a95cfd1c0c0d981b5b41e486e6481e24839fa665c8c2c8c61a5e7512d1a47f5d

Analysis

max time kernel
142s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/08/2024, 06:05

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

phpdesigner2007_setup.exe
Size

17.3MB
MD5

ff5b1275e8322ce3a5004ada4a6820b7
SHA1

aff52c0032bb46f43f7eb12adeb6429e3187068d
SHA256

844a9b0a750f76ca23db308519a8034df869474ad2256837548b2b93cc7afa4a
SHA512

2267b337e0f27475dd7e23efaffe88c942d142ce86f6afcd31a656dd7b89911218cb4c612d49288ff6b2b7f5975195f7e2a3a268756d5676dfd8b933c6b804fc
SSDEEP

393216:aCVLLNcEXemCI+zYK+Ck2WDotH/XiW02Ew0euzj9CtFg8e:aCVPNcvIa+Ck8tfX2njIt8

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3580	is-LCA1V.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	phpdesigner2007_setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	is-LCA1V.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4640 wrote to memory of 3580	4640	phpdesigner2007_setup.exe	85
PID 4640 wrote to memory of 3580	4640	phpdesigner2007_setup.exe	85
PID 4640 wrote to memory of 3580	4640	phpdesigner2007_setup.exe	85

C:\Users\Admin\AppData\Local\Temp\phpdesigner2007_setup.exe
"C:\Users\Admin\AppData\Local\Temp\phpdesigner2007_setup.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4640
- C:\Users\Admin\AppData\Local\Temp\is-5JS3I.tmp\is-LCA1V.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-5JS3I.tmp\is-LCA1V.tmp" /SL4 $701D8 "C:\Users\Admin\AppData\Local\Temp\phpdesigner2007_setup.exe" 17866375 52736
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-5JS3I.tmp\is-LCA1V.tmp

Filesize
658KB

MD5
f627721a34c13a5307779a498e8f6519

SHA1
9e54ec07e780eb1ccbbd61bb1a24238e46c01e18

SHA256
13c6a795a259a9731d5c00f35e6eeeeae840423d3e1783fd6c75509a3b7cb348

SHA512
c2dc88b441539b8827f0ef2a4c6b404cebaa5452d884d0174a2447347a462552f47a9d6521ecfa660cd9f0e0771fc192438865dcda305ab373c6f9a0c694aecc

Download Submit
memory/3580-8-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/3580-14-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/4640-0-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/4640-2-0x0000000000401000-0x000000000040A000-memory.dmp

Filesize
36KB

Download
memory/4640-13-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download