264	GetGoWIClient.exe
2264	GetGoWIClient.exe
2264	GetGoWIClient.exe
2264	GetGoWIClient.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

GetGoDMWebInstaller.exeGetGoWIClient.exe

description	pid	Process	procid_target
PID 2244 wrote to memory of 2264	2244	GetGoDMWebInstaller.exe	30
PID 2244 wrote to memory of 2264	2244	GetGoDMWebInstaller.exe	30
PID 2244 wrote to memory of 2264	2244	GetGoDMWebInstaller.exe	30
PID 2244 wrote to memory of 2264	2244	GetGoDMWebInstaller.exe	30
PID 2244 wrote to memory of 2264	2244	GetGoDMWebInstaller.exe	30
PID 2244 wrote to memory of 2264	2244	GetGoDMWebInstaller.exe	30
PID 2244 wrote to memory of 2264	2244	GetGoDMWebInstaller.exe	30
PID 2264 wrote to memory of 2776	2264	GetGoWIClient.exe	32
PID 2264 wrote to memory of 2776	2264	GetGoWIClient.exe	32
PID 2264 wrote to memory of 2776	2264	GetGoWIClient.exe	32
PID 2264 wrote to memory of 2776	2264	GetGoWIClient.exe	32
PID 2264 wrote to memory of 2776	2264	GetGoWIClient.exe	32
PID 2264 wrote to memory of 2776	2264	GetGoWIClient.exe	32
PID 2264 wrote to memory of 2776	2264	GetGoWIClient.exe	32

C:\Users\Admin\AppData\Local\Temp\GetGoDMWebInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\GetGoDMWebInstaller.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Users\Admin\AppData\Local\Temp\GetGoWIClient.exe
  C:\Users\Admin\AppData\Local\Temp\GetGoWIClient.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Users\Admin\AppData\Local\Temp\GetGo Download Manager.exe
    "C:\Users\Admin\AppData\Local\Temp\GetGo Download Manager.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cancel_D.jpg

Filesize
1KB

MD5
5ba37131ef857b73b5c96974f48b19b6

SHA1
144b6773ca268ef3c4b244e6869378e89d92d1e6

SHA256
603fc391e5d1ab42cd5f90f97387c5f826884b4ae172d2440211ce9cb97bed86

SHA512
2abcf072f63755ee1ae0e45d44a1d210ca6e03d6fab9127dc3ac89a349f579a322e20dd1173fe4c24d9a7000215248b8021a393f7075aba6b74904cd68eb2dd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cancel_H.jpg

Filesize
1KB

MD5
435e6ac835b79a7605a41170b6edb4fe

SHA1
0b9c06cc9cb6dcbdb81f74a8fdb8e45a942f6590

SHA256
50cb841c6b29c908b918e776cf06f958fd3786c4d0263a75a3d88f367a415ed0

SHA512
2ed313d0dc2f3ac14e41049c096e43e79ead41ff4bd5e5b3d6e8855db9ccc754fe5c9981f0322849cffa8fc1a320ed3e527ee68632aaafe692038c2a5f7ad83b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cancel_N.jpg

Filesize
1KB

MD5
edaab1e4e632fec8ec1c5ca10ee2999b

SHA1
5d5ae7d2ea7050e1e59dd0e4c8cb8354f8e111c9

SHA256
1a29fa4258e422ec0bcd61f717f576fcbfa0ed8aa8da68ae3e5e858e2b74f915

SHA512
4b2c7a4df4ddaa3256b8217839ec17acb031772ccb87cb5163689a6c5be63ea08ed40f950ba53a9dadc09346ac861164a5bb1685f79978d5ddd4dc1e8025bfbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\CheckD.jpg

Filesize
882B

MD5
641fece5fca722326fafecc9b4c4ac9f

SHA1
1c70afba5278264122006fe90d23bb661b62ff81

SHA256
ce2fb82b4c8764966b2ffcaa55aff40d9348c17730eda1cec8c671db786d9775

SHA512
141e7ea455738ecb6930e7c0c40f443e0e593b7dcbd2e8cccdeaa8753c6eaa02dc0261683220d5101722543674aed393bf0ed1220c6e3a11a728c2f4cb587969

Download Submit
C:\Users\Admin\AppData\Local\Temp\Close_H.jpg

Filesize
969B

MD5
bfe21fe40e26676e101c4452df80aa4e

SHA1
3a3c8a9050ad940dfb3aa8029371ef5196397d2e

SHA256
262620de5619ab5000bb248c47001ae6daa117d5d26d3bd0743d35798bcf6f16

SHA512
dad4ec8f89b1936b4c9c4c16eef527ead061fcf653cb3eaa88a2e6fc240872e1f95b66491aa1c967f3e1406f39b5c321d9fd4ab5c7dd0bba3468b41a58c721cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Close_N.jpg

Filesize
965B

MD5
3108beb9806d74cae4f0f43f9539beee

SHA1
24f31ba6779e1bdfdaf80413dd77d6122a10a838

SHA256
68b82c4d13aa96c19342fe36c118fa2c94a813a49b8d5915fb4253230afa082d

SHA512
9358f752fd53dd5d2b5970defd43d3c36f238dce1f79388e69d9fb37bff7c3b00bff538aef9dbb5e72171592da0831048787cb25e138b3a95eaa28e688f4b337

