d7c1861490c04999007c7b0a461b0ff008008960de3cc68fbd5605f1dad682f5

Analysis

max time kernel
95s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/09/2024, 23:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$TEMP/toolbar.exe
Size

1.3MB
MD5

a04dfaa39af875e13512c26cf957a229
SHA1

6bf3f56946de48ad29a8ebb36940c5e9feb17b5c
SHA256

0527347868aa9122a9a0b128f01e9cefd2ba1ff4afe779cd5267246457295e5e
SHA512

ffafe495369993f706dd1595294079ff61d58d9880a65bbb6bd50f87284dd91e8e344b3fd3450976ff7570f67a572aaf3a268b3fe26529ad97e39452f8103c02
SSDEEP

24576:tknpMms4RFrIrihffVSPrhiWgFpfC7FjSSf0mQmtwXghDQk:tkBmr4VSPr4Fc7FWS04wwh0k

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3704	GLBA3A2.tmp

Loads dropped DLL 5 IoCs

pid	Process
3704	GLBA3A2.tmp
3704	GLBA3A2.tmp
3704	GLBA3A2.tmp
3704	GLBA3A2.tmp
3704	GLBA3A2.tmp

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\GLBSINST.%$D	GLBA3A2.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	toolbar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GLBA3A2.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4596 wrote to memory of 3704	4596	toolbar.exe	83
PID 4596 wrote to memory of 3704	4596	toolbar.exe	83
PID 4596 wrote to memory of 3704	4596	toolbar.exe	83

C:\Users\Admin\AppData\Local\Temp\$TEMP\toolbar.exe
"C:\Users\Admin\AppData\Local\Temp\$TEMP\toolbar.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4596
- C:\Users\Admin\AppData\Local\Temp\GLBA3A2.tmp
  C:\Users\Admin\AppData\Local\Temp\GLBA3A2.tmp 4736 C:\Users\Admin\AppData\Local\Temp\$TEMP\toolbar.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:3704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GLBA3A2.tmp

Filesize
70KB

MD5
1de1b348b2a64694f39e90b1eddfc910

SHA1
ead9a61cfc3d805e94d2c513fc745bf0868298f3

SHA256
c66ea345cb128242f5a21dab4f15d75e6203d908fc994af7a2c47a6e4c983f55

SHA512
15d49aafe822d205767d34d7182d871bbafb574d7ea3ad458b5420b23e3eb41cf637649358c7529ff433057590b0835d068640cc202409e67889e5718e6f217b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLCA42F.tmp

Filesize
161KB

MD5
8c97d8bb1470c6498e47b12c5a03ce39

SHA1
15d233b22f1c3d756dca29bcc0021e6fb0b8cdf7

SHA256
a87f19f9fee475d2b2e82acfb4589be6d816b613064cd06826e1d4c147beb50a

SHA512
7ad0b2b0319da52152c2595ee45045d0c06b157cdaaa56ad57dde9736be3e45fd7357949126f80d3e72b21510f9bf69d010d51b3967a7644662808beed067c3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\GLFAFFB.tmp

Filesize
10KB

MD5
3b2e23d259394c701050486e642d14fa

SHA1
4e9661c4ba84400146b80b905f46a0f7ef4d62eb

SHA256
166d7156142f3ee09fa69eb617dd22e4fd248aa80a1ac08767db6ad99a2705c1

SHA512
2b792296dffa4e43bc85295dc7691bd29762ce5d9d5eafaa74e199e6a8e5b24aa85d0a1b27776d4719a49b0d29abcf6f240746a209528e608b596b560e5a3b88

Download Submit