165b5a81a861e79f1e333226cb8e120023a4df4ba913e62677fdbb43ca212c02

Analysis

max time kernel
92s
max time network
95s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
02-09-2024 04:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SetupShim.exe
Size

133KB
MD5

829f3a3164d7e6b1bd72a2412aefd0df
SHA1

2d656d236ea967245cb0b18d48355e4650863612
SHA256

40f630e6f8838fe6070fce2aef769530033d8bd6b8699e9565468a16f0e3f110
SHA512

7ddf8d47e1bb496fc83f865c92ee3f3b1aef7cfc4cacb63307dcdf931a33f700e8f3b2a225ee273412dd074883e3e389e5b94336cae98db0faa1284abbadfea4
SSDEEP

3072:2N8Hab73bFvqGnVFYvB6T8dhNgeae1U1P7oBVYoHoC8GAjuF6PfaMqVuipKYnTbM:2qs73bEXB7d1IPOopjuF63cKGvM

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

SetupShim.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SetupShim.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SetupShim.exe

Suspicious use of WriteProcessMemory 2 IoCs

Processes:

SetupShim.exe

description	pid	process	target process
PID 4020 wrote to memory of 2436	4020	SetupShim.exe	SetupFrontEnd.exe
PID 4020 wrote to memory of 2436	4020	SetupShim.exe	SetupFrontEnd.exe

C:\Users\Admin\AppData\Local\Temp\SetupShim.exe
"C:\Users\Admin\AppData\Local\Temp\SetupShim.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4020

C:\Users\Admin\AppData\Local\Temp\SetupFrontEnd.exe
"SetupFrontEnd.exe" "C:\Users\Admin\AppData\Local\Temp\SetupShim.exe"
2⤵
PID:2436

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\pdnSetupShim.log
Filesize
577B

MD5
67be229517828a8a7c3589a7736a666f

SHA1
09143b5f59103608c61d414f403f3cd79fe5b07c

SHA256
ebc8f1ba1beaaf2b0c98ca252fd6a25b8bb844397618d6139f6a5deb5bcfdcc8

SHA512
252dbd7c7aee33093daa1346654048c15ee1b402b5781cb2e823d414a2f426652e39232e6b3b701472ffca46cdc8c27470f40ebd2e2406eb8d5ebdeaaa764e6d

Download Submit
memory/2436-18-0x00007FFF03063000-0x00007FFF03065000-memory.dmp

Filesize
8KB

Download
memory/2436-19-0x0000015CA4830000-0x0000015CA484A000-memory.dmp

Filesize
104KB

Download
memory/2436-20-0x0000015CA65D0000-0x0000015CA6638000-memory.dmp

Filesize
416KB

Download
memory/2436-21-0x0000015CBEEA0000-0x0000015CBEF80000-memory.dmp

Filesize
896KB

Download
memory/2436-22-0x0000015CBF170000-0x0000015CBF35C000-memory.dmp

Filesize
1.9MB

Download
memory/2436-23-0x0000015CBF020000-0x0000015CBF0B4000-memory.dmp

Filesize
592KB

Download
memory/2436-24-0x0000015CBF550000-0x0000015CBF73E000-memory.dmp

Filesize
1.9MB

Download
memory/2436-25-0x0000015CBF740000-0x0000015CBF83C000-memory.dmp

Filesize
1008KB

Download
memory/2436-26-0x0000015CA6410000-0x0000015CA6411000-memory.dmp

Filesize
4KB

Download
memory/2436-27-0x0000015CBF360000-0x0000015CBF4D8000-memory.dmp

Filesize
1.5MB

Download
memory/2436-28-0x0000015CA6460000-0x0000015CA6480000-memory.dmp

Filesize
128KB

Download
memory/2436-29-0x00007FFF03060000-0x00007FFF03B22000-memory.dmp

Filesize
10.8MB

Download
memory/2436-30-0x00007FFF03060000-0x00007FFF03B22000-memory.dmp

Filesize
10.8MB

Download
memory/2436-31-0x00007FFF03060000-0x00007FFF03B22000-memory.dmp

Filesize
10.8MB

Download
memory/2436-33-0x00007FFF03060000-0x00007FFF03B22000-memory.dmp

Filesize
10.8MB

Download