Download Submit
C:\Users\Admin\AppData\Local\Temp\GetGoWebInstaller.xml

Filesize
2KB

MD5
c6a71d2a5027b3585bc79f2f0988af0a

SHA1
e33059c3f8feec22c443e38c5e0dde5ed334503f

SHA256
55a3531de1213474ea73b1b9e45dde783d05c8f948057ed4b5a2b590742132da

SHA512
5101f460f32ede2f2e2e924d0ca0c1cedecc33c3f1b1a4dc15fd76217b9c1d495c63b6b42d2f4a5b986d349db60488473cd1c8af8f6cf8b95adb51e9a9c24b9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\GetGoWebInstallerString.ini

Filesize
2KB

MD5
c4d265ce2577f49e9d9d28db6370ac6d

SHA1
71866f579d6ba26f488ee6761b29577725582fa1

SHA256
d3d08c8f634bbfc68f418eb85ec19d7092cbe3e5a0246445d50835b344c27fce

SHA512
19e9d1a1c62d3f3f780dbbe492233b3e1ab6e19293f02155ca9fd32766558fb226296f7238e9626408aa7a81cb7e563ca901480b150e76080c5f57294a95d16f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MainWndBkg.jpg

Filesize
51KB

MD5
4c87798f5288521e51a1b25419897f5d

SHA1
81bf149608d57457472bc6d8b18efb6271698420

SHA256
9bd5b11d5353950338a5566120123821b6c756f682078b21421826dd851ddd60

SHA512
bedbd54045123868aa850fc03d5fc76c47c666be35c97943b0d90cfd41bdd4e84c18b661fbdfbf7cd4d6ad245e3f3fb466b9271de473628acae5f5621000a37c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Min_H.jpg

Filesize
843B

MD5
841f5cc38c501878915b873f6f6eb1af

SHA1
8735867741a300d037c8360bd02e3fd338a619d8

SHA256
8641fbe5c60480bf22541c7478f483b89ee655bcc2190f5c270fcc436fa9606b

SHA512
c90c13cb61105b90a7f5e932907a7563b8e649e9362a71541bc9dd887ee553a03cea188f20a593def6ef49602f7cf936d6c20e1ddb69a0cdaba087b231936b8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Min_N.jpg

Filesize
747B

MD5
38ad1e24897436fedaebdcb25c2b5bb8

SHA1
ea87f8bf916ca84953eb16ae3d5898212faba367

SHA256
1067c0de3d7e44141ff69e4d5d362276e198bb1f6f6abb8a01421c37b5c2fb08

SHA512
4a691a8838b007500b017278dfedb44b900c93cf9bbd80fe92711919199d4805340a36e11498118fcf8562249d75ab68fa5a27faaab7a7fb0ac62d4958a55623

Download Submit
C:\Users\Admin\AppData\Local\Temp\StatusBkg.jpg

Filesize
1KB

MD5
cf3b67a1cc45d9d414371d4a610aa628

SHA1
c432c8705f20e91fbe918c4731a223df6da1f942

SHA256
13b703a6440319512d7c6177709773020811252e1383102085cad3660255892d

SHA512
d373d9bddd3f9cd58e61ae302fc55c5e7dfc532220d35ba83e630c99075d26bfdfb686bc1fb7b47087009ec383d3f5d721f6642b66774708ac4c65beb7b9ad6a

Download Submit
\Users\Admin\AppData\Local\Temp\GetGo Download Manager.exe

Filesize
4.7MB

MD5
cf3a289d668f965214e31797daac45bb

SHA1
06ed421cb895d294ecc0ad55dcda5718f3eccc92

SHA256
ad64fa0d426a895455755c76f3f8898bb5dea2bb13e9e65b9989b32d8fb3b05e

SHA512
8744efec82bf7beb92fd4acf3726bddde518929096ced0ae1328cc589623ca1ee7758b44ecee4678434072ba216b33f9528131501aa13b1452b6d340037f34db

Download Submit
\Users\Admin\AppData\Local\Temp\GetGoWIClient.exe

Filesize
2.3MB

MD5
fde1847d72ceccceea496380cd878b4c

SHA1
63defcfc407ec98a304ff0bdcb59bd592cb8bdc6

SHA256
b39ecd94f3e37e4c85471f40690c4570cdc8b8d317dfff8e596b3b352a7a5730

SHA512
1cd5c67ea0411d80069906116b0589645aa33f9824489c10d89509693534998c29a4b6ad556c64c3eade99a72a6ed7ecd0d64dd896bdc7cc7414af4dc151d3c9

Download Submit
\Users\Admin\AppData\Local\Temp\nso9262.tmp\AdvSplash.dll

Filesize
6KB

MD5
13cc92f90a299f5b2b2f795d0d2e47dc

SHA1
aa69ead8520876d232c6ed96021a4825e79f542f

SHA256
eb1ca2b3a6e564c32677d0cdc388e26b74ef686e071d7dbca44d0bfa10488feb

SHA512
ff4e6e6e7104568fc85ef3a3f0494a5c7822a4ceaf65c584ad534f08f9a472a8d86f0a62f1f86343c61e2540b2254714b7ea43e4b312ff13d8271ff069386fa3

Download Submit
\Users\Admin\AppData\Local\Temp\nso9262.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nso9262.tmp\nsDialogs.dll

Filesize
9KB

MD5
c10e04dd4ad4277d5adc951bb331c777

SHA1
b1e30808198a3ae6d6d1cca62df8893dc2a7ad43

SHA256
e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a

SHA512
853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

Download Submit