1687311b4e7a3720be20490e8ed6cc772a32336a7bed8896e475b8ec616c6b81

Resubmissions

11-09-2024 13:13

240911-qf3rsasemc 6

05-09-2024 13:15

240905-qhfd9sscrh 6

Analysis

max time kernel
140s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-09-2024 13:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Greenshot-INSTALLER-1.2.10.6-RELEASE.exe
Size

1.7MB
MD5

c16f86882d5a102ed7a0fbbc0874d102
SHA1

4e3ac7a53f0f368b9218bf717162d5e073a0f7df
SHA256

1687311b4e7a3720be20490e8ed6cc772a32336a7bed8896e475b8ec616c6b81
SHA512

90b7aac54467b266a9dd9ce7c83a156d3d99f7aeb1ad0e3e2ef5516b38270112dae07892e3e80765c3508484e3ee66e7439db0512a63b48f64e6b15e83285f67
SSDEEP

49152:Cjt17kLz5P3mucJZCliSAbFXHrZy0HCxgdjmyZ3xog:AjkLlP2bClDC9Fjd

Score

4^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2464	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp

Loads dropped DLL 1 IoCs

pid	Process
2464	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Greenshot-INSTALLER-1.2.10.6-RELEASE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2920 wrote to memory of 2464	2920	Greenshot-INSTALLER-1.2.10.6-RELEASE.exe	83
PID 2920 wrote to memory of 2464	2920	Greenshot-INSTALLER-1.2.10.6-RELEASE.exe	83
PID 2920 wrote to memory of 2464	2920	Greenshot-INSTALLER-1.2.10.6-RELEASE.exe	83

C:\Users\Admin\AppData\Local\Temp\Greenshot-INSTALLER-1.2.10.6-RELEASE.exe
"C:\Users\Admin\AppData\Local\Temp\Greenshot-INSTALLER-1.2.10.6-RELEASE.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2920
- C:\Users\Admin\AppData\Local\Temp\is-F6Q2K.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-F6Q2K.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp" /SL5="$6027A,1293027,131584,C:\Users\Admin\AppData\Local\Temp\Greenshot-INSTALLER-1.2.10.6-RELEASE.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-F6Q2K.tmp\Greenshot-INSTALLER-1.2.10.6-RELEASE.tmp

Filesize
1.1MB

MD5
d1a078992e232919ea834226aea627a8

SHA1
53f5af8c06721ef5b62f56037e3b57dc4b517eaf

SHA256
655da9c7f64ef8f0f48160c76b8dc5443aaba63e8c6b3534a266e9cd5a18489f

SHA512
e056370322e58725961c024d1f322d31066bffd8b8d77f80fc14d2b5861788ef00e5ebc3fa6f51a6b0a94bdb02e8fffea48926716275754dd77bbe0fb8e221f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-L2K9C.tmp\isxdl.dll

Filesize
121KB

MD5
48ad1a1c893ce7bf456277a0a085ed01

SHA1
803997ef17eedf50969115c529a2bf8de585dc91

SHA256
b0cc4697b2fd1b4163fddca2050fc62a9e7d221864f1bd11e739144c90b685b3

SHA512
7c9e7fe9f00c62cccb5921cb55ba0dd96a0077ad52962473c1e79cda1fd9aa101129637043955703121443e1f8b6b2860cd4dfdb71052b20a322e05deed101a4

Download Submit
memory/2464-6-0x0000000000400000-0x000000000052F000-memory.dmp

Filesize
1.2MB

Download
memory/2464-14-0x0000000000400000-0x000000000052F000-memory.dmp

Filesize
1.2MB

Download
memory/2920-2-0x0000000000401000-0x0000000000412000-memory.dmp

Filesize
68KB

Download
memory/2920-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2920-12-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download