7684d97524795299a22680a9118a856db05b95442d6375004643ab155c14112b

Analysis

max time kernel
93s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21/11/2024, 11:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7684d97524795299a22680a9118a856db05b95442d6375004643ab155c14112b.exe
Size

2.1MB
MD5

6bab90369cd2642631b54430b8665826
SHA1

e7ab456252f720b923e4d1436814621dcc942543
SHA256

7684d97524795299a22680a9118a856db05b95442d6375004643ab155c14112b
SHA512

7d02311638f9c875bfc145306c10564e75ef722187dde2888edf4f3c43de7507d9ca98dcb4330b862e0443654d81a36457416c647e5bbefa1f20e15f72c1b032
SSDEEP

49152:fHzjmuuAnMcqfhtXXWdCwgrCTAz42v9INsEIU3B7uRNroff5Y+O:fHzjCdfad7W42lINNX

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5656	NFWCHK.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7684d97524795299a22680a9118a856db05b95442d6375004643ab155c14112b.exe

Modifies Control Panel 1 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\Desktop\MuiCached	7684d97524795299a22680a9118a856db05b95442d6375004643ab155c14112b.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
956	7684d97524795299a22680a9118a856db05b95442d6375004643ab155c14112b.exe
956	7684d97524795299a22680a9118a856db05b95442d6375004643ab155c14112b.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 956 wrote to memory of 5656	956	7684d97524795299a22680a9118a856db05b95442d6375004643ab155c14112b.exe	82
PID 956 wrote to memory of 5656	956	7684d97524795299a22680a9118a856db05b95442d6375004643ab155c14112b.exe	82

C:\Users\Admin\AppData\Local\Temp\7684d97524795299a22680a9118a856db05b95442d6375004643ab155c14112b.exe
"C:\Users\Admin\AppData\Local\Temp\7684d97524795299a22680a9118a856db05b95442d6375004643ab155c14112b.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:956
- C:\Users\Public\Documents\iSkysoft\NFWCHK.exe
  C:\Users\Public\Documents\iSkysoft\NFWCHK.exe
  2⤵
  - Executes dropped EXE
  PID:5656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Wondershare\WAE\wsWAE.log

Filesize
552B

MD5
6785b2051a6c5295990bcaa7d5cbca73

SHA1
88e80e9616f4ed27d0d5d272d830f3d573152d59

SHA256
70b2da1930975a7f0814c8bfe28ce1349dac4a82a669492ee74b849432f92163

SHA512
784627dec2c279e7a31c73cb410e24ed9174561a8bf4c86015427f07b16eae5c17e2a3da07130db5b6cb4b1181369222f61504a73e7f8290c3d21816c1290fd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsduilib.log

Filesize
22KB

MD5
25f00316b48c4374de36d4d73b117099

SHA1
dd33790830a3c7d93c7d65f1087083e232aa3f76

SHA256
ffb71d45ff8ceba86f0a8cbe88efb2c1bcf7f52b45f4d51d88c141e5a3966b45

SHA512
302ad200125be888f9b7ea7501ea3965d107d29ddacf6e0f21a1b204f31c008f9617bc6babf2d6c6ab2a15d970c1ae518eda175ffd1595b6246658d440ee0d3a

Download Submit
C:\Users\Public\Documents\iSkysoft\NFWCHK.exe

Filesize
7KB

MD5
27cfb3990872caa5930fa69d57aefe7b

SHA1
5e1c80d61e8db0cdc0c9b9fa3b2e36d156d45f8f

SHA256
43881549228975c7506b050bce4d9b671412d3cdc08c7516c9dbbb7f50c25146

SHA512
a1509024872c99c1cf63f42d9f3c5f063afde4e9490c21611551ddd2322d136ce9240256113c525305346cf7b66ccca84c3df67637c8fecbfeebf14ffa373a2a

Download Submit
C:\Users\Public\Documents\iSkysoft\NFWCHK.exe.config

Filesize
223B

MD5
5babf2a106c883a8e216f768db99ad51

SHA1
f39e84a226dbf563ba983c6f352e68d561523c8e

SHA256
9e676a617eb0d0535ac05a67c0ae0c0e12d4e998ab55ac786a031bfc25e28300

SHA512
d4596b0aafe03673083eef12f01413b139940269255d10256cf535853225348752499325a5def803fa1189e639f4a2966a0fbb18e32fe8d27e11c81c9e19a0bb

Download Submit
memory/5656-1135-0x00007FFC0DFF5000-0x00007FFC0DFF6000-memory.dmp

Filesize
4KB

Download
memory/5656-1136-0x000000001BF50000-0x000000001BF74000-memory.dmp

Filesize
144KB

Download
memory/5656-1137-0x000000001BF80000-0x000000001BF98000-memory.dmp

Filesize
96KB

Download
memory/5656-1138-0x000000001BFC0000-0x000000001BFE0000-memory.dmp

Filesize
128KB

Download
memory/5656-1139-0x00007FFC0DD40000-0x00007FFC0E6E1000-memory.dmp

Filesize
9.6MB

Download
memory/5656-1140-0x000000001BFE0000-0x000000001C2EE000-memory.dmp

Filesize
3.1MB

Download
memory/5656-1141-0x00007FFC0DD40000-0x00007FFC0E6E1000-memory.dmp

Filesize
9.6MB

Download
memory/5656-1142-0x000000001C7A0000-0x000000001C7E9000-memory.dmp

Filesize
292KB

Download
memory/5656-1143-0x000000001C860000-0x000000001C8C2000-memory.dmp

Filesize
392KB

Download
memory/5656-1144-0x000000001CDA0000-0x000000001D26E000-memory.dmp

Filesize
4.8MB

Download
memory/5656-1145-0x000000001D310000-0x000000001D3AC000-memory.dmp

Filesize
624KB

Download
memory/5656-1146-0x000000001C730000-0x000000001C738000-memory.dmp

Filesize
32KB

Download
memory/5656-1147-0x000000001D7E0000-0x000000001D81E000-memory.dmp

Filesize
248KB

Download
memory/5656-1149-0x00007FFC0DD40000-0x00007FFC0E6E1000-memory.dmp

Filesize
9.6MB

Download