5a6548eb7c92c3b069bf2b2f96b6aac7419a62e83ae4d5a41236330750daf1fb

Analysis

max time kernel
140s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14/10/2024, 01:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a6548eb7c92c3b069bf2b2f96b6aac7419a62e83ae4d5a41236330750daf1fb.exe
Size

14.8MB
MD5

1282edf5fcc627e69dbd57f09c32c963
SHA1

1a032c7aa3bfeb63dde3a1f19611a26d79fb88a8
SHA256

5a6548eb7c92c3b069bf2b2f96b6aac7419a62e83ae4d5a41236330750daf1fb
SHA512

b3f6d993f2d93bd1f1fa84ce925b7dd67073bc6fda4f4b0760199226c013a7d3b4f84e3610157757847ac1865d593f9076a8efde16b664dce9dc9e4d233333d4
SSDEEP

196608:nuPCz+U7EhnZz/zKbtqNh5ih4t0dgtpN4UKJsG3Idk8r9nRRRNOMkru4XFUtf4tY:nZzkt1/2btio9d4NqiTk6zNbSu48QQi+

Score

4^/10

discovery

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Executes dropped EXE 1 IoCs

pid	Process
1268	5a6548eb7c92c3b069bf2b2f96b6aac7419a62e83ae4d5a41236330750daf1fb.tmp

Loads dropped DLL 9 IoCs

pid	Process
1268	5a6548eb7c92c3b069bf2b2f96b6aac7419a62e83ae4d5a41236330750daf1fb.tmp
1268	5a6548eb7c92c3b069bf2b2f96b6aac7419a62e83ae4d5a41236330750daf1fb.tmp
1268	5a6548eb7c92c3b069bf2b2f96b6aac7419a62e83ae4d5a41236330750daf1fb.tmp
1268	5a6548eb7c92c3b069bf2b2f96b6aac7419a62e83ae4d5a41236330750daf1fb.tmp
1268	5a6548eb7c92c3b069bf2b2f96b6aac7419a62e83ae4d5a41236330750daf1fb.tmp
1268	5a6548eb7c92c3b069bf2b2f96b6aac7419a62e83ae4d5a41236330750daf1fb.tmp
1268	5a6548eb7c92c3b069bf2b2f96b6aac7419a62e83ae4d5a41236330750daf1fb.tmp
1268	5a6548eb7c92c3b069bf2b2f96b6aac7419a62e83ae4d5a41236330750daf1fb.tmp
1268	5a6548eb7c92c3b069bf2b2f96b6aac7419a62e83ae4d5a41236330750daf1fb.tmp

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5a6548eb7c92c3b069bf2b2f96b6aac7419a62e83ae4d5a41236330750daf1fb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5a6548eb7c92c3b069bf2b2f96b6aac7419a62e83ae4d5a41236330750daf1fb.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 1268	1048	5a6548eb7c92c3b069bf2b2f96b6aac7419a62e83ae4d5a41236330750daf1fb.exe	86
PID 1048 wrote to memory of 1268	1048	5a6548eb7c92c3b069bf2b2f96b6aac7419a62e83ae4d5a41236330750daf1fb.exe	86
PID 1048 wrote to memory of 1268	1048	5a6548eb7c92c3b069bf2b2f96b6aac7419a62e83ae4d5a41236330750daf1fb.exe	86

C:\Users\Admin\AppData\Local\Temp\5a6548eb7c92c3b069bf2b2f96b6aac7419a62e83ae4d5a41236330750daf1fb.exe
"C:\Users\Admin\AppData\Local\Temp\5a6548eb7c92c3b069bf2b2f96b6aac7419a62e83ae4d5a41236330750daf1fb.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Users\Admin\AppData\Local\Temp\is-C59N1.tmp\5a6548eb7c92c3b069bf2b2f96b6aac7419a62e83ae4d5a41236330750daf1fb.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-C59N1.tmp\5a6548eb7c92c3b069bf2b2f96b6aac7419a62e83ae4d5a41236330750daf1fb.tmp" /SL5="$90070,15116467,144384,C:\Users\Admin\AppData\Local\Temp\5a6548eb7c92c3b069bf2b2f96b6aac7419a62e83ae4d5a41236330750daf1fb.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-C59N1.tmp\5a6548eb7c92c3b069bf2b2f96b6aac7419a62e83ae4d5a41236330750daf1fb.tmp

