580a232eb87da0f8536e3e267318eb3d99ded46fe61631408b091cd497c60b42

Resubmissions

05/10/2024, 02:55

241005-detfha1fkp 10

05/10/2024, 02:52

241005-dcxedavhnh 10

05/10/2024, 02:44

241005-c8mdls1cjk 4

05/10/2024, 02:43

241005-c7pgksvfjf 4

Analysis

max time kernel
33s
max time network
35s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/10/2024, 02:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

drfone_setup_full3824.exe
Size

2.4MB
MD5

d083de3cd489927464db90cebf1a6e59
SHA1

ee2b6ec10a5eeebc882302c4976d6edbc427b274
SHA256

580a232eb87da0f8536e3e267318eb3d99ded46fe61631408b091cd497c60b42
SHA512

89a31707b86804adc02bec5a36c277610d88862634325b0c9c2072d95dbe57491a4ef7b16b2c187fcb284831f969877ffd53253951d89c581af1ea1c48743970
SSDEEP

49152:IvSzkJnOyQpABa+VsNbwzPhTzoL6Y0fxfNrBhf0uzkf+:Iqzkbkbhwz2Lb0fxfNrJ

Score

4^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3688	NFWCHK.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	drfone_setup_full3824.exe

Modifies Control Panel 1 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\Desktop\MuiCached	drfone_setup_full3824.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4076	drfone_setup_full3824.exe
4076	drfone_setup_full3824.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 4076 wrote to memory of 3688	4076	drfone_setup_full3824.exe	82
PID 4076 wrote to memory of 3688	4076	drfone_setup_full3824.exe	82

C:\Users\Admin\AppData\Local\Temp\drfone_setup_full3824.exe
"C:\Users\Admin\AppData\Local\Temp\drfone_setup_full3824.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4076
- C:\Users\Public\Documents\Wondershare\NFWCHK.exe
  C:\Users\Public\Documents\Wondershare\NFWCHK.exe
  2⤵
  - Executes dropped EXE
  PID:3688

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\d67e770523f1422f8518653d55ecdaeb /t 4944 /p 4076
1⤵
PID:2144

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Wondershare\WAE\wsWAE.log

Filesize
2KB

MD5
274750b6974dfe65de0dff60358eed16

SHA1
214df6afd00100c28ba8f4b51750d4e0a945e183

SHA256
e3c42f41b40f735be63a29dd577bf83595db63e70e5a937188907a9689281b44

SHA512
1e5b3208b8ad280b90667d5763590da78f267e042ddd57461b175e16f1aebfc5d49c33a9817b799d8a809946df62639ecfa8a14eb4b8397af510b93b7b99b546

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wondershare\WAE\wsWAE.log

Filesize
546B

MD5
4abd32e623cdaea2f1e36c6b822aaf44

SHA1
924b68060593466e0312ef3b6b2a5f9516978d8d

SHA256
e262cf4ee5b38c5dfa5ad6e2456328d89bb0b41b6f4d348e28e0bd50fe70fec4

SHA512
ee22ecb371ac1aa569c007e9d29c9bd987cc06e5ccea854110108758dc55564d17428a58538823dfb2bb1008c3a6867b83512822f36c5e4ebb46538e80e56972

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsduilib.log

Filesize
945B

MD5
bd9b6646a78d21dc32a2fefeef9f63a1

SHA1
de2b99d03e0b95e379104ea833d9d38244d6ec5b

SHA256
ded00fcdb1c2977d69923ec6ac93785f3c0d0f015063c4bc18cf69336243966d

SHA512
1398612d6d8b8459c39d612e222b645368cef32c729daade07eeffa5c7f4891b8e8cf14f775bfab69521da8cd61de0333d448dfb00022ed79c2769b834d462ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsduilib.log

