238bb5eac0449a8a05b28ce605cd638f1e70ff843b99c2453e36b451d6ffb218

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
10-08-2024 06:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Diva-146-Winstaller.exe
Size

33.0MB
MD5

908bd2a2b3f9db23de9e89c80bf90cea
SHA1

401287aa321e8b8ac0510aecf0edf09287ae0f5d
SHA256

238bb5eac0449a8a05b28ce605cd638f1e70ff843b99c2453e36b451d6ffb218
SHA512

c15f917ef97e04af7007b4c0fe1a6fbfaa7d5fe6003496b7ab00cd90349fcf68567a8f131936972e144e7617a9ccadeb5dfab8bb2241b2403c0ea70e87e02227
SSDEEP

786432:Sv1ejxhKdRKMWytYl9KA0JdZJf6mjZWgdb:1XElNte9KA0TZZ6MZWgdb

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2320	Diva-146-Winstaller.tmp

Loads dropped DLL 3 IoCs

pid	Process
2200	Diva-146-Winstaller.exe
2320	Diva-146-Winstaller.tmp
2320	Diva-146-Winstaller.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Diva-146-Winstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Diva-146-Winstaller.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2320	Diva-146-Winstaller.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 2320	2200	Diva-146-Winstaller.exe	30
PID 2200 wrote to memory of 2320	2200	Diva-146-Winstaller.exe	30
PID 2200 wrote to memory of 2320	2200	Diva-146-Winstaller.exe	30
PID 2200 wrote to memory of 2320	2200	Diva-146-Winstaller.exe	30
PID 2200 wrote to memory of 2320	2200	Diva-146-Winstaller.exe	30
PID 2200 wrote to memory of 2320	2200	Diva-146-Winstaller.exe	30
PID 2200 wrote to memory of 2320	2200	Diva-146-Winstaller.exe	30

C:\Users\Admin\AppData\Local\Temp\Diva-146-Winstaller.exe
"C:\Users\Admin\AppData\Local\Temp\Diva-146-Winstaller.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Users\Admin\AppData\Local\Temp\is-RAGHD.tmp\Diva-146-Winstaller.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-RAGHD.tmp\Diva-146-Winstaller.tmp" /SL5="$D0150,33516112,899072,C:\Users\Admin\AppData\Local\Temp\Diva-146-Winstaller.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-KKE1N.tmp\Diva.dll

Filesize
12.4MB

MD5
238014c960d0f7f361f6d7bdc7172089

SHA1
db7bf0d2f183c05788dfa997c86ec313fd53cca6

SHA256
c35917aae56899f570aa9495b596df85a39b477839bcee4e8794a5e4052457bf

SHA512
a55c407b3ca644a458177df074729add6022457521acc4320e0b078244864f483d82d1b76721db8534b94eebfcab27252ac23119535d086f23a83bc6bfcf04ff

Download Submit
\Users\Admin\AppData\Local\Temp\is-KKE1N.tmp\SetupUtils.dll

Filesize
81KB

MD5
48557473e909c3bd449175c7e23f54e9

SHA1
49e395bc501943a742aed2698dd1883729e6065c

SHA256
87497c9871aa474fcd9faee86f806d7294764d084c110da00e087b5bf38ce438

SHA512
ec3c99f0fa0cd81aaa3cf8450742c26e31c40f3a22c7d5ba64f097ad469255bef6b31ae6e7207c8876c726fe3757902ca8d7094c9b19c432eb269ebc5397904a

Download Submit
\Users\Admin\AppData\Local\Temp\is-RAGHD.tmp\Diva-146-Winstaller.tmp

Filesize
3.1MB

MD5
94886ca6658b3a1acf424f622f40aaca

SHA1
3b04ffb6f21391cd09c171a46df1449ed5aa2fdc

SHA256
6d2c509c0364b5f92829e4610a5f8f5f8a1ee1e4fffaa93ae41a370839adaddd

SHA512
a2b9fcbd63ec2047ccb34248c3bc7e9a71efd711d1dc5f3bfc745c82194e86fc74def015904525245dd435567811b8294fbda25be5dd493d99a008b03cce3e42

Download Submit
memory/2200-0-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2200-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/2200-18-0x0000000000400000-0x00000000004E9000-memory.dmp

Filesize
932KB

Download
memory/2320-8-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/2320-16-0x00000000037F0000-0x000000000380E000-memory.dmp

Filesize
120KB

Download
memory/2320-20-0x00000000037F0000-0x000000000380E000-memory.dmp

Filesize
120KB

Download
memory/2320-19-0x0000000000400000-0x0000000000724000-memory.dmp

Filesize
3.1MB

Download
memory/2320-26-0x00000000037F0000-0x000000000380E000-memory.dmp

Filesize
120KB

Download