4f0a08478300923d48202ceb900ba9a2fd720b7dff8fcb5af958206c86d3c3a1

General

Target

PlatoYoutubeDownloader.exe
Size

4.2MB
MD5

798f87de516b2e48cb23f5846e7fdb8a
SHA1

f3788a673f192f4f18bd2c34b27ede5f6410a381
SHA256

864eb37318c723095603f19c22e902b4c24d205a314a992845a59f3ae3d2efcf
SHA512

9457904c56c70e6361834e67885506e8949052bed80eb418fba0fc647eae15161fd3166ff72aff5b7aaaf25608fba5c372596ae0ca9b7ac4fe2b888d4f24c2f6
SSDEEP

98304:5qVL7WtS9QiW3rlx6XcM+ARzZ8TPqfKAQcjBHdJQsOrj6BEv:AVf79QitXt+AZZISfScjBcsOkU

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
816	is-1GLOI.tmp
2352	crverify.exe

Loads dropped DLL 7 IoCs

pid	Process
2148	PlatoYoutubeDownloader.exe
816	is-1GLOI.tmp
816	is-1GLOI.tmp
816	is-1GLOI.tmp
816	is-1GLOI.tmp
2352	crverify.exe
816	is-1GLOI.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PlatoYoutubeDownloader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	is-1GLOI.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crverify.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2352	crverify.exe
2352	crverify.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
816	is-1GLOI.tmp

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2352	crverify.exe
2352	crverify.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 816	2148	PlatoYoutubeDownloader.exe	30
PID 2148 wrote to memory of 816	2148	PlatoYoutubeDownloader.exe	30
PID 2148 wrote to memory of 816	2148	PlatoYoutubeDownloader.exe	30
PID 2148 wrote to memory of 816	2148	PlatoYoutubeDownloader.exe	30
PID 2148 wrote to memory of 816	2148	PlatoYoutubeDownloader.exe	30
PID 2148 wrote to memory of 816	2148	PlatoYoutubeDownloader.exe	30
PID 2148 wrote to memory of 816	2148	PlatoYoutubeDownloader.exe	30
PID 816 wrote to memory of 2352	816	is-1GLOI.tmp	31
PID 816 wrote to memory of 2352	816	is-1GLOI.tmp	31
PID 816 wrote to memory of 2352	816	is-1GLOI.tmp	31
PID 816 wrote to memory of 2352	816	is-1GLOI.tmp	31

C:\Users\Admin\AppData\Local\Temp\PlatoYoutubeDownloader.exe
"C:\Users\Admin\AppData\Local\Temp\PlatoYoutubeDownloader.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Users\Admin\AppData\Local\Temp\is-VU2MC.tmp\is-1GLOI.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-VU2MC.tmp\is-1GLOI.tmp" /SL4 $30146 "C:\Users\Admin\AppData\Local\Temp\PlatoYoutubeDownloader.exe" 4163640 65536
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:816
- - C:\Users\Admin\AppData\Local\Temp\is-1AVMO.tmp\crverify.exe
    "C:\Users\Admin\AppData\Local\Temp\is-1AVMO.tmp\crverify.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\CSMC523.tmp

Filesize
152KB

MD5
f3d97ec757d024ab5c61ebf5b160ffd0

SHA1
0c2dd856392100a708d001d519468ff4cc930b93

SHA256
9a51aaca7f67bf7e4b3a2bd203723620c63e04870a8a3eb601c0ffdf5c901749

SHA512
9c55a7ee6af16b42e34eb668e4f7b475bb4e81b84596fcbbee2a7c36f49d3d9edd8394aa7af3b0bafabdd2247dbd412bed4ea71250c49e339692bb758f7ceb38

Download Submit
\Users\Admin\AppData\Local\Temp\is-1AVMO.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-1AVMO.tmp\crverify.exe

Filesize
232KB

MD5
29b8e3b307c864596c85fcb2887a9109

SHA1
ebe2723044af8fc4628a317eae7d06545746e84c

SHA256
5a93f4e174ecdf4ae5398c94b660640b9f5f18562c78cb64f409956d39e24289

SHA512
eeb01fdc6e561aa5299da8ffa1743a2f6f38a97166b84d9e04211a26e1dfe6df7582f08dc5e724fa3890982d7ca355d2eb79026035936b377cc41ebd80ab8bd5

Download Submit
\Users\Admin\AppData\Local\Temp\is-VU2MC.tmp\is-1GLOI.tmp

Filesize
665KB

MD5
a80e455b7f857c3dc74250397511675a

SHA1
8e1a9fb22bd1b0653878ad2ae9902f26d375d6cf

SHA256
f42703cec4a0012e6fd04d96058b5942a3ce694573d8b36a555c5be070fb5954

SHA512
b26143e4e45908b1996a404a6d2de26ee2748374284ad263357edee8becc978361e3179d413e2b925fae9adaef9de35fe3fcdef0739b048834c0913bebdcbdf1

Download Submit
memory/816-9-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/816-31-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/2148-2-0x0000000000401000-0x000000000040A000-memory.dmp

Filesize
36KB

Download
memory/2148-0-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2148-32-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing