2d62eff89296138d0a48f16b6d320af02374769c3c8e76d3b859597b7bd7e89d

Analysis

max time kernel
146s
max time network
126s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
01/10/2024, 06:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tradingviewx64.exe
Size

111.9MB
MD5

7aef4e7ded2554e1dc538c4c6c9e2307
SHA1

a8cbbcc70512ada6fc608d3e4f6f24459eb94822
SHA256

2d62eff89296138d0a48f16b6d320af02374769c3c8e76d3b859597b7bd7e89d
SHA512

5852e5cc22032eed437725c28fa8e478de14bbb374309df484b77f14569c57a3c061a1c079fa2c4533b8b81614fb0db88fefc807d4e91f88e048a4f60da07fb8
SSDEEP

3145728:Nnn18CR0qRlIt6lDHez7GmRYYYlFLiABFMUalE:dnn+qRl3F+z7GGyFLiUsy

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2516	tradingviewx64.tmp
2724	Locationatio.exe
3004	TradingView.exe

Loads dropped DLL 16 IoCs

pid	Process
2296	tradingviewx64.exe
2516	tradingviewx64.tmp
2516	tradingviewx64.tmp
2516	tradingviewx64.tmp
2724	Locationatio.exe
2724	Locationatio.exe
2724	Locationatio.exe
2724	Locationatio.exe
3004	TradingView.exe
2024	WerFault.exe
2024	WerFault.exe
2024	WerFault.exe
2024	WerFault.exe
2024	WerFault.exe
2024	WerFault.exe
2024	WerFault.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2024	2724	WerFault.exe	33

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tradingviewx64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tradingviewx64.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Locationatio.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2516	tradingviewx64.tmp

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 2516	2296	tradingviewx64.exe	31
PID 2296 wrote to memory of 2516	2296	tradingviewx64.exe	31
PID 2296 wrote to memory of 2516	2296	tradingviewx64.exe	31
PID 2296 wrote to memory of 2516	2296	tradingviewx64.exe	31
PID 2296 wrote to memory of 2516	2296	tradingviewx64.exe	31
PID 2296 wrote to memory of 2516	2296	tradingviewx64.exe	31
PID 2296 wrote to memory of 2516	2296	tradingviewx64.exe	31
PID 2516 wrote to memory of 2724	2516	tradingviewx64.tmp	33
PID 2516 wrote to memory of 2724	2516	tradingviewx64.tmp	33
PID 2516 wrote to memory of 2724	2516	tradingviewx64.tmp	33
PID 2516 wrote to memory of 2724	2516	tradingviewx64.tmp	33
PID 2724 wrote to memory of 3004	2724	Locationatio.exe	34
PID 2724 wrote to memory of 3004	2724	Locationatio.exe	34
PID 2724 wrote to memory of 3004	2724	Locationatio.exe	34
PID 2724 wrote to memory of 3004	2724	Locationatio.exe	34
PID 2724 wrote to memory of 2024	2724	Locationatio.exe	35
PID 2724 wrote to memory of 2024	2724	Locationatio.exe	35
PID 2724 wrote to memory of 2024	2724	Locationatio.exe	35
PID 2724 wrote to memory of 2024	2724	Locationatio.exe	35

C:\Users\Admin\AppData\Local\Temp\tradingviewx64.exe
"C:\Users\Admin\AppData\Local\Temp\tradingviewx64.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Users\Admin\AppData\Local\Temp\is-UFDMM.tmp\tradingviewx64.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-UFDMM.tmp\tradingviewx64.tmp" /SL5="$5010A,116532061,737280,C:\Users\Admin\AppData\Local\Temp\tradingviewx64.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\TradingView2.5.2.2 P4yLp0OC7\xkxkv\Locationatio.exe
    "C:\TradingView2.5.2.2 P4yLp0OC7\xkxkv\Locationatio.exe" cRYNtfH
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - C:\TradingView2.5.2.2 P4yLp0OC7\TradingView.exe
      "C:\TradingView2.5.2.2 P4yLp0OC7\TradingView.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3004
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 572
      4⤵
      Loads dropped DLL
      Program crash
      PID:2024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\TradingView2.5.2.2 P4yLp0OC7\ffmpeg.dll

