00be613215d7a969e291b7f1a50b3c67faba732e9e5e3e66bd5856f79d970693

Analysis

max time kernel
142s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10/08/2024, 11:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PowerTCP_Server_ActiveX_Trial.exe
Size

4.0MB
MD5

963645e1e85aa8cb7947fea49bdf7d54
SHA1

7d220c6b33ca0d96bb687824eaeb5e05c6b40066
SHA256

f4eae00462100cca565ea5280ddec2fb3f4a580d6a94ad8c8126b3fae208ac52
SHA512

b2f9423ac77362bb8c276b867d85ef7fc628d44b6a393f97ea65d3eeb0bda436019c952d9396716d01ce6e5ecabacede7a891c2fe08561718d2c3a7fe76abde2
SSDEEP

98304:LQ8qB8H3xSQLb3cbsB/lZh2pXyQ3svNDiKBNHQEiSD3F7x8j4H:LQZBQSQLb3c4B/52pXB3spi8FaUH

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3640	GLB883B.tmp

Loads dropped DLL 5 IoCs

pid	Process
3640	GLB883B.tmp
3640	GLB883B.tmp
3640	GLB883B.tmp
3640	GLB883B.tmp
3640	GLB883B.tmp

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\GLBSINST.%$D	GLB883B.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PowerTCP_Server_ActiveX_Trial.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GLB883B.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1912 wrote to memory of 3640	1912	PowerTCP_Server_ActiveX_Trial.exe	84
PID 1912 wrote to memory of 3640	1912	PowerTCP_Server_ActiveX_Trial.exe	84
PID 1912 wrote to memory of 3640	1912	PowerTCP_Server_ActiveX_Trial.exe	84

C:\Users\Admin\AppData\Local\Temp\PowerTCP_Server_ActiveX_Trial.exe
"C:\Users\Admin\AppData\Local\Temp\PowerTCP_Server_ActiveX_Trial.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Users\Admin\AppData\Local\Temp\GLB883B.tmp
  C:\Users\Admin\AppData\Local\Temp\GLB883B.tmp 4736 C:\Users\Admin\AppData\Local\Temp\POWERT~1.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:3640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GLB883B.tmp

Filesize
70KB

MD5
13746e1c94ef9c45ac53ebf543758ed9

SHA1
c9db7b17969f2c73fcc8967299558b37460440f2

SHA256
18597a7735ee61f08dd128ac9358690be620e4ece33492d6edd18ee2ebddf9c8

SHA512
8ec9503d384c5de1a18f95515ff7964f789ae686383d72d5ad47b6734df9f219ae9dd746f790097a4b06d8720b932fabac8edb3ea5f6d67a98575981869e731c

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLC88D7.tmp

Filesize
150KB

MD5
f3b9bfed127ffc97f63cd8c7ce8bc1a9

SHA1
468425842e3a29a4de6adb03652f02fdafd9fc82

SHA256
9acc324586a37cfa6f862439cfea45acd1378b4880b831cf5cca71389e0c5582

SHA512
671828ffce8660e3326f63f4e6a80941bbacfaa13ded2d58e6ffeacf9501ee66683b70fa4a100bfe7d24aea6fee8c3eda0e9a6c5ecdd792f6febb1981be030ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLF9494.tmp

Filesize
9KB

MD5
0ce392cdcf8714d0b32cb619d8eb5fb1

SHA1
d26f89db5b09c2c990ebc9e8314af7f510299189

SHA256
5f1957ed9d0632ef3225709584ea44d001d579cbcb5ea7ba87384c16fdd18604

SHA512
08039808cfe58643ba732869e98979455663618b436a2fed134c1ca937365ddce0d5b40258a257783ab32a800a1667cc88118d49dc9ff52d59de0fccc6d498dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLK8AEC.tmp

Filesize
44KB

MD5
03a537a2be784dbb334a559347587a8d

SHA1
2bc6ac78a7928468584b38c49fc8191cdf7cd7b8

SHA256
791cbaf92b019d23967483cf97ae1b261754ba1d18ada81d01c50f4dc1e97ac5

SHA512
527eb7bd1ba88dd5c59c65e65a4485cf5524c64c011afad17c81faacab9b9aed32fc25da8fb54582ff828f788e43303b846fb236a3b97f8c29a977b23c154037

Download Submit