Filesize
1.1MB

MD5
a62bda7f5dda159ece162d60a5f6bbed

SHA1
5f0559e603043332d808222b0751388a9cf05818

SHA256
e554592293395c223dc5f993795bd4a5fbf8def096054282b3741f7e227043a2

SHA512
aed8f7417ac2b2cadebdf039a7b7030ea3fb7b802e7463fe8dd9016f68f1c85065360a1caf0da56dbbcbc3b510c9de9acdc22dbafb87096586a22cc1302003d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-D45B0.tmp\CheckBox.png

Filesize
1KB

MD5
b7d4c7fd2e1d5fa7fce1a8a8a1581b9d

SHA1
853b4cf14ebdfe23312ed19fad567f7d08560151

SHA256
f944f62d64956e63105fc2645c878901c447122060c20c22f4e6eb929c26cfe5

SHA512
3bf1a5b1a799cacae3d5075affec8edaddce58a46cbbbaf88118d64b1e6b64ff8bdcabfa5c2b63086a35414bbd5230756fd52807fa0df9a5bdefc880d44bcb13

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-D45B0.tmp\CloseBtn.png

Filesize
1KB

MD5
96e7e5849af19a2b5626df65771d2e9c

SHA1
92dd1e54622ec3e0757d5112ab6176f39170d382

SHA256
910a3b79c743b30f61df1da9c85d466915ceb31767c5e6ff315b332c8f57bfad

SHA512
5004e68ba1dcbb866ad90027b33dbabea5ced2810cfcffa53c0db6d0b7bc82304d9303c929aa43d4b32a0495af531343b86f4ab6a022dbba0354b76a1b7e5d30

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-D45B0.tmp\CommonBtn.png

Filesize
7KB

MD5
593394f776971eadde458a1d05ac611e

SHA1
61e4b3f48b676fc89a6eff4b1fcaf1788fa8d9d6

SHA256
ee9a06d34a7902e91445515d93ef03d8a9f7242c5385a0beb108bc6f33b43e4a

SHA512
daf96c6ff639144c5a755b7d4895ad89d3972a1107afabb4eed17724e608cbd0e80971ad26effb36583506275fbbe61cb3e0d67ca4aca330e7a96ba49da4c262

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-D45B0.tmp\FinishBtn.png

Filesize
20KB

MD5
9598c5668212128dd03cfe75f407c4e5

SHA1
06809be1d43850ab21785c3272a6202fd13ccc61

SHA256
8d05cb51ac9a413115c77f80233124819abd9412c55f2dc8789ac2039d41191c

SHA512
d728139018a45d4b32f340fe91f9477d97f1f673627b018c81bdf623a9270a71d56f472ec110ddd02c6766217979c61711ab26fb731196a3c45d71499466a38c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-D45B0.tmp\IMGLOCK.dll

Filesize
316KB

MD5
a192795517ddc7b4c88d7d38af249463

SHA1
9b28b910cd7165a60e3c98938a09255af2071ba7

SHA256
26930489f38dff95163ba6840b0b0475998e1df5b9e1e77871b258ab3d0a99fa

SHA512
c802794f9f68c6077b2a5b7b4d27c71bad51124b0b15d2748fd12bb7d9671fa8365c6d7caf3cbcc950a38cd5fe9de52d6ce1207e150c1ad0ab26a98839865673

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-D45B0.tmp\ISTask.dll

Filesize
66KB

MD5
86a1311d51c00b278cb7f27796ea442e

SHA1
ac08ac9d08f8f5380e2a9a65f4117862aa861a19

SHA256
e916bdf232744e00cbd8d608168a019c9f41a68a7e8390aa48cfb525276c483d

SHA512
129e4b8dd2665bcfc5e72b4585343c51127b5d027dbb0234291e7a197baeca1bab5ed074e65e5e8c969ee01f9f65cc52c9993037416de9bfff2f872e5aeba7ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-D45B0.tmp\MinBtn.png

Filesize
1KB

MD5
0348efb1cb0d30dff711e4700398fd15

SHA1
4e5b7b72969ac62e0ae6032930bb71367a8e2258

SHA256
48bc6e1264b4aaacdce930d8fa19a9dc6f1975bc5e57188a342e1ae5b9731eda

SHA512
8a0aa1bfbe379d212a4eb3b834464a379cc4d63784729241203a532354b55acb810f2d8a3d743daeee24137cdad56a0a029f370868fd3bd0c7633c0d493c3b99