Filesize
2KB

MD5
39c6145a21df59ab004f6701c070f5a0

SHA1
1f3e0d4c4e51fb4784ec1fc89122dde5a81e259f

SHA256
0dd0df178ca4efe17092f68de79131d5eb0543c8a8188233a4a0cfb708e64bba

SHA512
bfa92da8a783339994ad3c15f0d6e615a9dde45e5d6204a227b2adb0ea435d0b80b092eeee39b3016e7da677dbb3cf7cad43465f0d03237bd02a8019335bc3bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsduilib.log

Filesize
4KB

MD5
4b2d25d5d0dbde971437a0865c5ddb99

SHA1
cfe0c1e8cc0e5f80534f96b8e0bcb06027f095a1

SHA256
a0de39f65bc72b37bee5d700b0db9a094bce225edf0b3868bbc5670915bae76f

SHA512
a051b13cece9b6d629817193a05fddc95af0a6e780e40c0dac639d432d786e873aec668ac133c6f834930d99b3f6e8b55b0e61a4e94b645a36a48b779b62f8f7

Download Submit
C:\Users\Public\Documents\Wondershare\NFWCHK.exe

Filesize
7KB

MD5
27cfb3990872caa5930fa69d57aefe7b

SHA1
5e1c80d61e8db0cdc0c9b9fa3b2e36d156d45f8f

SHA256
43881549228975c7506b050bce4d9b671412d3cdc08c7516c9dbbb7f50c25146

SHA512
a1509024872c99c1cf63f42d9f3c5f063afde4e9490c21611551ddd2322d136ce9240256113c525305346cf7b66ccca84c3df67637c8fecbfeebf14ffa373a2a

Download Submit
C:\Users\Public\Documents\Wondershare\NFWCHK.exe.config

Filesize
223B

MD5
5babf2a106c883a8e216f768db99ad51

SHA1
f39e84a226dbf563ba983c6f352e68d561523c8e

SHA256
9e676a617eb0d0535ac05a67c0ae0c0e12d4e998ab55ac786a031bfc25e28300

SHA512
d4596b0aafe03673083eef12f01413b139940269255d10256cf535853225348752499325a5def803fa1189e639f4a2966a0fbb18e32fe8d27e11c81c9e19a0bb

Download Submit
memory/3688-1140-0x00007FFDBC5C0000-0x00007FFDBCF61000-memory.dmp

Filesize
9.6MB

Download
memory/3688-1143-0x000000001C400000-0x000000001C462000-memory.dmp

Filesize
392KB

Download
memory/3688-1138-0x00007FFDBC5C0000-0x00007FFDBCF61000-memory.dmp

Filesize
9.6MB

Download
memory/3688-1136-0x000000001BAF0000-0x000000001BB14000-memory.dmp

Filesize
144KB

Download
memory/3688-1139-0x000000001BB60000-0x000000001BB80000-memory.dmp

Filesize
128KB

Download
memory/3688-1141-0x000000001BB80000-0x000000001BE8E000-memory.dmp

Filesize
3.1MB

Download
memory/3688-1142-0x000000001C340000-0x000000001C389000-memory.dmp

Filesize
292KB

Download
memory/3688-1137-0x000000001BB20000-0x000000001BB38000-memory.dmp

Filesize
96KB

Download
memory/3688-1144-0x000000001C940000-0x000000001CE0E000-memory.dmp

Filesize
4.8MB

Download
memory/3688-1145-0x000000001CEB0000-0x000000001CF4C000-memory.dmp

Filesize
624KB

Download
memory/3688-1146-0x000000001C2D0000-0x000000001C2D8000-memory.dmp

Filesize
32KB

Download
memory/3688-1147-0x000000001D280000-0x000000001D2BE000-memory.dmp

Filesize
248KB

Download
memory/3688-1149-0x00007FFDBC5C0000-0x00007FFDBCF61000-memory.dmp

Filesize
9.6MB

Download
memory/3688-1135-0x00007FFDBC875000-0x00007FFDBC876000-memory.dmp

Filesize
4KB

Download