76848c6d29900ed86720672327180b6e63a3e7a9fa9e85c47d069b8ef9083e2b

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 10:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Kurulum.exe
Size

1.1MB
MD5

81830aef740855018f52662bac924d08
SHA1

6b8531858328d27aef9a9b24bfc5ffaffcab4b48
SHA256

1b1818c3ca030ab0f7e70c77d55eeef862df649526554e9dae234277a09eb3f1
SHA512

e9c66802ee22c393c4dee1332f2457eba838983d3bca16fbd8f0f54cc9b5cc5f95afb3f29ac56cdf61ca313cf1f1976a2d0b2f342d30483e6d1822569e1baa7a
SSDEEP

24576:/dJqC3LCwiUh/WLTMlpGcVEI776+TmS7lxD3Tvy6F+cdz4jxF0U5A:/dtLCwiURWXMT4I4SZhTv/fGxFI

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation	Kurulum.exe

Executes dropped EXE 1 IoCs

pid	Process
3640	MsgPlusSetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kurulum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsgPlusSetup.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3640	MsgPlusSetup.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1492 wrote to memory of 3640	1492	Kurulum.exe	82
PID 1492 wrote to memory of 3640	1492	Kurulum.exe	82
PID 1492 wrote to memory of 3640	1492	Kurulum.exe	82

C:\Users\Admin\AppData\Local\Temp\Kurulum.exe
"C:\Users\Admin\AppData\Local\Temp\Kurulum.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1492
- C:\Users\Admin\AppData\Local\Temp\msgpl_8570.tmp\MsgPlusSetup.exe
  "C:\Users\Admin\AppData\Local\Temp\msgpl_8570.tmp\MsgPlusSetup.exe" /SetupWrapper
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\msgpl_8570.tmp\MsgPlusSetup.exe

Filesize
1.5MB

MD5
ef629ad3f56db1da0f07f61495c8ba82

SHA1
b6e35da622f667d9d3c743ea44555b6c0a34bd96

SHA256
84350d607f786fa73c3659f578ec19d039436b21df45cce888f686c600873e7d

SHA512
998932b1fff799b1b624204439e5c99b9968521134184909c238d34bf11a468daaf66589b10748a95f18ca12ff65ed30f26252eabd7fa2f4d703b1ec3984b451

Download Submit
C:\Users\Admin\AppData\Local\Temp\msgpl_b426.tmp\Lng_Arabic.ini

Filesize
12KB

MD5
c76814e2b7b3c7338731625eb6b00320

SHA1
ff4523de4b34c31475a6c1f7a4b057c81b8019ae

SHA256
516df5e95d96cb1f8d67a0ffbf86b6b8457172315e28858ea75d441e22d7d912

SHA512
4d082fbef93bc3d9dfba878a6bf1dd7ac1eab810e54b7e3fdb0318524b9f249fa170a48bedd93d619071f80cd4e52cef2f2e9ce6a240678c3b33b5d5d60eda9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\msgpl_b426.tmp\Lng_ChineseSimplified.ini

Filesize
10KB

MD5
5688c4739d7626a82c24f5f82a4854ae

SHA1
ac6730554ef23493daa7df9f717511d71f285418

SHA256
8029a378e80bc86ed00b4b12221dc44f3fd818618d89045344eba881f6c73089

SHA512
339f8b27124d16fce0a8fa2b23b9f2f2245735dc2287162ddf17099232f231940881b2061b88602c83cbe7fc3c9278bde4da6e5b9f8e9c3b4349d45936689904

Download Submit
C:\Users\Admin\AppData\Local\Temp\msgpl_b426.tmp\Lng_ChineseTraditional.ini

Filesize
10KB

MD5
5a8c1d67644f6fb0b9b329f7ed4419d9

SHA1
1224361f81d144bc6c519c98e4020e12f0d4032b

SHA256
ee4253c92018cecf7154042867a0a8feaa3e00e2c9da6c2f5682297ffd4839aa

SHA512
4b9451c234322387532a363a2ae6e4443d60eb729f7d134330e0040825db6688c89fa2dacb15c8854c67653f9d0a7bfd5e6640c71daeca8af8cd644c6581dd0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\msgpl_b426.tmp\Lng_Danish.ini

Filesize
16KB

MD5
bdb7b8adf80486c7d6aaeccdc3a51aee

SHA1
e92ec76039127472130b536f87027d0c842754e7

SHA256
6d25ab53c582e22693e7943263ee18c7045573027a7fdc32513daf3e6eb646c4

SHA512
b3c4cb26fd03413040bda032a221c8ce1bb17772ee74eaa3c3ee4a33c75b65ed728a608baabdacd98ca0b462e50e7df3a6ac484eaa5042f96f4cc3be2d8f69d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\msgpl_b426.tmp\Lng_Default.ini

Filesize
18KB

MD5
117f2b8017b8d461e733aee634bfd013

SHA1
97a067bdc9ac697838a7808bad5174ec5a3be32a

SHA256
b924c11aa58273c7b9b1e169497a6527cb9a3a38cbafbd6780af6a0c5c801d0b

SHA512
ff282e18a36895f0eb788973dc1ecdc6096125ca1895cf479f00cf7b8098775fe11cd181628c08dabd7d816580b7d76d32a17beee62573293108c0620934f9ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\msgpl_b426.tmp\Lng_Dutch.ini

Filesize
20KB

MD5
85465c046c59827e04c2c10ff62304a3

SHA1
2c18033e3cb0420b1fa1f201252cbfef8a9d92a7

SHA256
02dfcf4d7235fb3a5959a1cc59013a7d54a0d189af08b0e5d6dfd692a47ba515

SHA512
5dd818981c7e4f686e9565dc7e4245c262e6f9f154373c17b16edaf4f884002f4c9cf9de3346d70613eb3b0b73927fea5710efe11b4067dde34d2974611699a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\msgpl_b426.tmp\Lng_Estonian.ini

Filesize
17KB

MD5
4d82aa08fe624bb82185de06b6aaf915

SHA1
02b99bab5ca151f445a58d5add8802dc0698f19a

SHA256
5e10fc4e5b433654407e6cab8c9597b95770a64e60a29ad01f2ccbba7b12e978

SHA512
1a020c68ac79ed6fe50516534477a02d83c5207ec83bc9b9060bfcd25cfcbd3adf6de7bc334c76199568eb450aafd5395c4b3b8153bf2edddeef858adfb7f47a

Download Submit
C:\Users\Admin\AppData\Local\Temp\msgpl_b426.tmp\Lng_Finnish.ini

Filesize
16KB

MD5
105d3313694b54e57234fe1b128e2017

SHA1
e0b58943264cd3fb33f376cfb51a766475aaa256

SHA256
e2fd4da63904630c0528844b63f00812b44a9fd4769826727ca52d9575dc7a5b

SHA512
a779689030ed16127f8f95cab336aa0fe9395b2d7c314d957edac4faa22035f587c021b70dcd91312bde4aee4749ee7e0e83108dd8a4b3e2ac3eec983cb7f545

Download Submit
C:\Users\Admin\AppData\Local\Temp\msgpl_b426.tmp\Lng_French.ini

Filesize
17KB

MD5
530c0c0fe27fc2bb1808561799c190d2

SHA1
397c005b69678a2598ce667be26a22dc6d0eb341

SHA256
02cd813d8174032510512d46f07f8523e5a3cfd65f816b9181c90187c34ab63f

SHA512
0576042ae27e27ddd0f14377a351b6c50c1cf13cd034ea9bfb634c9ff6447050aab15d0bc3498b4e0fc56336cf9548db2d9d122382a39e066387fd0045cc5241

Download Submit
C:\Users\Admin\AppData\Local\Temp\msgpl_b426.tmp\Lng_German.ini

Filesize
18KB

MD5
a7aa345c9fdac2451051528d2f0b11f3

SHA1
06400fd288a8caa5c35c053f434ee4cb52adf441

SHA256
9514a68e06c1a4d17ee68ec335aab50e600e4c15a53d619a974e9909be853e59

SHA512
ef27da3a1095380bb443efe87b5f39017b932f69a8f7487c7f1ed3f7055791f3a1ac2aae7109c3a95ac9721e483c3c2a20d5a2fdd95d953d7705ad5cd8f10d1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\msgpl_b426.tmp\Lng_Hungarian.ini

Filesize
15KB

MD5
bac7e4007b650800f4c098c491fd92aa

SHA1
94a9a33cc08ccd0a103c57f2f94b02f9854363a8

SHA256
996e7686c27d046a46f77c6dd0850f1746b478b0076077e6602f1babf7523d48

SHA512
a949412fd0a2342c2c1ee71e149937f553cbc2b9337d4adcfba51e658a4b5f5ef936450960c5751178ecd776efe9c4659ced7e35c0d9dcc0c20cb475f6514970

Download Submit
C:\Users\Admin\AppData\Local\Temp\msgpl_b426.tmp\Lng_Italian.ini

Filesize
18KB

MD5
364ee07346f589adbafb8b318ee8e018

SHA1
b7eab33695844f8a4abe00557a87546fc183646f

SHA256
964bb1ec03967abe4b95a8a297a3ee9939170c3012c6cdb8d2118749b03af863

SHA512
605d737eacb34fd335e461d6446699d3ca4b6963580e51408ffd43858872259a4dfa0889d76ca095a0476bdc8dad821fa6d23771c9509a4ebaf302a0d67ff3b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\msgpl_b426.tmp\Lng_Japanese.ini

Filesize
13KB

MD5
dfb7f16bfeea159680d30f137586f600

SHA1
738416a104cdf319c710d8017865afb2a2b8fe76

SHA256
3e55649d9aa61dcb3b916e5c8ef84a2f2b479cf081906e9eb125c70cd02666c6

SHA512
f0c6a746136d49ceed0d555c37cdec2b978c7dc6070c2d224fc23ad24468534e90c1649bcdf18b68c004e81e1162ee5868220949d5f46b23bc8b405e98fc126d

Download Submit
C:\Users\Admin\AppData\Local\Temp\msgpl_b426.tmp\Lng_Norwegian.ini

Filesize
16KB

MD5
d4a3d4477241ee65d24230de73eec50f

SHA1
ce653ec761c918f9c8651ab24ca5e7db226cf9b9

SHA256
bfc43cadd00832a8dcaa7f11e62032dae62d4b5371b88c313a065ea25551c8fb

SHA512
e86170c5494dd470b5e6917bed5c9b139a60b06e8b30765d4093ba727e09e9d38a08114694006d3940458164157dd6036499071ef52e28fd91ffdb43a765b218

Download Submit
C:\Users\Admin\AppData\Local\Temp\msgpl_b426.tmp\Lng_Portuguese.ini

Filesize
18KB

MD5
7a57df0813d35d8b529e7be58b2886ad

SHA1
42b71e62e14480a1a2245f4d962c3465913a17ee

SHA256
baac1ff4c2e3f9cf5dcb97daee5fe0e146c9d9dbadec8827e5c5e19cfe3512e3

SHA512
d7b551cd1468cd447652de6b1a12ec5a01a5bf701e1080847650340fea30724acd9b2411241fb011639ae8cfefa0cd42691f7c66763aecef302b7a2f44860f2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\msgpl_b426.tmp\Lng_PortugueseBrazilian.ini

Filesize
18KB

MD5
c3612397d41ba42244b8832a8f951be5

SHA1
115639861cde06da95646906d96c6f2739f874f9

SHA256
924b9c2d85d6e8fc8449c9863d8ddb60815d81ad9de6f804ac4740507c1d9dd2

SHA512
bad57a28cf111f8f1e6f85a2a11d3d74edf1bb8466fbeab69fb3781a1616926b082dc294e599dd1af7a87e8d9f4faf42179dd10210fbf2a66690477b24d20c0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\msgpl_b426.tmp\Lng_Russian.ini

Filesize
16KB

MD5
897534c865ca0e692b6b1f925af402ca

SHA1
a5f9258c56053fd0527790368e73acc41ed517a9

SHA256
e5bf1e5e573d70da508f137a96100b38eb0a44d235d106668d10ee69c80ce9a6

SHA512
3a119a3f3450529dd49aefe33e41a30619605fc41f93379b3f5c72e2e35fd0a8fbf5a8b2da8d859dab1798b23c88deeb9971f74397dcf70d35f8116bc86d23fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\msgpl_b426.tmp\Lng_Spanish.ini

Filesize
18KB

MD5
522f3af815fa30b2b345b9066b9f18a5

SHA1
4b1ab59991ca57ff7c45587000f2322d5bf9ae30

SHA256
f203b0580b97d504bc8e3a5baa779100bfe3fba7c8b526b34ba95351af15c218

SHA512
5c518e37ed39dcf2febe586fd0917b9c07cbe9d6deb973bb151106983e3e071937b43e02d4e9c81b125ea7cd85e6bb7342da5e4d50bb666bd0af3da955856f81

Download Submit
C:\Users\Admin\AppData\Local\Temp\msgpl_b426.tmp\Lng_Swedish.ini

Filesize
16KB

MD5
e200e79939bd161b8a0d0b7a82135a44

SHA1
ec10e3c7c4c94713c3caac80729b50551f0f0648

SHA256
7d824236a5b6a8ec41b26341e1afe011c377ca2155af3b2c2aa0b68f37427c60

SHA512
19f082ccb56a46a2e5abf127d0fce1f5c888b024486509c3c0730d4bb65b2c74a000b013713a808983be37616359a3e0d88c933b6c678e7feebea9cca9589511

Download Submit
C:\Users\Admin\AppData\Local\Temp\msgpl_b426.tmp\Lng_Thai.ini

Filesize
17KB

MD5
7db3fe2270a323faf4f64b2ac8287fb5

SHA1
635811f08444e5c1069844db8c678f729260926c

SHA256
61016191bc493b0bf3eb89d29132ac9b2371b6d6dd265670d5aed82234bb309c

SHA512
314e6226796dd0455a9282d2c1f8b7ddbd95ba9c7b153dea952b943947bc600850dfd39ae37b20f2a97b91b027524fb068e7c4e7f8be8e68b8780b3ddddda7fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\msgpl_b426.tmp\Lng_Turkish.ini

Filesize
17KB

MD5
0856163beefc1c04caa1f75d8feb8fbf

SHA1
5283aa0405b67a3d35b7ff9dbd45ae914b1d259d

SHA256
e5b01800eb0653422104ad7a58b0c54be06f4f7e16568b87b122e1b1d3b976ac

SHA512
4e65543a421316cebf4f71f067894bc18214859fbb00683a1cefb17f331e6b53f51c19ebbe974897ec2edb9397813a5bcd22ffa39af0f50d974b46f5608826c9

Download Submit
memory/3640-157-0x0000000003970000-0x0000000003971000-memory.dmp

Filesize
4KB

Download
memory/3640-165-0x0000000003970000-0x0000000003971000-memory.dmp

Filesize
4KB

Download