e9351ddc6fed8b30ea643f8a1c689138290f4ad73948a684f1735a4f85c6c668

Analysis

max time kernel
312s
max time network
313s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
06/04/2025, 04:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

USDT Token Flasher v1.2.zip
Size

5.8MB
MD5

8adbcd39b6b49c2b5909500d75edf34c
SHA1

4bf0cb3e55646aca0131bbc231ab48945e8e8fdd
SHA256

e9351ddc6fed8b30ea643f8a1c689138290f4ad73948a684f1735a4f85c6c668
SHA512

a7b48b61134a887476f65e8ce4098521ae32af3be772207309eb9abd3fefd0f508792c248ab45d394ebf076de74860651ed12932e18fad89f56b9b9f001a39fd
SSDEEP

98304:1Vk1qNvqlY+AJSqdGmwfRTYLEFR/31xoT2uDImOsQPkrHLncYDafBg:Lk1qNq5AJuRT8qJ3kNDQM7D3GfBg

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	WindowsBackupClient.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	WindowsBackupClient.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	WindowsBackupClient.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	WindowsBackupClient.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5932	WindowsBackupClient.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\USDT Token Flasher v1.2.zip"
1⤵
PID:4708

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\WindowsBackupClient.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\WindowsBackupClient.exe" -ServerName:WindowsBackup.AppX7g7ckthmr138zk16nhs1hb5tyevsa9p6.mca
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:5932

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:5828

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:1928

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:4012

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:1932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2025-4-6.445.1928.1.odl

Filesize
706B

MD5
bc18ccf5661365684a18601f1f0d991a

SHA1
221f290c5db1a465086c80f90f6eb6665df9c1d4

SHA256
c898a28372e075b2438989060109abb0d8eeaa4972fc627383fcfeaa19b7407f

SHA512
64ca380a406b0a539ef4b1b094818dc31a45e9467329422e3409118ba6a4fc330cfb10443d9b03e0614ace2101f9c3abd214f91e389dabf61937f297686c636c

Download Submit
C:\Windows\Panther\UnattendGC\diagerr.xml

Filesize
11KB

MD5
bc576681750fd99ad6df90acee5073cb

SHA1
c5dda244fa7a2fff4fdca7b40525951fde1f1e67

SHA256
5f9bf866d89aa9775e8d2ea1d5abdc25e0567bd9e1af3cae7ada8a6201c9def5

SHA512
c8dd7c8921a7dc390f38a99f062e07b39eb06b10073ab698239e30715fe0e62f3e30b77b8a226885a04855d20d39d08ca2cadbcc60f4ef227501dfbfececde67

Download Submit
C:\Windows\Panther\UnattendGC\diagwrn.xml

Filesize
12KB

MD5
f57e64715da4fa76389f58301a1b2237

SHA1
fe3529390243ee6024f9f1f0e3b68560eb56891f

SHA256
b920ff907a4c492b4927729da8a302be7975b8dc65026673c54306b4c0628000

SHA512
f1a81396b2f1ed49474b5c991459c3cb01c9795bb12bbad82210a841d79943242d495bb5449cdd866a6172860ba1939387b1ceac0e00b95423e136d9bb5edc8f

Download Submit