57f9da48f1cfe47d500c9a45623d639f9a4dfb2f5cc9b62730ab9eb7dde5eca0

Analysis

max time kernel
16s
max time network
18s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
18-08-2024 04:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$TEMP/Toolbar.exe
Size

2.6MB
MD5

bed7d057903131569907ce3b4e1bffdb
SHA1

745879801884d48b9ee9f92cde9a4f270a5ba0bd
SHA256

53484c59e5fcf1c22328cad79a54ca84c6503f17c4b6e5edc8ff53c12228b7e3
SHA512

ecf29408783b93b3405bac661327915503e862ad6b88b9669b31ab5963427da4b41da5b612e22c261671dc272a5930708e3f30b893974d297eaa8959bab2911f
SSDEEP

49152:z3kpJV4IcHWgV3Kvul+0eQxYGzkJLQsq0EpKDA8VbjSYt2JdDkeCN0cYw7Jb4RqA:YsWg4vX0ZuJpTbDFJt2JdDkeCF/li3x

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
332	GLB9E33.tmp

Loads dropped DLL 4 IoCs

pid	Process
2204	Toolbar.exe
332	GLB9E33.tmp
332	GLB9E33.tmp
332	GLB9E33.tmp

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\GLBSINST.%$D	GLB9E33.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Toolbar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GLB9E33.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 332	2204	Toolbar.exe	29
PID 2204 wrote to memory of 332	2204	Toolbar.exe	29
PID 2204 wrote to memory of 332	2204	Toolbar.exe	29
PID 2204 wrote to memory of 332	2204	Toolbar.exe	29
PID 2204 wrote to memory of 332	2204	Toolbar.exe	29
PID 2204 wrote to memory of 332	2204	Toolbar.exe	29
PID 2204 wrote to memory of 332	2204	Toolbar.exe	29

C:\Users\Admin\AppData\Local\Temp\$TEMP\Toolbar.exe
"C:\Users\Admin\AppData\Local\Temp\$TEMP\Toolbar.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Users\Admin\AppData\Local\Temp\GLB9E33.tmp
  C:\Users\Admin\AppData\Local\Temp\GLB9E33.tmp 4736 C:\Users\Admin\AppData\Local\Temp\$TEMP\Toolbar.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\GLB9E33.tmp

Filesize
70KB

MD5
cc169cc690478443cbfcf835b21fb301

SHA1
24d10364f89ef17802aa945101526005faa1a339

SHA256
34ef744d3602adf924752955d7ea488f2a3cc814918b37945669fe90edc9e4c1

SHA512
f6c0cd6b88b106177e17285773217f872e04085e84392968cfa937bba61417139bad221c9219eb93c145a3121eb877b942c7ef98e93ada7655f2d264cd552f95

Download Submit
\Users\Admin\AppData\Local\Temp\GLC9E52.tmp

Filesize
161KB

MD5
8c97d8bb1470c6498e47b12c5a03ce39

SHA1
15d233b22f1c3d756dca29bcc0021e6fb0b8cdf7

SHA256
a87f19f9fee475d2b2e82acfb4589be6d816b613064cd06826e1d4c147beb50a

SHA512
7ad0b2b0319da52152c2595ee45045d0c06b157cdaaa56ad57dde9736be3e45fd7357949126f80d3e72b21510f9bf69d010d51b3967a7644662808beed067c3f

Download Submit
\Users\Admin\AppData\Local\Temp\GLFAA19.tmp

Filesize
10KB

MD5
3b2e23d259394c701050486e642d14fa

SHA1
4e9661c4ba84400146b80b905f46a0f7ef4d62eb

SHA256
166d7156142f3ee09fa69eb617dd22e4fd248aa80a1ac08767db6ad99a2705c1

SHA512
2b792296dffa4e43bc85295dc7691bd29762ce5d9d5eafaa74e199e6a8e5b24aa85d0a1b27776d4719a49b0d29abcf6f240746a209528e608b596b560e5a3b88

Download Submit