dc5328c987a32c4618929b3721d4d546e74d15b5e1c77ceef23a8bd04a8fa912

Analysis

max time kernel
136s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13-08-2024 20:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$TEMP/Toolbar.exe
Size

1.5MB
MD5

3376e8753c6558dd32042132a0df1f9b
SHA1

f5a168d2ab5571f3bdbd22a0f56d5d5c04b73772
SHA256

dde7c5888ea15b4ae388ef659ea615fde140602cf77e68d88a5cee1c8104f65e
SHA512

d76d187df3a9fe902473cf4510d3c896cc8c02123bb4d50cbbaf86e9152a14e45566ba87567e4c3f0d2f91d3555fee3cfe5db63a04f1eca3600636c565bc9314
SSDEEP

24576:maku/MDVYFk4J0ds+lGJFAxqRK43dAa1JGTwNp8I+Ii/MhnlA51YADVIxZCFWtvV:xkVVYOUYsgGbdrdAa1JGTgWIysAZIfCg

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3460	GLB6C80.tmp

Loads dropped DLL 5 IoCs

pid	Process
3460	GLB6C80.tmp
3460	GLB6C80.tmp
3460	GLB6C80.tmp
3460	GLB6C80.tmp
3460	GLB6C80.tmp

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\GLBSINST.%$D	GLB6C80.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Toolbar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GLB6C80.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 3460	1980	Toolbar.exe	91
PID 1980 wrote to memory of 3460	1980	Toolbar.exe	91
PID 1980 wrote to memory of 3460	1980	Toolbar.exe	91

C:\Users\Admin\AppData\Local\Temp\$TEMP\Toolbar.exe
"C:\Users\Admin\AppData\Local\Temp\$TEMP\Toolbar.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Users\Admin\AppData\Local\Temp\GLB6C80.tmp
  C:\Users\Admin\AppData\Local\Temp\GLB6C80.tmp 4736 C:\Users\Admin\AppData\Local\Temp\$TEMP\Toolbar.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:3460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4216,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=4012 /prefetch:8
1⤵
PID:3952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GLB6C80.tmp

Filesize
70KB

MD5
5d9508a82f68bfeef5b64c81d112f230

SHA1
cc11cf9e98fe9d9372a1f84d63f1c409e3666a58

SHA256
f3dae5dd0f4726e46f7e24139717fae72cafc89fc8d5f6e12ec7440254c1dd20

SHA512
a2e89c745976a358a7610743de218cbca1f16426ab818ce5f13efed7cebb7342c538a779e05f7914c803a7d3f119f9eb8d0a668c9eac80ded4b5ec0389b0f09a

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLC6D7A.tmp

Filesize
161KB

MD5
8c97d8bb1470c6498e47b12c5a03ce39

SHA1
15d233b22f1c3d756dca29bcc0021e6fb0b8cdf7

SHA256
a87f19f9fee475d2b2e82acfb4589be6d816b613064cd06826e1d4c147beb50a

SHA512
7ad0b2b0319da52152c2595ee45045d0c06b157cdaaa56ad57dde9736be3e45fd7357949126f80d3e72b21510f9bf69d010d51b3967a7644662808beed067c3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLF7965.tmp

Filesize
10KB

MD5
3b2e23d259394c701050486e642d14fa

SHA1
4e9661c4ba84400146b80b905f46a0f7ef4d62eb

SHA256
166d7156142f3ee09fa69eb617dd22e4fd248aa80a1ac08767db6ad99a2705c1

SHA512
2b792296dffa4e43bc85295dc7691bd29762ce5d9d5eafaa74e199e6a8e5b24aa85d0a1b27776d4719a49b0d29abcf6f240746a209528e608b596b560e5a3b88

Download Submit