4c1fc6a16f378978da7c35f36525a4397a983255020fb709d0ad8cbe3f1e38e5

Analysis

max time kernel
95s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 08:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PL/setup331.exe
Size

2.0MB
MD5

2486b7f5f41d592ec4781b54cd828f70
SHA1

604009984d2f335a969ab447a61beec8661a99fe
SHA256

aa0a01e35fe2110068e1934eb568f5d3a41abe4b73a64a045f9a9ab8e085114c
SHA512

116cee6490ae2b631b0457c0ae328f88df74bff3b8f2b47652366cf125d22fc910733859825ed181ae547a664c15e5358c95cdd6b874c43cc426303bfd841370
SSDEEP

49152:3rBfJXAEYCT6v3vX/1AkJxopk7lDiQCv3e6rNx:3rBfKEYd3v+Ioi7Rg5x

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

setup331.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	setup331.exe

Loads dropped DLL 2 IoCs

Processes:

regsvr32.exe

pid process

3976 regsvr32.exe
3976 regsvr32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
3976	regsvr32.exe
3976	regsvr32.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

setup331.exeregsvr32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup331.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

setup331.exe

description	pid	process	target process
PID 4820 wrote to memory of 3976	4820	setup331.exe	regsvr32.exe
PID 4820 wrote to memory of 3976	4820	setup331.exe	regsvr32.exe
PID 4820 wrote to memory of 3976	4820	setup331.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\PL\setup331.exe
"C:\Users\Admin\AppData\Local\Temp\PL\setup331.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4820
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" -s MYQXM.k
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MYQXM.k

Filesize
1.8MB

MD5
942afe4b6c981193fda8ede7a57fd5bb

SHA1
62e6bb30e5a02920a3bbb1dffa7bd90d699afcd6

SHA256
99128a36e75d6739f15b1c5e8b40b5afe57740e6bf3d573c8636b26f78b2fb88

SHA512
2089221b9d554e51b016415b7e07c65ee0d76b1d3136a9424a98212ca812cb8d263d716d79cc4addca40f2c67df25ad642dfa903b6a641afba219bd9fc797955

Download Submit
memory/3976-5-0x0000000002100000-0x00000000022CA000-memory.dmp

Filesize
1.8MB

Download
memory/3976-6-0x0000000002930000-0x0000000002A5E000-memory.dmp

Filesize
1.2MB

Download
memory/3976-7-0x0000000002B90000-0x0000000002CB9000-memory.dmp

Filesize
1.2MB

Download
memory/3976-8-0x0000000002100000-0x00000000022CA000-memory.dmp

Filesize
1.8MB

Download
memory/3976-9-0x0000000002930000-0x0000000002A5E000-memory.dmp

Filesize
1.2MB

Download
memory/3976-10-0x0000000002CC0000-0x0000000002D7D000-memory.dmp

Filesize
756KB

Download
memory/3976-11-0x0000000002D80000-0x0000000002E29000-memory.dmp

Filesize
676KB

Download
memory/3976-12-0x0000000002D80000-0x0000000002E29000-memory.dmp

Filesize
676KB

Download
memory/3976-14-0x0000000002D80000-0x0000000002E29000-memory.dmp

Filesize
676KB

Download
memory/3976-15-0x0000000002D80000-0x0000000002E29000-memory.dmp

Filesize
676KB

Download
memory/3976-17-0x0000000004D20000-0x0000000004DC2000-memory.dmp

Filesize
648KB

Download
memory/3976-16-0x0000000002E30000-0x0000000004D1F000-memory.dmp

Filesize
30.9MB

Download
memory/3976-18-0x0000000004DD0000-0x0000000004E6C000-memory.dmp

Filesize
624KB

Download
memory/3976-20-0x0000000004DD0000-0x0000000004E6C000-memory.dmp

Filesize
624KB

Download
memory/3976-21-0x0000000004DD0000-0x0000000004E6C000-memory.dmp

Filesize
624KB

Download
memory/3976-23-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/3976-25-0x0000000000430000-0x0000000000434000-memory.dmp

Filesize
16KB

Download
memory/3976-31-0x0000000002B90000-0x0000000002CB9000-memory.dmp

Filesize
1.2MB

Download