4b101d1da22f52eaf0a2d19c7f23f242e2d4037a3908be25c93e6162eff6b0cd

Analysis

max time kernel
142s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
01/09/2024, 18:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fsolauncher-1.12.1-prod.21.exe
Size

91.8MB
MD5

082f607cdc99fd3aefaf25661b13831d
SHA1

10f3b02fb7b3b6f3c75728448d3ca54eaf8207c6
SHA256

4b101d1da22f52eaf0a2d19c7f23f242e2d4037a3908be25c93e6162eff6b0cd
SHA512

bdf06883da2717cc23d9047c81dac550e3fba4b5d7db8ee1b18feebf0b95ab076b0203292d12cbe10a739038985fe7c16cd2d2a8ed746e847acfb507ad4f2aa8
SSDEEP

1572864:azQN8edbBCnwxLHHAqhedBfdHH3/DEM0cf6WWH4J0sy3rbIlmWMPlDqjFoODgBPg:QQOedow9HHveL13/I4f3q7bIIPYaQgB4

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4112	fsolauncher-1.12.1-prod.21.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fsolauncher-1.12.1-prod.21.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fsolauncher-1.12.1-prod.21.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 4112	2508	fsolauncher-1.12.1-prod.21.exe	93
PID 2508 wrote to memory of 4112	2508	fsolauncher-1.12.1-prod.21.exe	93
PID 2508 wrote to memory of 4112	2508	fsolauncher-1.12.1-prod.21.exe	93

C:\Users\Admin\AppData\Local\Temp\fsolauncher-1.12.1-prod.21.exe
"C:\Users\Admin\AppData\Local\Temp\fsolauncher-1.12.1-prod.21.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Users\Admin\AppData\Local\Temp\is-OT3RP.tmp\fsolauncher-1.12.1-prod.21.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-OT3RP.tmp\fsolauncher-1.12.1-prod.21.tmp" /SL5="$802C2,95346210,788992,C:\Users\Admin\AppData\Local\Temp\fsolauncher-1.12.1-prod.21.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4380,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=4360 /prefetch:8
1⤵
PID:796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-OT3RP.tmp\fsolauncher-1.12.1-prod.21.tmp

Filesize
3.0MB

MD5
c297af2848e2ca4889e67401cc8a9231

SHA1
4b34371fcf7e606871f93eb3d58efde9396a1775

SHA256
09cf326ddba4f01172067fe6181e08cc697087344b5cc3fe9fc5ee0e4503e8b3

SHA512
47eeba6798fad63d3dc190c0e7bd1a0e63790ead0ddfcac4d7f45891e1bd5fb7b386adab6d8dca8a001daa4ca884e013839290fe4d3e9956ddd9b889c9ad2548

Download Submit
memory/2508-2-0x0000000000401000-0x00000000004A9000-memory.dmp

Filesize
672KB

Download
memory/2508-0-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/2508-9-0x0000000000400000-0x00000000004CF000-memory.dmp

Filesize
828KB

Download
memory/4112-7-0x0000000000400000-0x0000000000702000-memory.dmp

Filesize
3.0MB

Download
memory/4112-10-0x0000000000400000-0x0000000000702000-memory.dmp

Filesize
3.0MB

Download