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-D45B0.tmp\ProgressBackground.png

Filesize
3KB

MD5
7f603f018af24a2ffa8b22d9128dd97c

SHA1
9206b68df644238ca730f676ab48a4672a860955

SHA256
73fe481bcf70c98ccedf06237183da9c2f5ffe6ef1a2ee77cbf21d24c17b009f

SHA512
df80273ecc5d244f17541f7e3230b7e05d43c17edcef9e1ea9fa79ac74bb6d88d156cc650314a573158f28a57195e703752c0161c3bc201814e8ce5c2e012e2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-D45B0.tmp\SafeDSK.dll

Filesize
340KB

MD5
037466491c7103c2b3acbafa30917cbc

SHA1
902a23303d1da6c80a83cc070a89c455c5a854f9

SHA256
fe45cea8a2cd329d8473966f34c549c9ac39306e5e6a1c243d3877fcbded0084

SHA512
d1457445f916c4acb537b441c856c7442db6b565a825444470c21ef378b96b25e439e59949052e1c50d01d950ad27216ba713fdd29d6182f693f2c1e1dc3f83b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-D45B0.tmp\botva2.dll

Filesize
32KB

MD5
295832fa6400cb3407cfe84b06785531

SHA1
7068910c2e0ea7f4535c770517e29d9c2d2ee77b

SHA256
13e372c4d843603096f33603915c3f25d0e0d4475001c33ce5263bfcd1760784

SHA512
50516f9761efd14641f65bd773cfdd50c4ab0de977e094ba9227796dc319d9330321c7914243fc7dc04b5716752395f8dac8ccdfdb98ba7e5f5c1172408ce57b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-D45B0.tmp\innocallback.dll

Filesize
63KB

MD5
1c55ae5ef9980e3b1028447da6105c75

SHA1
f85218e10e6aa23b2f5a3ed512895b437e41b45c

SHA256
6afa2d104be6efe3d9a2ab96dbb75db31565dad64dd0b791e402ecc25529809f

SHA512
1ec4d52f49747b29cfd83e1a75fc6ae4101add68ada0b9add5770c10be6dffb004bb47d0854d50871ed8d77acf67d4e0445e97f0548a95c182e83b94ddf2eb6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-D45B0.tmp\install.png

Filesize
20KB

MD5
f1cceb528bfc25d1dd6dba7f09fdc4e1

SHA1
d738ebc349fbec4f3d073a3a456e0a8a53786cea

SHA256
9dbb6fa024d10ad210bd8e2aff7cdc0a58455c529cea70e3e744c31cb59b36b5

SHA512
e9a8a0c9e17ce002e3e28effb1fcdd3c07b855c3c3adece7bc21607e0d2bd458062ae4914d197ca2e4ccb7656c5fa626512db8bf509851345396171fcea03394

Download Submit
memory/1048-134-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1048-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1048-2-0x0000000000401000-0x0000000000410000-memory.dmp

Filesize
60KB

Download
memory/1268-83-0x00000000069D0000-0x00000000069E5000-memory.dmp

Filesize
84KB

Download
memory/1268-55-0x0000000003490000-0x000000000349D000-memory.dmp

Filesize
52KB

Download
memory/1268-29-0x00000000033D0000-0x00000000033E6000-memory.dmp

Filesize
88KB

Download
memory/1268-22-0x0000000003360000-0x00000000033B0000-memory.dmp

Filesize
320KB

Download
memory/1268-7-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/1268-135-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/1268-138-0x00000000069D0000-0x00000000069E5000-memory.dmp

Filesize
84KB

Download
memory/1268-137-0x0000000003490000-0x000000000349D000-memory.dmp

Filesize
52KB

Download
memory/1268-136-0x00000000033D0000-0x00000000033E6000-memory.dmp

Filesize
88KB

Download
memory/1268-140-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/1268-148-0x00000000069D0000-0x00000000069E5000-memory.dmp

Filesize
84KB

Download
memory/1268-147-0x0000000003490000-0x000000000349D000-memory.dmp

Filesize
52KB

Download
memory/1268-146-0x00000000033D0000-0x00000000033E6000-memory.dmp

Filesize
88KB

Download