1b80d636fb9204b3974d0d9ed88f1e342a1ad198b0f1caf4e37e25198b126d2f

Analysis

max time kernel
119s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/09/2024, 12:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1e737a49148aed5080271296c44018b0N.exe
Size

239KB
MD5

1e737a49148aed5080271296c44018b0
SHA1

4b7a35e72e8e9334fac287770f7b8c90cb5b7003
SHA256

1b80d636fb9204b3974d0d9ed88f1e342a1ad198b0f1caf4e37e25198b126d2f
SHA512

cf89a40d62d6dfacd1a85cebe296320e8f0daf15eaa15293e811257433f3f6dcbd1751128beea26a50cfcb13eac13c8157eba6fd37bbecb40e53c3cc7c27399a
SSDEEP

6144:LZ+11mDid7De9NVS22E+bKN2ja89j2By98H/:9uZa9NcEJNp8F2ByiH/

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4500	FGet.exe
3184	FGet.exe
1208	FGet.exe

Loads dropped DLL 7 IoCs

pid	Process
264	1e737a49148aed5080271296c44018b0N.exe
264	1e737a49148aed5080271296c44018b0N.exe
264	1e737a49148aed5080271296c44018b0N.exe
264	1e737a49148aed5080271296c44018b0N.exe
264	1e737a49148aed5080271296c44018b0N.exe
264	1e737a49148aed5080271296c44018b0N.exe
264	1e737a49148aed5080271296c44018b0N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1e737a49148aed5080271296c44018b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FGet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FGet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FGet.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 264 wrote to memory of 4500	264	1e737a49148aed5080271296c44018b0N.exe	82
PID 264 wrote to memory of 4500	264	1e737a49148aed5080271296c44018b0N.exe	82
PID 264 wrote to memory of 4500	264	1e737a49148aed5080271296c44018b0N.exe	82
PID 264 wrote to memory of 3184	264	1e737a49148aed5080271296c44018b0N.exe	89
PID 264 wrote to memory of 3184	264	1e737a49148aed5080271296c44018b0N.exe	89
PID 264 wrote to memory of 3184	264	1e737a49148aed5080271296c44018b0N.exe	89
PID 264 wrote to memory of 1208	264	1e737a49148aed5080271296c44018b0N.exe	92
PID 264 wrote to memory of 1208	264	1e737a49148aed5080271296c44018b0N.exe	92
PID 264 wrote to memory of 1208	264	1e737a49148aed5080271296c44018b0N.exe	92

C:\Users\Admin\AppData\Local\Temp\1e737a49148aed5080271296c44018b0N.exe
"C:\Users\Admin\AppData\Local\Temp\1e737a49148aed5080271296c44018b0N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:264
- C:\Users\Admin\AppData\Local\Temp\nszA9CE.tmp\FGet.exe
  C:\Users\Admin\AppData\Local\Temp\nszA9CE.tmp\FGet.exe http://www.windows7screensavers.com/installer_writelog.php?Initial|Puid=lDYhd66aGDk1ebPt|userSABBREVCTRYNAME=USA|originalsite=ezthemes|BuildNbr=lDYhd66aGDk1ebPt|File=1e737a49148aed5080271296c44018b0N.zip|Revision=20130606_dlQUE|is64B=Y C:\Users\Admin\AppData\Local\Temp\nszA9CE.tmp\S_1e737a49148aed5080271296c44018b0N.zip.ini /q /r
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4500
- C:\Users\Admin\AppData\Local\Temp\nszA9CE.tmp\FGet.exe
  C:\Users\Admin\AppData\Local\Temp\nszA9CE.tmp\FGet.exe http://www.ezthemes.com/installer_writelog.php?Initial|Puid=lDYhd66aGDk1ebPt|userSABBREVCTRYNAME=USA|originalsite=ezthemes|BuildNbr=lDYhd66aGDk1ebPt|File=1e737a49148aed5080271296c44018b0N.zip|Revision=20130606_dlQUE|is64B=Y C:\Users\Admin\AppData\Local\Temp\nszA9CE.tmp\S_1e737a49148aed5080271296c44018b0N.zip.ini /q /r
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3184
- C:\Users\Admin\AppData\Local\Temp\nszA9CE.tmp\FGet.exe
  C:\Users\Admin\AppData\Local\Temp\nszA9CE.tmp\FGet.exe http://www.themexp.org/country_err.php?A|ezthemes.com||USA C:\Users\Admin\AppData\Local\Temp\nszA9CE.tmp\E_1e737a49148aed5080271296c44018b0N.zip.ini /q /r
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nszA9CE.tmp\FGet.exe

Filesize
52KB

MD5
aee371b287d879be8e0e861fb380b1f7

SHA1
265d7bba1a96decafde9d0946d0b8f46f70990b1

SHA256
798add076e955c92841dd403ababac33e6bd86d85cab93816a16d1b5e5925573

SHA512
fb6042b5c09768945760da537f2710f05966765a6b7400737ec4ac4b48e241a2e06c6b7e7f20db361265e81beac18500b690534a6c6a4d0b2027093ab9b47814

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszA9CE.tmp\S_1e737a49148aed5080271296c44018b0N.zip.ini

Filesize
2KB

MD5
e53fdf76753edcd8773ab17ae968bfd6

SHA1
4bea38cd83442080bdf51cd1db206715f9198955

SHA256
3d70ce95eb1eb78620cc57fe1a6a479e6f2d70508bf813238e573863df000d6e

SHA512
f168878f0d1047ce3775a511ee5cffed3afc7a47081304b4c884b6099dace99a17e473b727f5afcc87b0e0c1df461439f821b2dbcf341f94b9c206e8487c7888

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszA9CE.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszA9CE.tmp\bottom.ole

Filesize
7KB

MD5
87e059eb1c6893d2d140fe4a78998afa

SHA1
d1258e30c873323d6d82e1fa7382ee784026522a

SHA256
0817f18dc700acc341aaff9fd44a749ecdd71ac252a9f5b86a06265fc047b313

SHA512
f490fae0b7853e5b0a76e61c7804781215673fe5730866ac90872f5a6f4cbf67256ce7cd3b5bc1f62d103fab373d4cece6fc143a2716936f44a04f798343b935

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszA9CE.tmp\linker.dll

Filesize
7KB

MD5
8b1a528ab4dbb024442b42d7a0fedead

SHA1
95d45da81fe6d595147c18dfbd8e63915825c16a

SHA256
75db16ea26ec8c6e728f4a99b737c8b3a6548b4c6b47fbe20286683df4745574

SHA512
9ed39f5a657dfcd04f3d9ec5592a826e9120128056ca17495b267355452cffd247d35a051edb810fd7647bbbcbea30844a426ea18c5bfdabedc792a172aa4d97

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszA9CE.tmp\nsDialogs.dll

Filesize
9KB

MD5
c10e04dd4ad4277d5adc951bb331c777

SHA1
b1e30808198a3ae6d6d1cca62df8893dc2a7ad43

SHA256
e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a

SHA512
853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszA9CE.tmp\pwgen.dll

Filesize
16KB

MD5
a555472395178ac8c733d90928e05017

SHA1
f44b192d66473f01a6540aaec4b6c9ac4c611d35

SHA256
82ae08fced4a1f9a7df123634da5f4cb12af4593a006bef421a54739a2cbd44e

SHA512
e6d87b030c45c655d93b2e76d7437ad900df5da2475dd2e6e28b6c872040491e80f540b00b6091d16bc8410bd58a1e82c62ee1b17193ef8500a153d4474bb80a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nszA9CE.tmp\top.ole

Filesize
2KB

MD5
5d46dd89b53379f0c5b460d3de63f0ab

SHA1
f83a3a531b63f26f856cf7d85ecb7d61e30e64d0

SHA256
46b1f8824f6aa1227416ecb692a31f70af880c4ae6e60fa23fc2f3e59a5d5373

SHA512
f9c9157191cb9d9a41c6d1ffc4e61d119c0c6264395f9e1a05edbff1a3335987eb71bd14ceb9506a579d8fafdf81645ff82316506ef63f0bffa42e7865bbb829

Download Submit