55b920c636fdba7c4343d60801d4c0c2bfe29100131963407b85eed9e1a1ea4a

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2024 18:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

texttvieww321.exe
Size

1.3MB
MD5

7dd3986b7546f3f40d22a60aa2ff6023
SHA1

b47f96c5ae85a3ee7c571074208bfaa7a968f673
SHA256

919a696629c2c0dd9679be7630ada2b1e1173da3bce748980b07fa360872f727
SHA512

5d95b02b8c626912ede55080579032aeafa969d3a95f1842570c00e514bc5b0fb1b31825b393148bafad99f05406d97458d93e79cc12bbff91b6d2c9a151626d
SSDEEP

24576:iAOcZXp0wL/6dqr+LXTcpsBIUkjPV99npuezy71oporahr:ocb6EcjAsBIUkj9fZe6Gs

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	texttvieww321.exe

Executes dropped EXE 1 IoCs

pid	Process
4676	qhsgapmlc.pif

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4676 set thread context of 4572	4676	qhsgapmlc.pif	86

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1872	4572	WerFault.exe	86

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	texttvieww321.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qhsgapmlc.pif

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 4676	1996	texttvieww321.exe	83
PID 1996 wrote to memory of 4676	1996	texttvieww321.exe	83
PID 1996 wrote to memory of 4676	1996	texttvieww321.exe	83
PID 4676 wrote to memory of 3332	4676	qhsgapmlc.pif	85
PID 4676 wrote to memory of 3332	4676	qhsgapmlc.pif	85
PID 4676 wrote to memory of 3332	4676	qhsgapmlc.pif	85
PID 4676 wrote to memory of 4572	4676	qhsgapmlc.pif	86
PID 4676 wrote to memory of 4572	4676	qhsgapmlc.pif	86
PID 4676 wrote to memory of 4572	4676	qhsgapmlc.pif	86
PID 4676 wrote to memory of 4572	4676	qhsgapmlc.pif	86

C:\Users\Admin\AppData\Local\Temp\texttvieww321.exe
"C:\Users\Admin\AppData\Local\Temp\texttvieww321.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1996
- C:\5_94\qhsgapmlc.pif
  "C:\5_94\qhsgapmlc.pif" ecpkjs.qsf
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4676
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:3332
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:4572
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 80
      4⤵
      Program crash
      PID:1872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4572 -ip 4572
1⤵
PID:3524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\5_94\qhsgapmlc.pif

Filesize
1.7MB

MD5
dd3466f64841cf21fc31f63f03dbfd29

SHA1
3878c8e52203d792c6f672595f7c78ab27ce3f04

SHA256
4fe3004208ed574521992dd1ba3d900b75a0f02f1d63ba1e531d309e85ffa06b

SHA512
adf3fe8378f7da5ba278db9a1df4cc7b5cff12398ec39ee7037382ebf57897de8bec72be64b5e7332bdb7ed865788dcb6ef4ceda6654e1153d39fe84b011b057

Download Submit
C:\5_94\sbdrrq.icm

Filesize
42KB

MD5
74f0a1e094a0e4dfafddc8ffad0281c2

SHA1
6e301e6295a2a7073925a615dd0ab9493e08ab96

SHA256
e1c7a07ac5091d6e100c1adae42f1bc477fcc83964fc9d9480a6cfb92b3422d9

SHA512
285914c6200cf404b713d360dad52debd4e1b26d6a70d9a4047a5a04c1e0680054fe47bb428d930b5b11e10625ae7cf5e1b56b27559fe9e336c64bddc56add8c

Download Submit
C:\5_94\tvumqgrjj.ito

Filesize
370KB

MD5
4ca051baad26f8de38acaa35afc79a4b

SHA1
c30cba02cd6d2a74695fd64ebc843ba0af323b7f

SHA256
800dffba7fc8898f854898cb42293e2aad08b7e3d406e5e6898001a7b31d3568

SHA512
9e52ce4464bbed6450bef925dc77a3b7374d15ca47d855d8fde991763afd0c10c61c210039f515d18df42f01d8f4baa54094396d18ab73c3a06de88e4b2f3f12

Download Submit