1f8c9a3874f67a64d9ffff9f73d608d62dbd93a443404d969455e03b62e5fd48

max time kernel
2s
max time network
6s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-01-2025 04:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

793KB
MD5

5b3e5ace672f4250aeb06382579d165d
SHA1

5f1d413192d92fa9a58cd5208963cda6c6c7c678
SHA256

1f8c9a3874f67a64d9ffff9f73d608d62dbd93a443404d969455e03b62e5fd48
SHA512

115551e9a8186986761c03d66928e432410b9c310f2dd862155cfddf1dd01133563a611e12998e898cbd78dce5ad8c2f4da923c5c2e3cec08d20bd38d644695c
SSDEEP

12288:d3K1Pp+lMeB8UODTAFKHMRTviTOODTAFKHMRTviTr:JK1PSMZx0FKsRTqT/0FKsRTqTr

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 348 wrote to memory of 312	348	setup.exe	85
PID 348 wrote to memory of 312	348	setup.exe	85
PID 348 wrote to memory of 312	348	setup.exe	85
PID 348 wrote to memory of 1968	348	setup.exe	86
PID 348 wrote to memory of 1968	348	setup.exe	86
PID 348 wrote to memory of 1968	348	setup.exe	86
PID 348 wrote to memory of 1616	348	setup.exe	87
PID 348 wrote to memory of 1616	348	setup.exe	87
PID 348 wrote to memory of 1616	348	setup.exe	87
PID 348 wrote to memory of 2140	348	setup.exe	88
PID 348 wrote to memory of 2140	348	setup.exe	88
PID 348 wrote to memory of 2140	348	setup.exe	88
PID 348 wrote to memory of 436	348	setup.exe	89
PID 348 wrote to memory of 436	348	setup.exe	89
PID 348 wrote to memory of 436	348	setup.exe	89
PID 348 wrote to memory of 4596	348	setup.exe	90
PID 348 wrote to memory of 4596	348	setup.exe	90
PID 348 wrote to memory of 4596	348	setup.exe	90
PID 348 wrote to memory of 3424	348	setup.exe	91
PID 348 wrote to memory of 3424	348	setup.exe	91
PID 348 wrote to memory of 3424	348	setup.exe	91
PID 348 wrote to memory of 4416	348	setup.exe	92
PID 348 wrote to memory of 4416	348	setup.exe	92
PID 348 wrote to memory of 4416	348	setup.exe	92
PID 348 wrote to memory of 4564	348	setup.exe	93
PID 348 wrote to memory of 4564	348	setup.exe	93
PID 348 wrote to memory of 4564	348	setup.exe	93
PID 348 wrote to memory of 804	348	setup.exe	94
PID 348 wrote to memory of 804	348	setup.exe	94
PID 348 wrote to memory of 804	348	setup.exe	94
PID 348 wrote to memory of 3864	348	setup.exe	95
PID 348 wrote to memory of 3864	348	setup.exe	95
PID 348 wrote to memory of 3864	348	setup.exe	95
PID 348 wrote to memory of 3456	348	setup.exe	96
PID 348 wrote to memory of 3456	348	setup.exe	96
PID 348 wrote to memory of 3456	348	setup.exe	96
PID 348 wrote to memory of 3180	348	setup.exe	97
PID 348 wrote to memory of 3180	348	setup.exe	97
PID 348 wrote to memory of 3180	348	setup.exe	97
PID 348 wrote to memory of 1476	348	setup.exe	98
PID 348 wrote to memory of 1476	348	setup.exe	98
PID 348 wrote to memory of 1476	348	setup.exe	98
PID 348 wrote to memory of 4040	348	setup.exe	99
PID 348 wrote to memory of 4040	348	setup.exe	99
PID 348 wrote to memory of 4040	348	setup.exe	99
PID 348 wrote to memory of 2360	348	setup.exe	100
PID 348 wrote to memory of 2360	348	setup.exe	100
PID 348 wrote to memory of 2360	348	setup.exe	100
PID 348 wrote to memory of 2548	348	setup.exe	101
PID 348 wrote to memory of 2548	348	setup.exe	101
PID 348 wrote to memory of 2548	348	setup.exe	101
PID 348 wrote to memory of 4212	348	setup.exe	102
PID 348 wrote to memory of 4212	348	setup.exe	102
PID 348 wrote to memory of 4212	348	setup.exe	102
PID 348 wrote to memory of 832	348	setup.exe	103
PID 348 wrote to memory of 832	348	setup.exe	103
PID 348 wrote to memory of 832	348	setup.exe	103
PID 348 wrote to memory of 1848	348	setup.exe	104
PID 348 wrote to memory of 1848	348	setup.exe	104
PID 348 wrote to memory of 1848	348	setup.exe	104
PID 348 wrote to memory of 1652	348	setup.exe	105
PID 348 wrote to memory of 1652	348	setup.exe	105
PID 348 wrote to memory of 1652	348	setup.exe	105
PID 348 wrote to memory of 3128	348	setup.exe	106

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:348
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  PID:312
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  PID:1968
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  PID:1616
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  PID:2140
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  PID:436
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  PID:4596
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  PID:3424
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  PID:4416
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  PID:4564
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  PID:804
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  PID:3864
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  PID:3456
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  PID:3180
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  PID:1476
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  PID:4040
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  PID:2360
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  PID:2548
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  PID:4212
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  PID:832
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  PID:1848
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  PID:1652
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  PID:3128
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  PID:3992
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  PID:3952
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  PID:4812
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  PID:920
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  PID:2740
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  PID:2296
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  PID:1808
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  PID:2656
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  PID:2260
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  PID:4000
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  PID:3052
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  PID:1332
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  PID:3624
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  PID:3200
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  PID:3536
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  PID:2572
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  PID:2832
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  PID:2800
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  PID:4616
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  PID:316
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  PID:4272
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  PID:2812
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  PID:5028
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  PID:3140
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  PID:3272
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  PID:452
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  PID:3144
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  PID:1164
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  PID:4104
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  PID:1432
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  PID:4364
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  PID:2700
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  PID:4592
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  PID:3588
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  PID:2416
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  PID:4900
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  PID:3084
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  PID:3700
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  PID:3896
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  PID:3784
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  PID:4528
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  PID:1992
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  PID:4804
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  PID:4740
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  PID:1596
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  PID:4640
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  PID:3252
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  PID:624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/348-0-0x0000000000470000-0x0000000000471000-memory.dmp

Filesize
4KB

Download

Resubmissions

Analysis