23542ca9447a9fb28583d229b22ad4f6cf1a71b4bc332c4fdbc0746963f67506

General

Target

23542ca9447a9fb28583d229b22ad4f6cf1a71b4bc332c4fdbc0746963f67506.exe
Size

2.4MB
MD5

1a8c0d5ded7f399be1b43d1b6c3a6692
SHA1

12c882aea0cbe460d04f838bdf9b44c57f0aa36e
SHA256

23542ca9447a9fb28583d229b22ad4f6cf1a71b4bc332c4fdbc0746963f67506
SHA512

20a3600b1ca50e1c8acd42375c3c6cd102b8fb305eb431c2b083da1068c9400cd310b36413c193f6dd5b3b19572a4cc242116a9748e9b396caa696c578d9754e
SSDEEP

49152:zvSzkJnOyQpABa+VsNbwzPhTzoL6Y0fxfNrBUf0uzkf:zqzkbkbhwzmLb0fxfNr

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4180	NFWCHK.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	23542ca9447a9fb28583d229b22ad4f6cf1a71b4bc332c4fdbc0746963f67506.exe

Modifies Control Panel 1 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\Desktop\MuiCached	23542ca9447a9fb28583d229b22ad4f6cf1a71b4bc332c4fdbc0746963f67506.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2860	23542ca9447a9fb28583d229b22ad4f6cf1a71b4bc332c4fdbc0746963f67506.exe
2860	23542ca9447a9fb28583d229b22ad4f6cf1a71b4bc332c4fdbc0746963f67506.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2860 wrote to memory of 4180	2860	23542ca9447a9fb28583d229b22ad4f6cf1a71b4bc332c4fdbc0746963f67506.exe	87
PID 2860 wrote to memory of 4180	2860	23542ca9447a9fb28583d229b22ad4f6cf1a71b4bc332c4fdbc0746963f67506.exe	87

C:\Users\Admin\AppData\Local\Temp\23542ca9447a9fb28583d229b22ad4f6cf1a71b4bc332c4fdbc0746963f67506.exe
"C:\Users\Admin\AppData\Local\Temp\23542ca9447a9fb28583d229b22ad4f6cf1a71b4bc332c4fdbc0746963f67506.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2860
- C:\Users\Public\Documents\Wondershare\NFWCHK.exe
  C:\Users\Public\Documents\Wondershare\NFWCHK.exe
  2⤵
  - Executes dropped EXE
  PID:4180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Wondershare\WAE\wsWAE.log

Filesize
2KB

MD5
07968479588dee4745545f6b7f599a71

SHA1
1909cc1acdc66b2406af5c3b1fb218c30213c2a0

SHA256
53838ba7ee830ffe03bc7b680293dc176ae61d5ff64221760c8b47385331bd2d

SHA512
e4c117a9418f0c371cc4bb131a5976e439023b92284514714236badca318828f2cb1725637e7ebdd9fd845c2e58279ad0316e26f43d7037a727dac36cb432608

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsduilib.log

Filesize
688B

MD5
0774f993c472308fc582bde01cf02e1b

SHA1
d8d8b83f982253ab3c0a6499ba7f4b15c07492e7

SHA256
2f9013ae3b86557f17d2e80892f271c79c768bff89e0e7e3e5ef43d7008873fa

SHA512
5f51191777a8720a722b258e3822e5869287b275804a900616440f7d1c77fef7bff7080b4744455f7d5c37d487d8735fecad99b819fd7d21ff745fcdbe250d3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsduilib.log

Filesize
6KB

MD5
79a2d050edf9107e2c40eb9a7d99b62f

SHA1
e250c840c9c98ebd5a014a52de69b0509e1e3900

SHA256
e970fafdc9bc1741db36ca87dacc48f2b7de6e78e3997da4d3ad1f88557082f3

SHA512
788ddc993b239605cc017d380400e794ad71bb2c64642bbbdeaa602c6e9c7812d75b938931428bb3796888858dd3a337439752369bf8e870ebe412934ea5ccb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsduilib.log

Filesize
5KB

MD5
de4ef08b17a725a2b97988aea54d6f40

SHA1
6c58c2e8c0d9521b662b5757ab914cb6bd3c082e

SHA256
7b33f037b2738c80fe44f5457ab02628b43de28bcde8e6dc2bd5030bfa9c0670

SHA512
090d595b0cc298303924f7883d5d7e7da4a143d76c7e9bc777bfd09a386755537a6313fd2697a914b01dc082dab45319b23c040cd11b0ebd4928926fddc7db32

Download Submit
C:\Users\Public\Documents\Wondershare\NFWCHK.exe

Filesize
7KB

MD5
27cfb3990872caa5930fa69d57aefe7b

SHA1
5e1c80d61e8db0cdc0c9b9fa3b2e36d156d45f8f

SHA256
43881549228975c7506b050bce4d9b671412d3cdc08c7516c9dbbb7f50c25146

SHA512
a1509024872c99c1cf63f42d9f3c5f063afde4e9490c21611551ddd2322d136ce9240256113c525305346cf7b66ccca84c3df67637c8fecbfeebf14ffa373a2a

Download Submit
C:\Users\Public\Documents\Wondershare\NFWCHK.exe.config

Filesize
223B

MD5
5babf2a106c883a8e216f768db99ad51

SHA1
f39e84a226dbf563ba983c6f352e68d561523c8e

SHA256
9e676a617eb0d0535ac05a67c0ae0c0e12d4e998ab55ac786a031bfc25e28300

SHA512
d4596b0aafe03673083eef12f01413b139940269255d10256cf535853225348752499325a5def803fa1189e639f4a2966a0fbb18e32fe8d27e11c81c9e19a0bb

Download Submit
memory/4180-1140-0x00007FF9FDB00000-0x00007FF9FE4A1000-memory.dmp

Filesize
9.6MB

Download
memory/4180-1143-0x000000001BC50000-0x000000001BCB2000-memory.dmp

Filesize
392KB

Download
memory/4180-1138-0x00007FF9FDB00000-0x00007FF9FE4A1000-memory.dmp

Filesize
9.6MB

Download
memory/4180-1139-0x000000001B3B0000-0x000000001B3D0000-memory.dmp

Filesize
128KB

Download
memory/4180-1137-0x000000001B370000-0x000000001B388000-memory.dmp

Filesize
96KB

Download
memory/4180-1141-0x000000001B3D0000-0x000000001B6DE000-memory.dmp

Filesize
3.1MB

Download
memory/4180-1142-0x000000001BB90000-0x000000001BBD9000-memory.dmp

Filesize
292KB

Download
memory/4180-1136-0x000000001B320000-0x000000001B344000-memory.dmp

Filesize
144KB

Download
memory/4180-1144-0x000000001C190000-0x000000001C65E000-memory.dmp

Filesize
4.8MB

Download
memory/4180-1145-0x000000001C700000-0x000000001C79C000-memory.dmp

Filesize
624KB

Download
memory/4180-1146-0x000000001BB20000-0x000000001BB28000-memory.dmp

Filesize
32KB

Download
memory/4180-1147-0x000000001CBD0000-0x000000001CC0E000-memory.dmp

Filesize
248KB

Download
memory/4180-1149-0x00007FF9FDB00000-0x00007FF9FE4A1000-memory.dmp

Filesize
9.6MB

Download
memory/4180-1135-0x00007FF9FDDB5000-0x00007FF9FDDB6000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing