Analysis
Max time kernel: 31s
Max time network: 44s
Platform: windows7_x64
Resource: win7-20240704-en
Resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
Submitted: 16-08-2024 21:23
Static task: static1
Behavioral task: behavioral1
  Sample: 23542ca9447a9fb28583d229b22ad4f6cf1a71b4bc332c4fdbc0746963f67506.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 23542ca9447a9fb28583d229b22ad4f6cf1a71b4bc332c4fdbc0746963f67506.exe
  Resource: win10v2004-20240802-en
General
Target: 23542ca9447a9fb28583d229b22ad4f6cf1a71b4bc332c4fdbc0746963f67506.exe
Size: 2.4MB
MD5: 1a8c0d5ded7f399be1b43d1b6c3a6692
SHA1: 12c882aea0cbe460d04f838bdf9b44c57f0aa36e
SHA256: 23542ca9447a9fb28583d229b22ad4f6cf1a71b4bc332c4fdbc0746963f67506
SHA512: 20a3600b1ca50e1c8acd42375c3c6cd102b8fb305eb431c2b083da1068c9400cd310b36413c193f6dd5b3b19572a4cc242116a9748e9b396caa696c578d9754e
SSDEEP: 49152:zvSzkJnOyQpABa+VsNbwzPhTzoL6Y0fxfNrBUf0uzkf:zqzkbkbhwzmLb0fxfNr
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  PID 1836, Process NFWCHK.exe
- Loads dropped DLL (1 IoC)
  PID 1104, Process 23542ca9447a9fb28583d229b22ad4f6cf1a71b4bc332c4fdbc0746963f67506.exe
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process 23542ca9447a9fb28583d229b22ad4f6cf1a71b4bc332c4fdbc0746963f67506.exe
- Modifies Control Panel (1 IoC)
  Key created: \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\Desktop\MuiCached, Process 23542ca9447a9fb28583d229b22ad4f6cf1a71b4bc332c4fdbc0746963f67506.exe
- Modifies Internet Explorer settings (1 IoC)
  Key created: \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main, Process 23542ca9447a9fb28583d229b22ad4f6cf1a71b4bc332c4fdbc0746963f67506.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  PID 1104, Process 23542ca9447a9fb28583d229b22ad4f6cf1a71b4bc332c4fdbc0746963f67506.exe
  PID 1104, Process 23542ca9447a9fb28583d229b22ad4f6cf1a71b4bc332c4fdbc0746963f67506.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 1104 wrote to memory of 1836 | 1104 | 23542ca9447a9fb28583d229b22ad4f6cf1a71b4bc332c4fdbc0746963f67506.exe | 30
  PID 1104 wrote to memory of 1836 | 1104 | 23542ca9447a9fb28583d229b22ad4f6cf1a71b4bc332c4fdbc0746963f67506.exe | 30
  PID 1104 wrote to memory of 1836 | 1104 | 23542ca9447a9fb28583d229b22ad4f6cf1a71b4bc332c4fdbc0746963f67506.exe | 30
  PID 1104 wrote to memory of 1836 | 1104 | 23542ca9447a9fb28583d229b22ad4f6cf1a71b4bc332c4fdbc0746963f67506.exe | 30
  (procid_target is the report's internal process-tree id of the written-to process, not its PID; all four writes go from the submitted sample into the dropped NFWCHK.exe child it spawned.)
Processes
1. C:\Users\Admin\AppData\Local\Temp\23542ca9447a9fb28583d229b22ad4f6cf1a71b4bc332c4fdbc0746963f67506.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\23542ca9447a9fb28583d229b22ad4f6cf1a71b4bc332c4fdbc0746963f67506.exe"
   PID: 1104
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Modifies Control Panel
   - Modifies Internet Explorer settings
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Public\Documents\Wondershare\NFWCHK.exe
      Command line: C:\Users\Public\Documents\Wondershare\NFWCHK.exe
      PID: 1836
      - Executes dropped EXE
-
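The two signatures in this report that need the most interpretation are the NLS\Language key read (ATT&CK T1614.001, a lookup that many benign installers also perform) and the WriteProcessMemory hits, every one of which is the sample writing into the child it had just launched rather than into an unrelated process. The Python below is an added triage example, not part of the sandbox report or its detection engine: the process tree and registry events are constructed to mirror the sections above, PID 4242 is a hypothetical extra writer added to show the other branch, and the verdict labels are this example's own.

```python
"""Triage helpers for the language-discovery and WriteProcessMemory signatures above."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed process tree mirroring the "Processes" section of the report:
# pid -> (parent pid, image path). 1104 is the submitted sample, 1836 the dropped EXE.
PROCESS_TREE: Dict[int, Tuple[Optional[int], str]] = {
    1104: (None, r"C:\Users\Admin\AppData\Local\Temp\23542ca9447a9fb28583d229b22ad4f6cf1a71b4bc332c4fdbc0746963f67506.exe"),
    1836: (1104, r"C:\Users\Public\Documents\Wondershare\NFWCHK.exe"),
}

# Constructed registry events in the report's (pid, description, ioc) shape.
REGISTRY_EVENTS: List[Tuple[int, str, str]] = [
    (1104, "Key opened", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"),
    (1104, "Key created", r"\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Control Panel\Desktop\MuiCached"),
    (1104, "Key created", r"\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main"),
]

# Constructed WriteProcessMemory descriptions: the four from the report plus one
# hypothetical writer (PID 4242) that is not the target's parent.
WPM_DESCRIPTIONS: List[str] = ["PID 1104 wrote to memory of 1836"] * 4 + ["PID 4242 wrote to memory of 1836"]

# T1614.001: the language key lives under the active control set. Sandboxes report the
# resolved ControlSet00N name; live EDR telemetry may instead show CurrentControlSet.
NLS_LANGUAGE_KEY = re.compile(
    r"^\\REGISTRY\\MACHINE\\SYSTEM\\(?:ControlSet\d{3}|CurrentControlSet)\\Control\\NLS\\Language$",
    re.IGNORECASE,
)
WPM_LINE = re.compile(r"^PID (\d+) wrote to memory of (\d+)$")


def find_language_discovery(events: List[Tuple[int, str, str]]) -> List[Tuple[int, str]]:
    """Return (pid, key) for every open of the NLS\\Language key (ATT&CK T1614.001)."""
    return [(pid, key) for pid, op, key in events
            if op.startswith("Key opened") and NLS_LANGUAGE_KEY.match(key)]


def is_ancestor(tree: Dict[int, Tuple[Optional[int], str]], candidate: int, pid: int) -> bool:
    """True if `candidate` is the parent (or an earlier ancestor) of `pid` in the tree."""
    seen = set()
    while pid in tree and pid not in seen:
        seen.add(pid)
        parent = tree[pid][0]
        if parent == candidate:
            return True
        pid = parent
    return False


def classify_wpm(descriptions: List[str], tree: Dict[int, Tuple[Optional[int], str]]) -> List[dict]:
    """Parse 'PID A wrote to memory of B' lines and label each write.

    A write from a process into a child it just created is what CreateProcess-style
    launchers (installers, loaders) do at startup; a write into a process the writer
    did not spawn is the pattern worth treating as an injection candidate.
    """
    results = []
    for line in descriptions:
        m = WPM_LINE.match(line)
        if not m:
            continue  # not a WriteProcessMemory description; skip rather than guess
        writer, target = int(m.group(1)), int(m.group(2))
        verdict = "parent_to_child" if is_ancestor(tree, writer, target) else "cross_process"
        results.append({"writer": writer, "target": target, "verdict": verdict})
    return results


def summarize(events, descriptions, tree) -> dict:
    """Collapse the per-event results into the counts a triage note would carry."""
    lang = find_language_discovery(events)
    wpm = classify_wpm(descriptions, tree)
    return {
        "language_discovery_pids": sorted({pid for pid, _ in lang}),
        "parent_to_child_writes": sum(r["verdict"] == "parent_to_child" for r in wpm),
        "cross_process_writes": sum(r["verdict"] == "cross_process" for r in wpm),
    }


if __name__ == "__main__":
    print(summarize(REGISTRY_EVENTS, WPM_DESCRIPTIONS, PROCESS_TREE))
```

Run against the constructed events this reports one process touching the language key, four parent-to-child writes (the report's own four IoCs) and one cross-process write (the hypothetical PID 4242). The parent check is what keeps this signature from firing on every installer that spawns a helper; a reviewer should still confirm the target's image is the one the parent launched, since a parent can also inject into a child it started suspended.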
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 9KB
MD5: 162f4652a9330f2c6321b504c1fa059e
SHA1: aad51bcf9a486b407d37afc5d31c16d64b100844
SHA256: a637981b7ad2e597c1e2eb36e992a0c83fd1df1b98825e91705b1ba3819be8c5
SHA512: 86db280ee332a8bed9a68e99caeff6a7e5784927737f48fd2065f21b90e91f2015b46c6d5b9d7944e4d2fa65458c4e9ea14c9e921bdd8e1bf7c1bdae022ce68f
-
Filesize: 2KB
MD5: 68853280c69d05daa4da78d2a1a509de
SHA1: d8550cc1568c9f6742177d30dc765883acad5c49
SHA256: 7b49f0830751e099369e9ac04ff448c9562b395bb9e56ac0f5e57920bb83957e
SHA512: 5ce7429aafbd4a80c566508714a5ce643d569a86ada6ee9a3db63634eb9925c86d66a3fbe94430f450a7e2788264b797de7c33b4287d25eab60c66d7ebc65fd7
-
Filesize: 223B
MD5: 5babf2a106c883a8e216f768db99ad51
SHA1: f39e84a226dbf563ba983c6f352e68d561523c8e
SHA256: 9e676a617eb0d0535ac05a67c0ae0c0e12d4e998ab55ac786a031bfc25e28300
SHA512: d4596b0aafe03673083eef12f01413b139940269255d10256cf535853225348752499325a5def803fa1189e639f4a2966a0fbb18e32fe8d27e11c81c9e19a0bb
-
Filesize: 7KB
MD5: 27cfb3990872caa5930fa69d57aefe7b
SHA1: 5e1c80d61e8db0cdc0c9b9fa3b2e36d156d45f8f
SHA256: 43881549228975c7506b050bce4d9b671412d3cdc08c7516c9dbbb7f50c25146
SHA512: a1509024872c99c1cf63f42d9f3c5f063afde4e9490c21611551ddd2322d136ce9240256113c525305346cf7b66ccca84c3df67637c8fecbfeebf14ffa373a2a