9cc115b0e4a690b1d82a0e4ada34defb19c1bd246a45ba56295a3fbde0abe158

Analysis

max time kernel
144s
max time network
147s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
13/08/2024, 16:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GSClient_Setup_CS_1_6.exe
Size

263.1MB
MD5

c7067a7d7a096da7f12c5b0577ce1eda
SHA1

1c989db53e9a3e6c38e4a4d44a8dd572f6a31e5d
SHA256

9cc115b0e4a690b1d82a0e4ada34defb19c1bd246a45ba56295a3fbde0abe158
SHA512

f64b6f53386abd4455d9df2db49ecf980f9358c3ad0b79cc553e66404421d98f23d28272c2275362ad95fe84b0ef6389be0dcff575f8497bcb63feb3bf0b5823
SSDEEP

6291456:7UMXs+AiZ+VZXO+R/juaKFG3CX6whYIHxZJPN7kkI8u:QCGzO+R7wG3CKwhpxNIRL

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1096	GSClient_Setup_CS_1_6.tmp

Loads dropped DLL 2 IoCs

pid	Process
2444	GSClient_Setup_CS_1_6.exe
1096	GSClient_Setup_CS_1_6.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GSClient_Setup_CS_1_6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GSClient_Setup_CS_1_6.tmp

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
1096	GSClient_Setup_CS_1_6.tmp
1096	GSClient_Setup_CS_1_6.tmp
1096	GSClient_Setup_CS_1_6.tmp
1096	GSClient_Setup_CS_1_6.tmp
1096	GSClient_Setup_CS_1_6.tmp
1096	GSClient_Setup_CS_1_6.tmp
1096	GSClient_Setup_CS_1_6.tmp
1096	GSClient_Setup_CS_1_6.tmp
1096	GSClient_Setup_CS_1_6.tmp
1096	GSClient_Setup_CS_1_6.tmp
1096	GSClient_Setup_CS_1_6.tmp
1096	GSClient_Setup_CS_1_6.tmp
1096	GSClient_Setup_CS_1_6.tmp

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1096	GSClient_Setup_CS_1_6.tmp
1096	GSClient_Setup_CS_1_6.tmp
1096	GSClient_Setup_CS_1_6.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2444 wrote to memory of 1096	2444	GSClient_Setup_CS_1_6.exe	30
PID 2444 wrote to memory of 1096	2444	GSClient_Setup_CS_1_6.exe	30
PID 2444 wrote to memory of 1096	2444	GSClient_Setup_CS_1_6.exe	30
PID 2444 wrote to memory of 1096	2444	GSClient_Setup_CS_1_6.exe	30
PID 2444 wrote to memory of 1096	2444	GSClient_Setup_CS_1_6.exe	30
PID 2444 wrote to memory of 1096	2444	GSClient_Setup_CS_1_6.exe	30
PID 2444 wrote to memory of 1096	2444	GSClient_Setup_CS_1_6.exe	30

C:\Users\Admin\AppData\Local\Temp\GSClient_Setup_CS_1_6.exe
"C:\Users\Admin\AppData\Local\Temp\GSClient_Setup_CS_1_6.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Users\Admin\AppData\Local\Temp\is-D70P2.tmp\GSClient_Setup_CS_1_6.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-D70P2.tmp\GSClient_Setup_CS_1_6.tmp" /SL5="$400EC,275247376,249344,C:\Users\Admin\AppData\Local\Temp\GSClient_Setup_CS_1_6.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-D70P2.tmp\GSClient_Setup_CS_1_6.tmp

Filesize
1.2MB

MD5
8e42b787972ceab134ed881797801a4c

SHA1
5bf3a7e93ff12fde20dfef9d2669e48f46afc955

SHA256
b0ccd219bf17a4e3f489f9cdacfcf7db1bed5680952e552b050b89ed62032d7c

SHA512
296ff18c493a9c070ca19965003481b01dae6bd8227f3b36d296540f6a710c5d094f9f0f5df79291be1382d862ebc99d5f982c4a7f210b2e789ef9396dc8bfdb

Download Submit
\Users\Admin\AppData\Local\Temp\is-NT927.tmp\VclStylesInno.dll

Filesize
3.0MB

MD5
b0ca93ceb050a2feff0b19e65072bbb5

SHA1
7ebbbbe2d2acd8fd516f824338d254a33b69f08d

SHA256
0e93313f42084d804b9ac4be53d844e549cfcaf19e6f276a3b0f82f01b9b2246

SHA512
37242423e62af30179906660c6dbbadca3dc2ba9e562f84315a69f3114765bc08e88321632843dbd78ba1728f8d1ce54a4edfa3b96a9d13e540aee895ae2d8e2

Download Submit
memory/1096-37-0x0000000003390000-0x00000000034D0000-memory.dmp

Filesize
1.2MB

Download
memory/1096-34-0x0000000003390000-0x00000000034D0000-memory.dmp

Filesize
1.2MB

Download
memory/1096-52-0x0000000003390000-0x00000000034D0000-memory.dmp

Filesize
1.2MB

Download
memory/1096-67-0x0000000003390000-0x00000000034D0000-memory.dmp

Filesize
1.2MB

Download
memory/1096-73-0x0000000003390000-0x00000000034D0000-memory.dmp

Filesize
1.2MB

Download
memory/1096-72-0x0000000003390000-0x00000000034D0000-memory.dmp

Filesize
1.2MB

Download
memory/1096-71-0x0000000003510000-0x0000000003511000-memory.dmp

Filesize
4KB

Download
memory/1096-70-0x0000000003390000-0x00000000034D0000-memory.dmp

Filesize
1.2MB

Download
memory/1096-69-0x0000000003390000-0x00000000034D0000-memory.dmp

Filesize
1.2MB

Download
memory/1096-33-0x0000000003390000-0x00000000034D0000-memory.dmp

Filesize
1.2MB

Download
memory/1096-66-0x0000000003390000-0x00000000034D0000-memory.dmp

Filesize
1.2MB

Download
memory/1096-65-0x00000000034F0000-0x00000000034F1000-memory.dmp

Filesize
4KB

Download
memory/1096-64-0x0000000003390000-0x00000000034D0000-memory.dmp

Filesize
1.2MB

Download
memory/1096-63-0x0000000003390000-0x00000000034D0000-memory.dmp

Filesize
1.2MB

Download
memory/1096-62-0x00000000034E0000-0x00000000034E1000-memory.dmp

Filesize
4KB

Download
memory/1096-61-0x0000000003390000-0x00000000034D0000-memory.dmp

Filesize
1.2MB

Download
memory/1096-60-0x0000000003390000-0x00000000034D0000-memory.dmp

Filesize
1.2MB

Download
memory/1096-59-0x00000000034D0000-0x00000000034D1000-memory.dmp

Filesize
4KB

Download
memory/1096-58-0x0000000003390000-0x00000000034D0000-memory.dmp

Filesize
1.2MB

Download
memory/1096-57-0x0000000003390000-0x00000000034D0000-memory.dmp

Filesize
1.2MB

Download
memory/1096-56-0x0000000003370000-0x0000000003371000-memory.dmp

Filesize
4KB

Download
memory/1096-55-0x0000000003390000-0x00000000034D0000-memory.dmp

Filesize
1.2MB

Download
memory/1096-54-0x0000000003390000-0x00000000034D0000-memory.dmp

Filesize
1.2MB

Download
memory/1096-53-0x0000000003360000-0x0000000003361000-memory.dmp

Filesize
4KB

Download
memory/1096-51-0x0000000003390000-0x00000000034D0000-memory.dmp

Filesize
1.2MB

Download
memory/1096-50-0x0000000003350000-0x0000000003351000-memory.dmp

Filesize
4KB

Download
memory/1096-48-0x0000000003390000-0x00000000034D0000-memory.dmp

Filesize
1.2MB

Download
memory/1096-47-0x0000000003340000-0x0000000003341000-memory.dmp

Filesize
4KB

Download
memory/1096-46-0x0000000003390000-0x00000000034D0000-memory.dmp

Filesize
1.2MB

Download
memory/1096-43-0x0000000003390000-0x00000000034D0000-memory.dmp

Filesize
1.2MB

Download
memory/1096-42-0x0000000003390000-0x00000000034D0000-memory.dmp

Filesize
1.2MB

Download
memory/1096-41-0x0000000003320000-0x0000000003321000-memory.dmp

Filesize
4KB

Download
memory/1096-39-0x0000000003390000-0x00000000034D0000-memory.dmp

Filesize
1.2MB

Download
memory/1096-38-0x0000000003310000-0x0000000003311000-memory.dmp

Filesize
4KB

Download
memory/1096-8-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/1096-36-0x0000000003390000-0x00000000034D0000-memory.dmp

Filesize
1.2MB

Download
memory/1096-12-0x0000000002F60000-0x000000000327A000-memory.dmp

Filesize
3.1MB

Download
memory/1096-35-0x0000000003300000-0x0000000003301000-memory.dmp

Filesize
4KB

Download
memory/1096-68-0x0000000003500000-0x0000000003501000-memory.dmp

Filesize
4KB

Download
memory/1096-32-0x00000000032F0000-0x00000000032F1000-memory.dmp

Filesize
4KB

Download
memory/1096-31-0x0000000003390000-0x00000000034D0000-memory.dmp

Filesize
1.2MB

Download
memory/1096-30-0x0000000003390000-0x00000000034D0000-memory.dmp

Filesize
1.2MB

Download
memory/1096-29-0x00000000032E0000-0x00000000032E1000-memory.dmp

Filesize
4KB

Download
memory/1096-27-0x0000000003390000-0x00000000034D0000-memory.dmp

Filesize
1.2MB

Download
memory/1096-26-0x00000000032D0000-0x00000000032D1000-memory.dmp

Filesize
4KB

Download
memory/1096-24-0x0000000003390000-0x00000000034D0000-memory.dmp

Filesize
1.2MB

Download
memory/1096-23-0x00000000032C0000-0x00000000032C1000-memory.dmp

Filesize
4KB

Download
memory/1096-22-0x0000000003390000-0x00000000034D0000-memory.dmp

Filesize
1.2MB

Download
memory/1096-21-0x0000000003390000-0x00000000034D0000-memory.dmp

Filesize
1.2MB

Download
memory/1096-20-0x00000000032B0000-0x00000000032B1000-memory.dmp

Filesize
4KB

Download
memory/1096-19-0x0000000003390000-0x00000000034D0000-memory.dmp

Filesize
1.2MB

Download
memory/1096-18-0x0000000003390000-0x00000000034D0000-memory.dmp

Filesize
1.2MB

Download
memory/1096-17-0x00000000032A0000-0x00000000032A1000-memory.dmp

Filesize
4KB

Download
memory/1096-16-0x0000000003390000-0x00000000034D0000-memory.dmp

Filesize
1.2MB

Download
memory/1096-15-0x0000000003390000-0x00000000034D0000-memory.dmp

Filesize
1.2MB

Download
memory/1096-14-0x0000000003290000-0x0000000003291000-memory.dmp

Filesize
4KB

Download
memory/1096-49-0x0000000003390000-0x00000000034D0000-memory.dmp

Filesize
1.2MB

Download
memory/1096-45-0x0000000003390000-0x00000000034D0000-memory.dmp

Filesize
1.2MB

Download
memory/1096-44-0x0000000003330000-0x0000000003331000-memory.dmp

Filesize
4KB

Download
memory/1096-40-0x0000000003390000-0x00000000034D0000-memory.dmp

Filesize
1.2MB

Download
memory/1096-28-0x0000000003390000-0x00000000034D0000-memory.dmp

Filesize
1.2MB

Download
memory/1096-25-0x0000000003390000-0x00000000034D0000-memory.dmp

Filesize
1.2MB

Download
memory/1096-81-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/1096-80-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/1096-90-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/1096-82-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/1096-83-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/1096-85-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/1096-84-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/1096-86-0x0000000000400000-0x000000000054C000-memory.dmp

Filesize
1.3MB

Download
memory/2444-0-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/2444-2-0x0000000000401000-0x0000000000412000-memory.dmp

Filesize
68KB

Download
memory/2444-77-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download