4f0a08478300923d48202ceb900ba9a2fd720b7dff8fcb5af958206c86d3c3a1

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 06:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PlatoYoutubeDownloader.exe
Size

4.2MB
MD5

798f87de516b2e48cb23f5846e7fdb8a
SHA1

f3788a673f192f4f18bd2c34b27ede5f6410a381
SHA256

864eb37318c723095603f19c22e902b4c24d205a314a992845a59f3ae3d2efcf
SHA512

9457904c56c70e6361834e67885506e8949052bed80eb418fba0fc647eae15161fd3166ff72aff5b7aaaf25608fba5c372596ae0ca9b7ac4fe2b888d4f24c2f6
SSDEEP

98304:5qVL7WtS9QiW3rlx6XcM+ARzZ8TPqfKAQcjBHdJQsOrj6BEv:AVf79QitXt+AZZISfScjBcsOkU

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	is-2LVGU.tmp

Executes dropped EXE 2 IoCs

pid	Process
1956	is-2LVGU.tmp
4484	crverify.exe

Loads dropped DLL 2 IoCs

pid	Process
4484	crverify.exe
1956	is-2LVGU.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PlatoYoutubeDownloader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	is-2LVGU.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crverify.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4484	crverify.exe
4484	crverify.exe
4484	crverify.exe
4484	crverify.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4484	crverify.exe
4484	crverify.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3624 wrote to memory of 1956	3624	PlatoYoutubeDownloader.exe	82
PID 3624 wrote to memory of 1956	3624	PlatoYoutubeDownloader.exe	82
PID 3624 wrote to memory of 1956	3624	PlatoYoutubeDownloader.exe	82
PID 1956 wrote to memory of 4484	1956	is-2LVGU.tmp	83
PID 1956 wrote to memory of 4484	1956	is-2LVGU.tmp	83
PID 1956 wrote to memory of 4484	1956	is-2LVGU.tmp	83

C:\Users\Admin\AppData\Local\Temp\PlatoYoutubeDownloader.exe
"C:\Users\Admin\AppData\Local\Temp\PlatoYoutubeDownloader.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3624
- C:\Users\Admin\AppData\Local\Temp\is-BK19G.tmp\is-2LVGU.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-BK19G.tmp\is-2LVGU.tmp" /SL4 $9016A "C:\Users\Admin\AppData\Local\Temp\PlatoYoutubeDownloader.exe" 4163640 65536
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1956
- - C:\Users\Admin\AppData\Local\Temp\is-7CTGF.tmp\crverify.exe
    "C:\Users\Admin\AppData\Local\Temp\is-7CTGF.tmp\crverify.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CSMB68E.tmp

Filesize
152KB

MD5
f3d97ec757d024ab5c61ebf5b160ffd0

SHA1
0c2dd856392100a708d001d519468ff4cc930b93

SHA256
9a51aaca7f67bf7e4b3a2bd203723620c63e04870a8a3eb601c0ffdf5c901749

SHA512
9c55a7ee6af16b42e34eb668e4f7b475bb4e81b84596fcbbee2a7c36f49d3d9edd8394aa7af3b0bafabdd2247dbd412bed4ea71250c49e339692bb758f7ceb38

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-7CTGF.tmp\crverify.exe

Filesize
232KB

MD5
29b8e3b307c864596c85fcb2887a9109

SHA1
ebe2723044af8fc4628a317eae7d06545746e84c

SHA256
5a93f4e174ecdf4ae5398c94b660640b9f5f18562c78cb64f409956d39e24289

SHA512
eeb01fdc6e561aa5299da8ffa1743a2f6f38a97166b84d9e04211a26e1dfe6df7582f08dc5e724fa3890982d7ca355d2eb79026035936b377cc41ebd80ab8bd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-BK19G.tmp\is-2LVGU.tmp

Filesize
665KB

MD5
a80e455b7f857c3dc74250397511675a

SHA1
8e1a9fb22bd1b0653878ad2ae9902f26d375d6cf

SHA256
f42703cec4a0012e6fd04d96058b5942a3ce694573d8b36a555c5be070fb5954

SHA512
b26143e4e45908b1996a404a6d2de26ee2748374284ad263357edee8becc978361e3179d413e2b925fae9adaef9de35fe3fcdef0739b048834c0913bebdcbdf1

Download Submit
memory/1956-8-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1956-30-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1956-33-0x0000000075D20000-0x0000000075EC0000-memory.dmp

Filesize
1.6MB

Download
memory/1956-34-0x00000000763A0000-0x00000000763C4000-memory.dmp

Filesize
144KB

Download
memory/3624-0-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/3624-2-0x0000000000401000-0x000000000040A000-memory.dmp

Filesize
36KB

Download
memory/3624-31-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download