Filesize
2.8MB

MD5
fa552fcf76098ab6a3c5b465aa3f3a57

SHA1
efc7a12b6a0be0c82f1522a277587e5bd201c770

SHA256
03d77ceddbe8eca4b721315e6206d3f001bcd77a9204f5debaa3fb36ed28e28c

SHA512
0edff510cb44d67d7a9eb0c311ace5de4e8093e90ff7f7cd08eb0229aacc562537da774d9f03bb7eaba7660ba8af1bae5b0553bc28a416ca2786bd991841ed12

Download Submit
C:\TradingView2.5.2.2 P4yLp0OC7\xkxkv\MSVCP140.dll

Filesize
438KB

MD5
52e80634c342da2a08cc3a30016f52a9

SHA1
9eec12a666c7e5f8ac56ec40d899b34efa808ad4

SHA256
b3ccb6fb8ef05ee8dcda28b9605ef22c61c80c9ac202450aade5404083d16de5

SHA512
3d0bb234fb78c1b5313d9444914ca7ac4820317f7f445085130b3d29e50d60b51631a70432de1f8378ede087def8c827714e340d82a66dd34fc2ea54410cd491

Download Submit
C:\TradingView2.5.2.2 P4yLp0OC7\xkxkv\VCRUNTIME140.dll

Filesize
88KB

MD5
f50c829cf51a72419af2814cde35d7af

SHA1
df6c27268bd12105546e87763e3f0ebdfb19b317

SHA256
e3d53f9a473cfca3fbf4e476d7e822a70b232dcd90f16bc23fbab7259fe99766

SHA512
f91fd7f1ccda5259fb87ce82cdf8cd912588f89c5a6d20a7b9025810df02b600dbdf913a74f3918143e0831be76c05caed226eb6ca7205753d61626c456ca634

Download Submit
C:\TradingView2.5.2.2 P4yLp0OC7\xkxkv\libcef.dll

Filesize
4.5MB

MD5
4f667d41a25f6550d4adc94b7a03d3fc

SHA1
88079d0d37d384782845e6f316def07a44fe3d59

SHA256
c863077ec43fb53c7276d4fec83235ea5d49090a9e3277dd3720c394c7e56e26

SHA512
ff3e92448c93701f53f53a61d7b4e0fab4b400dd4e7b35cad2b3b95715bcdf1bd0b3e38a08b6ad65cf6a9fc82215106fde57861e566dd8a70122ae52475dc04c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-I84LR.tmp\background_finish.png

Filesize
66KB

MD5
d2b25a8d802a0b2a727e122aca40ea80

SHA1
6879db30f2bd5b934ea2403420f530b911aec87c

SHA256
8df90ff6a16fb4388d1d567e1aead1ce80d01d350aa6266083251c2eb86ca921

SHA512
2442da4870132b3e09e2401723f4b0f9fdcca059fdc28365005d4afc824f8d86efa200c625afdae7ec391c951fbc4d41cb291812627d2f912d8c01c3ed7a7d0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-I84LR.tmp\background_installing.png

Filesize
112KB

MD5
1e0473d1caa3a4474162da89273bd09e

SHA1
6402abd09edbd25948925d7f400969936a60e422

SHA256
324bc1b67be8eb150948fcb1aba74e00abebd09444072535e6dab388a2be12b8

SHA512
f14da42c04f8bd103804881f44bc80783f87629e29a92ef885b1b246049e872c99335f91e100bbd2ba0f8e8ec91452dc38afc5ee70aedd3e2df227cc2166fb22

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-I84LR.tmp\background_messagebox.png

Filesize
4KB

MD5
d1a4f5ba76b7e7a702f13fbd9bbb76c7

SHA1
2c8e3fbf70f0a89a833c3607fface79a9072d324

SHA256
bcd3b5b4f4fb5a956a6ad14236567dcb1117b621713c50483433d7af1011e724

SHA512
6afc8c206f4cc9969bcc4ba373f05742ea318733891a145ef580f4116170c9fcab4479d8955e58f23d3cf445fdc9ed5eceabd086ce2324fc751f5bbb89d9d578

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-I84LR.tmp\background_welcome.png

Filesize
87KB

MD5
960e21af2daa8dccb8dc89cf78b3d8b7

SHA1
efd1bc476c2c41ab1b8249e98b2033a551408a0a

SHA256
809c540bba99b9f0b8b599e7f5f71920de4e79828fc81c91a517cd73cd05cfb8

SHA512
69859659ccb92816048540dd67a2170ccadd6686045496fa735e104525ee98f3f9351bb48c564117331ffe7db612b98b81c21346681fd8b1dfbc85e88b1558a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-I84LR.tmp\button_browse.png

Filesize
13KB

MD5
d724d25b757d8f203cd6777da8cd17a8

SHA1
51ac4866ba5550c73512a05fa4cccf36beb05a61

SHA256
78114fdef066f771aa842a682f0e71deb06b98a1b065689611814ba165460fc0

SHA512
183b1eccbf901f21ef992df79024b6bd2fa49e5e6599298ddeed9dfdb647d58a6407b519f5eeebc9a2c4eb6c9afb12e80ee5f3233d8ad7f8145496d569737fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-I84LR.tmp\button_cancel.png

Filesize
6KB

MD5
fb8e04322eee99db624e395d969dbc59

SHA1
4ac99299b54c657c0d40679fc6e4f3840638ca58

SHA256
e5a6d0c5f16ca8bebd882dfac1b77336b477ea22f7b22bde72580824dd2d94e9

SHA512
90020fe26f252e4277235eed8f91da5754373f0fdcde0cff6c7bcf8ece5c2ee66c952ef884a69664fe412c55ea9cae1933fad1a0d9c626bdd836e6a177cef0b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-I84LR.tmp\button_close.png

Filesize
3KB

MD5
2b29884a02b398ef5b3d4cb2db1e5c34

SHA1
a8f7e6525378b22185a0bd3010d1b86fca1a9c2f

SHA256
789e0fd796fa36c23f053acc85dbcc1c03035f93b92cce76840811d8b898b025

SHA512
9093d8c0910118c3dbc1170b183738530fd7bdace1d0e7f839fcee701a807de17d9c1da5d2b9da06ac7ec9b0c89db99f3461c4ae5c553a52c22cfb413ee41883

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-I84LR.tmp\button_customize_setup.png

Filesize
10KB

MD5
9fd5cf39cb1d65a7dd9fc7396fc03550

SHA1
41179665031dc8031197ee7450fc49b3efba052f

SHA256
adf67d4817b7061ef2ceb74375e1216908df908b4da839a70c275c66f4130193

SHA512
a951745de5fe3925add368eeaf57e6e67a7fa021df2289a3e6b64313890f60fc1a7e5aee49fa489cf268b63cad27c0d78daee1679a518aab4b25bcb9c8498a77

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-I84LR.tmp\button_finish.png

Filesize
15KB

MD5
ad97fd4c6b284c686ad23f3212d7389c

SHA1
4e82f8151a7b58f7a9afa8d6f6db97684c78c2a9

SHA256
411caa8d2b27c64c092d0e673e4ae06fdef0d7d50e31dfb1b3b3f51d38cc2253

SHA512
cff27c4b705ac0bd44cc58d58496d54477da8bbc9ed6b4ad1ff5c05940654c1ad35be8d8ef6f136f5e9e96789b9ed62a2b0c83daef28c18f3224ea5a368ed86d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-I84LR.tmp\button_license.png

Filesize
11KB

MD5
410c7780e6700028ab373f9efe75f728

SHA1
4c6eb2e50b83e2bc8f58aa0b643a549028b16603

SHA256
16f20688f713c3bee746bd0d745f843c99f6c360f71b44aa5713f9d5fae2cf75

SHA512
0e63f245dc8e8799376b3f7e33da5a2f40e3788b7e1541e07e8e171b91c6e4dd0a0f9bca0a02cd6d4e34618bcc112bea29d2d99e19e44aac3a8ad5029e9ef790

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-I84LR.tmp\button_minimize.png

Filesize
3KB

MD5
53377fd010771582b62621793237d97c

SHA1
7028bce353330e3fc2cfe0e3c94a9cb7c1f116e7

SHA256
7967738a3a3bd46f2c128eb9d66183c93dbb56cf51e08aa439162f999fc952a1

SHA512
a62a7813d60429b7532797f53878acac02975bd13524c496626219180f498033127870659cc96f4fecbcd67976140b904443e93d3a193d149027906f5dcb15d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-I84LR.tmp\button_ok.png

Filesize
6KB

MD5
558e7219fc377b63365513c4e017cf24

SHA1
ac508857ab9657abc0f731ff09712bbafadd1f0b

SHA256
43818ff077e39e82519171f9525ba3be84e584252d42946733a07a3f39455466

SHA512
dfdec62bf1e1cf0f6f0eb9c825e75bcf1d7eacb7925acf8b4e19fd4f382cb95e8e01c14fde3cc58c9e47d26b296c34dfb469c42d1aa67670ad511a3698ee31f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-I84LR.tmp\button_setup_or_next.png

Filesize
16KB

MD5
f759680e272b5fc9e60738b7dbbbc623

SHA1
defcdd008ddb3a3d5e4da4824f6114649c2e2c23

SHA256
ea9a1ac0057cf97ff422d306526ea3d73345673bd82f4fdffc2c4313fdb74b31

SHA512
cb2dc79e28edeaaa415653165e23c21236a6535bec6737349d5e9af69e5f92531d1c7da9ff55df10a09bc7731ab15fd4385d6436e78dd7a00792a0848c54eac8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-I84LR.tmp\button_uncustomize_setup.png

Filesize
10KB

MD5
aa5886c0e8b173955df656efbcbc00d4

SHA1
a05b410e756d4b2b6c30a448a55777691c55b2dd

SHA256
7b4577498af66c8f3b2e69f65a36306395826fbfd21c8e8b227ab760c793b5d1

SHA512
15d74e888d5490478da9b5e429509cb864fdbc7ac0ad368353b5043fd07923e2d7ead94907ccb458b84f19022d8be1def8bed5c58866d20181206792be7b49a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-I84LR.tmp\checkbox_RunApp.png

Filesize
18KB

MD5
d940cc6ffe0711645658760a85fd7205

SHA1
34d0bece8d647c23cf22d736ab5d07c0514ffabe

SHA256
87ebac7c4c2120f7e12be062da1c225c7b180aabc2682a6be3ae18f3cdd5198c

SHA512
a89197a2b18bdc9955b11fe2fce449c5ff6c5cd2d6f53af75c9a0494018a6fc59ef7f1bec2c494520970967606a79072e77853d6d0c76393de50d684a54b3614

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-I84LR.tmp\checkbox_license.png

Filesize
27KB

MD5
e1ca6a42984d8b7ededb48a3f7133791

SHA1
b1c13e402f939ac9f00a795482a6f4b80b27a5bd

SHA256
023cca5e5bbab5aed27e5290d91a14573a0178d8cfaac73d402221c78c5f013d

SHA512
80a93ae1ffc67593faa28c8043135d92b6cc4bddc830a285c2e176c09450b391b4189e9bb060fb93002c236e69f4c48a247946b8169bb97c6b3f42ee07e45d14

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-I84LR.tmp\progressbar_background.png

Filesize
283B

MD5
04dca3926efaa3851fd98aecb4315ef8

SHA1
8d431629c573a370df73741ad010463af635b8bd

SHA256
648c2e85e064672bb47b3750215470e1b7ea3e4217f777c6faa35446d449b4cf

SHA512
a54930c6a019236eb2ef3b38fe214f5a57645ca58c5896dd702256254279842413c9f4c7e8d60418f270a94f80ca7246a5d3a433503048ebd07ef7d5ddd774c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-I84LR.tmp\progressbar_foreground.png

