a65b33e1d570e7d8685b6ec02d50b5f0f9eadd77b35f54a400cb5f077f36223b

Analysis

max time kernel
592s
max time network
445s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/08/2024, 13:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

SetupExitLag-5.7.4-x64.exe
Size

72.9MB
MD5

4253af8c7a5590a7a61b0bdb83e6ccfc
SHA1

9aa2ceb1f9a564bd586f920eba42eeea41ec7e12
SHA256

a65b33e1d570e7d8685b6ec02d50b5f0f9eadd77b35f54a400cb5f077f36223b
SHA512

b946ecdb78a1bd4ca817686989f2df58d9e5ddb022a56b7c8527c07a3479cb22551014889116ee6e91e517a5904adb3cbe103708fb83c650f60a1aa43504b3fa
SSDEEP

1572864:XDe4sp/3BWCJkCu+WsD8aBApHOAAwewQDtRfKyE:XD0RJ9ul8ApZeRtRf/E

Score

4^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2024	SetupExitLag-5.7.4-x64.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SetupExitLag-5.7.4-x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SetupExitLag-5.7.4-x64.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2640 wrote to memory of 2024	2640	SetupExitLag-5.7.4-x64.exe	87
PID 2640 wrote to memory of 2024	2640	SetupExitLag-5.7.4-x64.exe	87
PID 2640 wrote to memory of 2024	2640	SetupExitLag-5.7.4-x64.exe	87

C:\Users\Admin\AppData\Local\Temp\SetupExitLag-5.7.4-x64.exe
"C:\Users\Admin\AppData\Local\Temp\SetupExitLag-5.7.4-x64.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Users\Admin\AppData\Local\Temp\is-82CBM.tmp\SetupExitLag-5.7.4-x64.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-82CBM.tmp\SetupExitLag-5.7.4-x64.tmp" /SL5="$D003E,75552511,799744,C:\Users\Admin\AppData\Local\Temp\SetupExitLag-5.7.4-x64.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-82CBM.tmp\SetupExitLag-5.7.4-x64.tmp

Filesize
3.0MB

MD5
4c8bed9ac667b64fa434ccd16a3a0828

SHA1
26ab6e26ef108dd25844b8d523dab36aa8046634

SHA256
864fb02a9635476c8a31e3e57fdfe01380b9cce006fb07f4e7f438455178e4c2

SHA512
0bdbfc49dcf18ae91f3caf9b65f1e870d2a0f1d4d34b80a3238e530d400f74e67c45b9ddb8fa1bf3eb0640da4f62113b5388ee3f47e11ea16d8bfb45524a92a5

Download Submit
memory/2024-6-0x0000000000400000-0x000000000070C000-memory.dmp

Filesize
3.0MB

Download
memory/2024-9-0x0000000000400000-0x000000000070C000-memory.dmp

Filesize
3.0MB

Download
memory/2640-1-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/2640-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/2640-8-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download