08aedd6d0cb756a6552378823e29e78c8752ac16fc7afb2a610e552ce5aa6935

Analysis

max time kernel
1800s
max time network
1157s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
03-09-2024 18:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

filmora-idco_setup_full1901 (1).exe
Size

1.9MB
MD5

4a2cc9a194b872a64790f14f1d102301
SHA1

f780d19e26ad14cf64c4f068c3ceb4fb193e364c
SHA256

08aedd6d0cb756a6552378823e29e78c8752ac16fc7afb2a610e552ce5aa6935
SHA512

655ea9874604e77f739d577713ff5b320aeaa7094adc35a3c1cb8e0b9aadb8b2228a2be4136be09303bb203ea1448bc95e721a139cac4a116677fad1cccfd0ae
SSDEEP

49152:AuMyzlUH4BZ4zHXVrKipXKwlC7pTAdZ8NTZB45bN1db:AuFzl+3Hp6wleEZ8NLO

Score

4^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4620	NFWCHK.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	filmora-idco_setup_full1901 (1).exe

Modifies Control Panel 1 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000\Control Panel\Desktop\MuiCached	filmora-idco_setup_full1901 (1).exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4896	filmora-idco_setup_full1901 (1).exe
4896	filmora-idco_setup_full1901 (1).exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4896 wrote to memory of 4620	4896	filmora-idco_setup_full1901 (1).exe	81
PID 4896 wrote to memory of 4620	4896	filmora-idco_setup_full1901 (1).exe	81

C:\Users\Admin\AppData\Local\Temp\filmora-idco_setup_full1901 (1).exe
"C:\Users\Admin\AppData\Local\Temp\filmora-idco_setup_full1901 (1).exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4896
- C:\Users\Public\Documents\Wondershare\NFWCHK.exe
  C:\Users\Public\Documents\Wondershare\NFWCHK.exe
  2⤵
  - Executes dropped EXE
  PID:4620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Wondershare\WAE\wsWAE.log

Filesize
2KB

MD5
71c8c13612e6d177ed1c747c43a9d190

SHA1
8c63de817a10ab33620863cbe60a74312d30366b

SHA256
38a6a53ffa20ab30aaa331889ae98d7b401194710ae68eb5b590e9305c3e9b86

SHA512
e9bd19f1eadbd255b5f17bccb8cff55c8d5a4eadd087000b8b47928b4faf3329549201d064d9b3a464e57bfdcb733565aaccf4b03d2a84ebe159984971eddb98

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsduilib.log

Filesize
4KB

MD5
1da352b7f99fa902766592d050cdc130

SHA1
67008789bc11c0f594e34430d33c64aeea0ec6bc

SHA256
794e71fb9a4d32a72635dbc07e193fb748863be8ee419b7775022c741b262cff

SHA512
c2920d086f541011b1271d1e4dc9c78298c065b7b5fcfe17f4113c71739511d0af35d705c3fc4da9726e94678eaa2a2f30ba26bf2a437836d902147f4a7072b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsduilib.log

Filesize
6KB

MD5
8176c9572def0df3a709f5318cc59c10

SHA1
d37b99fb1c816e60fc78fe3f9786a3b934bd04d9

SHA256
6fd1688e090a28615baf969e54944e08e2d915df4da3edf6f4fec378fc4af28d

SHA512
878bc78fc1807a3b4834b94c74a430689090807672723443e8bd0792c89570dad6cf3e53623e9533d6341e37e101639e6e3d1cadcfc8afcf90223b9f3b6bbc60

Download Submit
C:\Users\Public\Documents\Wondershare\NFWCHK.exe

Filesize
7KB

MD5
27cfb3990872caa5930fa69d57aefe7b

SHA1
5e1c80d61e8db0cdc0c9b9fa3b2e36d156d45f8f

SHA256
43881549228975c7506b050bce4d9b671412d3cdc08c7516c9dbbb7f50c25146

SHA512
a1509024872c99c1cf63f42d9f3c5f063afde4e9490c21611551ddd2322d136ce9240256113c525305346cf7b66ccca84c3df67637c8fecbfeebf14ffa373a2a

Download Submit
C:\Users\Public\Documents\Wondershare\NFWCHK.exe.config

Filesize
223B

MD5
5babf2a106c883a8e216f768db99ad51

SHA1
f39e84a226dbf563ba983c6f352e68d561523c8e

SHA256
9e676a617eb0d0535ac05a67c0ae0c0e12d4e998ab55ac786a031bfc25e28300

SHA512
d4596b0aafe03673083eef12f01413b139940269255d10256cf535853225348752499325a5def803fa1189e639f4a2966a0fbb18e32fe8d27e11c81c9e19a0bb

Download Submit
memory/4620-1137-0x000000001B910000-0x000000001B930000-memory.dmp

Filesize
128KB

Download
memory/4620-1141-0x000000001C190000-0x000000001C1F2000-memory.dmp

Filesize
392KB

Download
memory/4620-1136-0x00007FF84F090000-0x00007FF84FA31000-memory.dmp

Filesize
9.6MB

Download
memory/4620-1134-0x00000000014A0000-0x00000000014C4000-memory.dmp

Filesize
144KB

Download
memory/4620-1138-0x000000001B930000-0x000000001BC40000-memory.dmp

Filesize
3.1MB

Download
memory/4620-1139-0x00007FF84F090000-0x00007FF84FA31000-memory.dmp

Filesize
9.6MB

Download
memory/4620-1140-0x000000001C0D0000-0x000000001C119000-memory.dmp

Filesize
292KB

Download
memory/4620-1135-0x000000001B8D0000-0x000000001B8E8000-memory.dmp

Filesize
96KB

Download
memory/4620-1142-0x000000001C6D0000-0x000000001CB9E000-memory.dmp

Filesize
4.8MB

Download
memory/4620-1143-0x000000001CC40000-0x000000001CCDC000-memory.dmp

Filesize
624KB

Download
memory/4620-1144-0x000000001C060000-0x000000001C068000-memory.dmp

Filesize
32KB

Download
memory/4620-1145-0x000000001D010000-0x000000001D04E000-memory.dmp

Filesize
248KB

Download
memory/4620-1147-0x00007FF84F090000-0x00007FF84FA31000-memory.dmp

Filesize
9.6MB

Download
memory/4620-1133-0x00007FF84F345000-0x00007FF84F346000-memory.dmp

Filesize
4KB

Download