23542ca9447a9fb28583d229b22ad4f6cf1a71b4bc332c4fdbc0746963f67506

Analysis

max time kernel
31s
max time network
44s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
16-08-2024 21:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23542ca9447a9fb28583d229b22ad4f6cf1a71b4bc332c4fdbc0746963f67506.exe
Size

2.4MB
MD5

1a8c0d5ded7f399be1b43d1b6c3a6692
SHA1

12c882aea0cbe460d04f838bdf9b44c57f0aa36e
SHA256

23542ca9447a9fb28583d229b22ad4f6cf1a71b4bc332c4fdbc0746963f67506
SHA512

20a3600b1ca50e1c8acd42375c3c6cd102b8fb305eb431c2b083da1068c9400cd310b36413c193f6dd5b3b19572a4cc242116a9748e9b396caa696c578d9754e
SSDEEP

49152:zvSzkJnOyQpABa+VsNbwzPhTzoL6Y0fxfNrBUf0uzkf:zqzkbkbhwzmLb0fxfNr

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1836	NFWCHK.exe

Loads dropped DLL 1 IoCs

pid	Process
1104	23542ca9447a9fb28583d229b22ad4f6cf1a71b4bc332c4fdbc0746963f67506.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	23542ca9447a9fb28583d229b22ad4f6cf1a71b4bc332c4fdbc0746963f67506.exe

Modifies Control Panel 1 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\Desktop\MuiCached	23542ca9447a9fb28583d229b22ad4f6cf1a71b4bc332c4fdbc0746963f67506.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main	23542ca9447a9fb28583d229b22ad4f6cf1a71b4bc332c4fdbc0746963f67506.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1104	23542ca9447a9fb28583d229b22ad4f6cf1a71b4bc332c4fdbc0746963f67506.exe
1104	23542ca9447a9fb28583d229b22ad4f6cf1a71b4bc332c4fdbc0746963f67506.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1104 wrote to memory of 1836	1104	23542ca9447a9fb28583d229b22ad4f6cf1a71b4bc332c4fdbc0746963f67506.exe	30
PID 1104 wrote to memory of 1836	1104	23542ca9447a9fb28583d229b22ad4f6cf1a71b4bc332c4fdbc0746963f67506.exe	30
PID 1104 wrote to memory of 1836	1104	23542ca9447a9fb28583d229b22ad4f6cf1a71b4bc332c4fdbc0746963f67506.exe	30
PID 1104 wrote to memory of 1836	1104	23542ca9447a9fb28583d229b22ad4f6cf1a71b4bc332c4fdbc0746963f67506.exe	30

C:\Users\Admin\AppData\Local\Temp\23542ca9447a9fb28583d229b22ad4f6cf1a71b4bc332c4fdbc0746963f67506.exe
"C:\Users\Admin\AppData\Local\Temp\23542ca9447a9fb28583d229b22ad4f6cf1a71b4bc332c4fdbc0746963f67506.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Users\Public\Documents\Wondershare\NFWCHK.exe
  C:\Users\Public\Documents\Wondershare\NFWCHK.exe
  2⤵
  - Executes dropped EXE
  PID:1836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\wsduilib.log

Filesize
9KB

MD5
162f4652a9330f2c6321b504c1fa059e

SHA1
aad51bcf9a486b407d37afc5d31c16d64b100844

SHA256
a637981b7ad2e597c1e2eb36e992a0c83fd1df1b98825e91705b1ba3819be8c5

SHA512
86db280ee332a8bed9a68e99caeff6a7e5784927737f48fd2065f21b90e91f2015b46c6d5b9d7944e4d2fa65458c4e9ea14c9e921bdd8e1bf7c1bdae022ce68f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsduilib.log

Filesize
2KB

MD5
68853280c69d05daa4da78d2a1a509de

SHA1
d8550cc1568c9f6742177d30dc765883acad5c49

SHA256
7b49f0830751e099369e9ac04ff448c9562b395bb9e56ac0f5e57920bb83957e

SHA512
5ce7429aafbd4a80c566508714a5ce643d569a86ada6ee9a3db63634eb9925c86d66a3fbe94430f450a7e2788264b797de7c33b4287d25eab60c66d7ebc65fd7

Download Submit
C:\Users\Public\Documents\Wondershare\NFWCHK.exe.config

Filesize
223B

MD5
5babf2a106c883a8e216f768db99ad51

SHA1
f39e84a226dbf563ba983c6f352e68d561523c8e

SHA256
9e676a617eb0d0535ac05a67c0ae0c0e12d4e998ab55ac786a031bfc25e28300

SHA512
d4596b0aafe03673083eef12f01413b139940269255d10256cf535853225348752499325a5def803fa1189e639f4a2966a0fbb18e32fe8d27e11c81c9e19a0bb

Download Submit
\Users\Public\Documents\Wondershare\NFWCHK.exe

Filesize
7KB

MD5
27cfb3990872caa5930fa69d57aefe7b

SHA1
5e1c80d61e8db0cdc0c9b9fa3b2e36d156d45f8f

SHA256
43881549228975c7506b050bce4d9b671412d3cdc08c7516c9dbbb7f50c25146

SHA512
a1509024872c99c1cf63f42d9f3c5f063afde4e9490c21611551ddd2322d136ce9240256113c525305346cf7b66ccca84c3df67637c8fecbfeebf14ffa373a2a

Download Submit