5422f8faf9edb5476ae1d87135ad0f05d582137ce3e28130d5bdcc624ec96313

Analysis

max time kernel
140s
max time network
119s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
23-08-2024 05:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Setup.exe
Size

1.7MB
MD5

83e004d06f4b75f6a8b7b1d5344b8e03
SHA1

4113606b7cc5767d0ffd44fc113f8c2174ae932d
SHA256

5422f8faf9edb5476ae1d87135ad0f05d582137ce3e28130d5bdcc624ec96313
SHA512

1d46a49a586a63d6e064ce5ed359136ef1ba9f47c707a8ba062f96e1fb4a168447828fdde327e7bdae4ee5dc829b51acaf08bff1f2eb7b25b67cf26bc201273c
SSDEEP

24576:04nXubIQGyxbPV0db26sTk94nHFqK3X/aoBTmWuNe979dUfWtrifkIVIMUQpcumY:0qe3f6cVnH4K3XlKWuNq79d0q3IVnHl

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2432	Setup.tmp

Loads dropped DLL 1 IoCs

pid	Process
852	Setup.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2432	Setup.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2432	Setup.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 852 wrote to memory of 2432	852	Setup.exe	31
PID 852 wrote to memory of 2432	852	Setup.exe	31
PID 852 wrote to memory of 2432	852	Setup.exe	31
PID 852 wrote to memory of 2432	852	Setup.exe	31
PID 852 wrote to memory of 2432	852	Setup.exe	31
PID 852 wrote to memory of 2432	852	Setup.exe	31
PID 852 wrote to memory of 2432	852	Setup.exe	31

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:852
- C:\Users\Admin\AppData\Local\Temp\is-D8ICO.tmp\Setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-D8ICO.tmp\Setup.tmp" /SL5="$400E0,949248,0,C:\Users\Admin\AppData\Local\Temp\Setup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\is-D8ICO.tmp\Setup.tmp

Filesize
3.1MB

MD5
91033c09d48b90e0c6b44e6261450489

SHA1
c9021b39f00cc56f21ba078a3ff6d2987ab23708

SHA256
3f94e494c8b9550ca0974f340e4a33803bcea139e72334ea53a853cd444cf84e

SHA512
b2a03ecb390b0303f262895220d07ea4e1003fc965221769a4f8296d2c94fd1ba59c3df556908b85bb295648e6df1f9599b89958b47108d32f267ee4e3c4d66b

Download Submit
memory/852-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/852-0-0x0000000000400000-0x00000000004F5000-memory.dmp

Filesize
980KB

Download
memory/852-13-0x0000000000400000-0x00000000004F5000-memory.dmp

Filesize
980KB

Download
memory/2432-8-0x0000000000400000-0x000000000072F000-memory.dmp

Filesize
3.2MB

Download
memory/2432-14-0x0000000000400000-0x000000000072F000-memory.dmp

Filesize
3.2MB

Download
memory/2432-16-0x0000000000400000-0x000000000072F000-memory.dmp

Filesize
3.2MB

Download