Analysis
max time kernel: 101s
max time network: 102s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-08-2024 08:00
Static task: static1
Behavioral task: behavioral1
  Sample: 44b5649cee545a7547ffab25c2819020N.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 44b5649cee545a7547ffab25c2819020N.exe
  Resource: win10v2004-20240802-en
General
Target: 44b5649cee545a7547ffab25c2819020N.exe
Size: 1.9MB
MD5: 44b5649cee545a7547ffab25c2819020
SHA1: a80da29b907bb88edadf324860c6635451ebb5c5
SHA256: 6e900c88de00dedd963a7bb90946d97258c7249f083248aa2d2f426ea7a29e12
SHA512: 462b1a9f709858825c148e207c0cacddf8b402edc88ddaaecf472cf5e0df5c23f3d9e83b7030b0a0e640720de500d79999123f99ad3ee1f47c02d4f2cca48241
SSDEEP: 49152:CvSzkJnOyQpABa+VsNbwzPhTzAGN9L7j0f0uzkf:CqzkbkbhwzKGNN
Malware Config
Signatures
Executes dropped EXE (1 IoCs)
  pid | Process
  1440 | NFWCHK.exe
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 44b5649cee545a7547ffab25c2819020N.exe
Modifies Control Panel (1 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\Desktop\MuiCached | 44b5649cee545a7547ffab25c2819020N.exe
Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  860 | 44b5649cee545a7547ffab25c2819020N.exe
  860 | 44b5649cee545a7547ffab25c2819020N.exe
Suspicious use of WriteProcessMemory (2 IoCs)
  description | pid | Process | procid_target
  PID 860 wrote to memory of 1440 | 860 | 44b5649cee545a7547ffab25c2819020N.exe | 88
  PID 860 wrote to memory of 1440 | 860 | 44b5649cee545a7547ffab25c2819020N.exe | 88
Processes
1. C:\Users\Admin\AppData\Local\Temp\44b5649cee545a7547ffab25c2819020N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\44b5649cee545a7547ffab25c2819020N.exe"
   PID: 860
   - System Location Discovery: System Language Discovery
   - Modifies Control Panel
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
2. C:\Users\Public\Documents\Wondershare\NFWCHK.exe (child of PID 860)
   Command line: C:\Users\Public\Documents\Wondershare\NFWCHK.exe
   PID: 1440
   - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads