ca7d1365e934b3bd122ab8b0dbd24ef5e0c52471cfca15921555fc6b244e9ab6

Resubmissions

09/08/2024, 13:08

240809-qddpwavcqf 4

09/08/2024, 13:04

240809-qa6w9a1bqr 4

09/08/2024, 13:01

240809-p88m3a1bnk 4

Analysis

max time kernel
63s
max time network
64s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
09/08/2024, 13:01

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Core-Temp-setup-v1.18.1.0.exe
Size

1.2MB
MD5

176642114ee7a82e0486bf5fac5777c0
SHA1

f4329a1afc37f143ba1d39d9670ca4b1acd61c23
SHA256

ca7d1365e934b3bd122ab8b0dbd24ef5e0c52471cfca15921555fc6b244e9ab6
SHA512

dab12f11066bad3dcb2d6dfe599cdeab135ec8a69ba42fe157bf887c2c9ffea5615ac3661f5e011fb0ebf396930c9be84b1ee7987056189d0457f7a053a7a5dd
SSDEEP

24576:686STfiCBXodcnZ+EshXP0QoZI0HGLeA8X2x/Us6oqK91BoQ9uZUR+zZdBq:oKBT+T0DA8XtnSpV9u1y

Score

4^/10

discovery

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files\Core Temp\is-ILF8C.tmp	Core-Temp-setup-v1.18.1.0.tmp
File opened for modification	C:\Program Files\Core Temp\unins000.dat	Core-Temp-setup-v1.18.1.0.tmp
File created	C:\Program Files\Core Temp\CoreTemp.ini	Core Temp.exe
File opened for modification	C:\Program Files\Core Temp\CoreTemp.ini	Core Temp.exe
File created	C:\Program Files\Core Temp\unins000.dat	Core-Temp-setup-v1.18.1.0.tmp
File created	C:\Program Files\Core Temp\is-C4VEO.tmp	Core-Temp-setup-v1.18.1.0.tmp
File created	C:\Program Files\Core Temp\is-0OFC6.tmp	Core-Temp-setup-v1.18.1.0.tmp
File created	C:\Program Files\Core Temp\is-LARHM.tmp	Core-Temp-setup-v1.18.1.0.tmp
File opened for modification	C:\Program Files\Core Temp\CoreTemp.ini	Core Temp.exe
File opened for modification	C:\Program Files\Core Temp\CoreTemp.ini	Core Temp.exe
File opened for modification	C:\Program Files\Core Temp\Core Temp.exe	Core-Temp-setup-v1.18.1.0.tmp
File created	C:\Program Files\Core Temp\is-RNC22.tmp	Core-Temp-setup-v1.18.1.0.tmp

Executes dropped EXE 4 IoCs

pid	Process
2472	Core-Temp-setup-v1.18.1.0.tmp
1028	Core Temp.exe
756	Core Temp.exe
4300	Core Temp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Core-Temp-setup-v1.18.1.0.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Core-Temp-setup-v1.18.1.0.exe

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "14"	LogonUI.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2842058299-443432012-2465494467-1000_Classes\Local Settings	Core-Temp-setup-v1.18.1.0.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2472	Core-Temp-setup-v1.18.1.0.tmp
2472	Core-Temp-setup-v1.18.1.0.tmp

Suspicious behavior: LoadsDriver 64 IoCs

pid	Process
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found
660	Process not Found

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2472	Core-Temp-setup-v1.18.1.0.tmp

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
756	Core Temp.exe
4300	Core Temp.exe
5016	LogonUI.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3540 wrote to memory of 2472	3540	Core-Temp-setup-v1.18.1.0.exe	81
PID 3540 wrote to memory of 2472	3540	Core-Temp-setup-v1.18.1.0.exe	81
PID 3540 wrote to memory of 2472	3540	Core-Temp-setup-v1.18.1.0.exe	81
PID 2472 wrote to memory of 1616	2472	Core-Temp-setup-v1.18.1.0.tmp	85
PID 2472 wrote to memory of 1616	2472	Core-Temp-setup-v1.18.1.0.tmp	85
PID 2472 wrote to memory of 1616	2472	Core-Temp-setup-v1.18.1.0.tmp	85
PID 2472 wrote to memory of 1028	2472	Core-Temp-setup-v1.18.1.0.tmp	86
PID 2472 wrote to memory of 1028	2472	Core-Temp-setup-v1.18.1.0.tmp	86

C:\Users\Admin\AppData\Local\Temp\Core-Temp-setup-v1.18.1.0.exe
"C:\Users\Admin\AppData\Local\Temp\Core-Temp-setup-v1.18.1.0.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3540
- C:\Users\Admin\AppData\Local\Temp\is-QJRF1.tmp\Core-Temp-setup-v1.18.1.0.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-QJRF1.tmp\Core-Temp-setup-v1.18.1.0.tmp" /SL5="$80250,868100,121344,C:\Users\Admin\AppData\Local\Temp\Core-Temp-setup-v1.18.1.0.exe"
  2⤵
  - Drops file in Program Files directory
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\Core Temp\Readme.txt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1616
- - C:\Program Files\Core Temp\Core Temp.exe
    "C:\Program Files\Core Temp\Core Temp.exe"
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    PID:1028

C:\Program Files\Core Temp\Core Temp.exe
"C:\Program Files\Core Temp\Core Temp.exe"
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:756

C:\Program Files\Core Temp\Core Temp.exe
"C:\Program Files\Core Temp\Core Temp.exe"
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4300

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a1a055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Core Temp\Core Temp.exe

Filesize
1015KB

MD5
005727aa95c9f4899ea7673b114d91de

SHA1
ad96a46fe68428dc293db99b53a0593b6bc1d786

SHA256
26259a6f290a799eeb1c7c9b311e528c77e458582f9396d4dfc1c69dd2ad6891

SHA512
9e0dbb00b37e957114b7d74663600e041cad88d1940f4f3489e7eb7c347e51e8ede97ef054f5614f32facb5c6364b724a7781fb9047f190614718e8325952577

Download Submit
C:\Program Files\Core Temp\CoreTemp.ini

Filesize
1KB

MD5
94b56e0809f8b30af3aaae2a68f498b3

SHA1
a37a100fe91c0d9731f325994778d7c7c033451c

SHA256
23f972f8ab3952b2f891a41bd2d151d97016ca7bc9c78df30b1ab376211c66ec

SHA512
99f7142431b98bb09eb57db3437c0fa0ee75817de9c24eb294ce53ff1cd526d96ddf8c3d12d8ed524d9676cc90098c7565004468d205e9cd0d06aaa52c748ca0

Download Submit
C:\Program Files\Core Temp\Readme.txt

Filesize
3KB

MD5
9ab877751224d96448876f7ecf15559f

SHA1
59c910d91a64b2eee54997dc3fc54d8905b7748d

SHA256
abb84cf36bd0e8f39248f5477ca0d427da9b7e3c10b6666254b98d6e06b40e7b

SHA512
5c0684c21d7bb5500f9a1ed44b73b4e48755e5c7eaeebb8fa369a5fd6df2b21db127a76199598b3061a997919a7917116004190f6f0f7bceb5590e0a82baee78

Download Submit
C:\Users\Admin\AppData\Local\Temp\ALSysIO64.sys

Filesize
42KB

MD5
d9aafc513be1c4c57b9f9827e986039c

SHA1
2c688a6e881d35df958cb8ff2e2bd8e21b8461bc

SHA256
7a20ca8f9361eb892257b3693095ffeee61457dc4e22d9b119e3a9f3a1507069

SHA512
200a3df1ad0a18f5547e2f595f412f96d76040fa16de4720f76b305178a2bf9c944d31b5928dc2333d99a72fd617762e87885aa7e56719ccba2e7e593450f6fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QJRF1.tmp\Core-Temp-setup-v1.18.1.0.tmp

Filesize
1.1MB

MD5
34acc2bdb45a9c436181426828c4cb49

SHA1
5adaa1ac822e6128b8d4b59a54d19901880452ae

SHA256
9c81817acd4982632d8c7f1df3898fca1477577738184265d735f49fc5480f07

SHA512
134ff4022571efd46f7a62e99b857ebe834e9916c786345908010f9e1fb90be226b740ddee16ae9290fe45c86be7238c4555e422abe66a461d11545e19734beb

Download Submit
memory/2472-6-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2472-9-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2472-34-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/2472-55-0x0000000000400000-0x000000000052E000-memory.dmp

Filesize
1.2MB

Download
memory/3540-8-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3540-2-0x0000000000401000-0x0000000000412000-memory.dmp

Filesize
68KB

Download
memory/3540-1-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3540-56-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download