Filesize
286B

MD5
2205f8b79ffdd37af080e444c424e513

SHA1
95294bf76c00cf8677119a204046182887c0ec8d

SHA256
d2ce48f668bfeee1500c9aaafba2cfbc8ee7c3c34ec2afec3140aa1d5ff22b57

SHA512
1be8de0c734e96bd81664b74c40cc1e174c9cad93ed3a6af403be3f32c227faeaee02398108e3a87a7a56cbfac963f996de2bc9495024f47715ecc3dbeca7c83

Download Submit
\TradingView2.5.2.2 P4yLp0OC7\xkxkv\Locationatio.exe

Filesize
214KB

MD5
6f05c7139f30b31ee958e6c094d0a937

SHA1
e9bf442774cac309f764d2e0f555b51ad4fa6b8e

SHA256
b75ad8f58bf0a308b5236738955911580bbba08b795691caa3f74610b793a63b

SHA512
8c1a4e4f7d35c559c14aa9aa5aef288a749703b7214e4b09540a1b81e2c0a78495d3e24dfe698f1ef441be34ccf73f498350f29b09be48b2f5f27cf77790929d

Download Submit
\Users\Admin\AppData\Local\Temp\is-I84LR.tmp\botva2.dll

Filesize
37KB

MD5
67965a5957a61867d661f05ae1f4773e

SHA1
f14c0a4f154dc685bb7c65b2d804a02a0fb2360d

SHA256
450b9b0ba25bf068afbc2b23d252585a19e282939bf38326384ea9112dfd0105

SHA512
c6942818b9026dc5db2d62999d32cf99fe7289f79a28b8345af17acf9d13b2229a5e917a48ff1f6d59715bdbcb00c1625e0302abcfe10ca7e0475762e0a3f41b

Download Submit
\Users\Admin\AppData\Local\Temp\is-I84LR.tmp\innocallback.dll

Filesize
63KB

MD5
1c55ae5ef9980e3b1028447da6105c75

SHA1
f85218e10e6aa23b2f5a3ed512895b437e41b45c

SHA256
6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f

SHA512
1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

Download Submit
\Users\Admin\AppData\Local\Temp\is-UFDMM.tmp\tradingviewx64.tmp

Filesize
2.9MB

MD5
98b7cf9b201cf50427f4cb026cdf6816

SHA1
590eb3992bba240cf26dbbdd9c073e63a6e0017f

SHA256
44588a21ad39a55592f5825b5b74cfc3ebd1dee6d97b0df95b0296fb3f3d49c9

SHA512
2f02d7028848982c2e36f68abec747c07954b039a650d6dbc4226f93983520bfbc93be5313e4e720f967df2a40008b8487355aa697515292bd7923b0b2f27c8e

Download Submit
memory/2296-0-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2296-2-0x0000000000401000-0x00000000004A9000-memory.dmp

Filesize
672KB

Download
memory/2296-459-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2296-332-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2516-338-0x0000000000400000-0x00000000006F5000-memory.dmp

Filesize
3.0MB

Download
memory/2516-53-0x00000000037D0000-0x00000000037DF000-memory.dmp

Filesize
60KB

Download
memory/2516-60-0x0000000003960000-0x0000000003975000-memory.dmp

Filesize
84KB

Download
memory/2516-334-0x00000000037D0000-0x00000000037DF000-memory.dmp

Filesize
60KB

Download
memory/2516-457-0x0000000000400000-0x00000000006F5000-memory.dmp

Filesize
3.0MB

Download
memory/2516-8-0x0000000000400000-0x00000000006F5000-memory.dmp

Filesize
3.0MB

Download
memory/2516-335-0x0000000003960000-0x0000000003975000-memory.dmp

Filesize
84KB

Download
memory/2516-333-0x0000000000400000-0x00000000006F5000-memory.dmp

Filesize
3.0MB

Download
memory/2724-461-0x00000000004F0000-0x000000000097D000-memory.dmp

Filesize
4.6MB

Download
memory/2724-478-0x00000000004F0000-0x000000000097D000-memory.dmp

Filesize
4.6MB

Download