db3c57e1b733bedfa3def09cb000fd4bd1918dcbedc545a5be90bd0fee4bfde7

Analysis

max time kernel
135s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
10-10-2023 21:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

42814dec4f6211a12ba3524aa0b4949e_JC.exe
Size

208KB
MD5

42814dec4f6211a12ba3524aa0b4949e
SHA1

55054838b5fb7405d414a175aa854d49811f266f
SHA256

db3c57e1b733bedfa3def09cb000fd4bd1918dcbedc545a5be90bd0fee4bfde7
SHA512

0dff7c6172801cf0d4382845f8444508b69c40a38825c8611d352fc94bee68b848aab81bb72737c85d71c7a5f24cbf1b159e671db71e7c77b64111d71fa66614
SSDEEP

3072:7BAFpE3MG2YP6/U7hJcoW+y9mLQl/oJNXBp7H6WTM4NLthEjQT6j:7BAFpE3MM687hJcnWQ5ozXBllMQEj1

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	KZWE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	BZW.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	42814dec4f6211a12ba3524aa0b4949e_JC.exe

Executes dropped EXE 3 IoCs

pid	Process
2304	KZWE.exe
2764	BZW.exe
3788	VMAHS.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\windows\SysWOW64\KZWE.exe	42814dec4f6211a12ba3524aa0b4949e_JC.exe
File opened for modification	C:\windows\SysWOW64\KZWE.exe	42814dec4f6211a12ba3524aa0b4949e_JC.exe
File created	C:\windows\SysWOW64\KZWE.exe.bat	42814dec4f6211a12ba3524aa0b4949e_JC.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\windows\VMAHS.exe	BZW.exe
File created	C:\windows\VMAHS.exe.bat	BZW.exe
File created	C:\windows\system\BZW.exe	KZWE.exe
File opened for modification	C:\windows\system\BZW.exe	KZWE.exe
File created	C:\windows\system\BZW.exe.bat	KZWE.exe
File created	C:\windows\VMAHS.exe	BZW.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
5012	4580	WerFault.exe	86
2664	2304	WerFault.exe	93
5112	2764	WerFault.exe	99
2756	3788	WerFault.exe	104

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4580	42814dec4f6211a12ba3524aa0b4949e_JC.exe
4580	42814dec4f6211a12ba3524aa0b4949e_JC.exe
2304	KZWE.exe
2304	KZWE.exe
2764	BZW.exe
2764	BZW.exe
3788	VMAHS.exe
3788	VMAHS.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4580	42814dec4f6211a12ba3524aa0b4949e_JC.exe
4580	42814dec4f6211a12ba3524aa0b4949e_JC.exe
2304	KZWE.exe
2304	KZWE.exe
2764	BZW.exe
2764	BZW.exe
3788	VMAHS.exe
3788	VMAHS.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4580 wrote to memory of 1720	4580	42814dec4f6211a12ba3524aa0b4949e_JC.exe	92
PID 4580 wrote to memory of 1720	4580	42814dec4f6211a12ba3524aa0b4949e_JC.exe	92
PID 4580 wrote to memory of 1720	4580	42814dec4f6211a12ba3524aa0b4949e_JC.exe	92
PID 1720 wrote to memory of 2304	1720	cmd.exe	93
PID 1720 wrote to memory of 2304	1720	cmd.exe	93
PID 1720 wrote to memory of 2304	1720	cmd.exe	93
PID 2304 wrote to memory of 4732	2304	KZWE.exe	97
PID 2304 wrote to memory of 4732	2304	KZWE.exe	97
PID 2304 wrote to memory of 4732	2304	KZWE.exe	97
PID 4732 wrote to memory of 2764	4732	cmd.exe	99
PID 4732 wrote to memory of 2764	4732	cmd.exe	99
PID 4732 wrote to memory of 2764	4732	cmd.exe	99
PID 2764 wrote to memory of 4068	2764	BZW.exe	103
PID 2764 wrote to memory of 4068	2764	BZW.exe	103
PID 2764 wrote to memory of 4068	2764	BZW.exe	103
PID 4068 wrote to memory of 3788	4068	cmd.exe	104
PID 4068 wrote to memory of 3788	4068	cmd.exe	104
PID 4068 wrote to memory of 3788	4068	cmd.exe	104

C:\Users\Admin\AppData\Local\Temp\42814dec4f6211a12ba3524aa0b4949e_JC.exe
"C:\Users\Admin\AppData\Local\Temp\42814dec4f6211a12ba3524aa0b4949e_JC.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4580
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\windows\system32\KZWE.exe.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\windows\SysWOW64\KZWE.exe
    C:\windows\system32\KZWE.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2304
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\system\BZW.exe.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4732
    - - C:\windows\system\BZW.exe
        
        C:\windows\system\BZW.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2764
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 1016
        6⤵
        Program crash
        
        PID:5112
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\VMAHS.exe.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4068
        
        C:\windows\VMAHS.exe
        
        C:\windows\VMAHS.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3788
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3788 -s 852
        8⤵
        Program crash
        
        PID:2756
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2304 -s 1336
      4⤵
      Program crash
      PID:2664
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4580 -s 976
  2⤵
  - Program crash
  PID:5012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4580 -ip 4580
1⤵
PID:1880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2304 -ip 2304
1⤵
PID:4352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2764 -ip 2764
1⤵
PID:2384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 3788 -ip 3788
1⤵
PID:1780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\KZWE.exe

Filesize
208KB

MD5
22d35848e176a510a99cfa57190e60e1

SHA1
fad0d3e0b8e9caf4abc19dc9de0fef8fc0115f95

SHA256
a91bb3a8b24c387930c7a565f00c66db401169516102c4fffe3653447263acb0

SHA512
74a08d22605aebec5800b5b884da4bcfb25380d326363c26fb67eb122558269ca8adb07838d22824067e522b9b5d4b4fe5b6280e51112eba36a3fd6de4fb1d47

Download Submit
C:\Windows\System\BZW.exe

Filesize
208KB

MD5
12b4c8cd0e10e1e626cf4ce77cd2dd74

SHA1
2204eba875322373c5c875418a6c89ee1de4608e

SHA256
32c91282eceaf738e31c87f62d24a9159a03734a0d684421a50a17bb0f951ffe

SHA512
17eb026eafebd2f2889e05f71c63df24c089a2f5802b82ff6ee3c0f23dfa01127e68a17bc5952d5e8152d068f873b9ab1729dcd43943c361a1d051ff988792e8

Download Submit
C:\Windows\System\BZW.exe

Filesize
208KB

MD5
773cd3f3a4e0555a88f7ebf8fadb8c34

SHA1
ecb857b8266bdd4635db490034cebd5a24860431

SHA256
f05d098ef7c82c5e7ef5e8cb0599d46b71752caeb43b865a930cba15bff00b81

SHA512
9376fdc09a33d878c3e5f350dd94a4017e0953fab877074457eebec59c900af1221845c0b47e796e7922d92fc3bf21f1b759da5d8c49d40e71fe1e56c1531cb1

Download Submit
C:\Windows\VMAHS.exe

Filesize
208KB

MD5
773cd3f3a4e0555a88f7ebf8fadb8c34

SHA1
ecb857b8266bdd4635db490034cebd5a24860431

SHA256
f05d098ef7c82c5e7ef5e8cb0599d46b71752caeb43b865a930cba15bff00b81

SHA512
9376fdc09a33d878c3e5f350dd94a4017e0953fab877074457eebec59c900af1221845c0b47e796e7922d92fc3bf21f1b759da5d8c49d40e71fe1e56c1531cb1

Download Submit
C:\windows\SysWOW64\KZWE.exe

Filesize
208KB

MD5
22d35848e176a510a99cfa57190e60e1

SHA1
fad0d3e0b8e9caf4abc19dc9de0fef8fc0115f95

SHA256
a91bb3a8b24c387930c7a565f00c66db401169516102c4fffe3653447263acb0

SHA512
74a08d22605aebec5800b5b884da4bcfb25380d326363c26fb67eb122558269ca8adb07838d22824067e522b9b5d4b4fe5b6280e51112eba36a3fd6de4fb1d47

Download Submit
C:\windows\SysWOW64\KZWE.exe.bat

Filesize
72B

MD5
4bca6e5f480ad649698d9744320aede1

SHA1
b93c36f2668c69afb95ca16c2429ffddee57b93b

SHA256
9cb3bb5fef1c4f7cb05c9e75bd464c36e7394bb1ce744fe530a91912619c3aed

SHA512
9eea35c76b370628d174cf78e203232033850b3cab78ee2fa6f961ba28f0c0fd04a4bb4812fd12a2015af500da28ba88adf2507b64b55f21edebf0fa69f5bb07

Download Submit
C:\windows\VMAHS.exe

Filesize
208KB

MD5
773cd3f3a4e0555a88f7ebf8fadb8c34

SHA1
ecb857b8266bdd4635db490034cebd5a24860431

SHA256
f05d098ef7c82c5e7ef5e8cb0599d46b71752caeb43b865a930cba15bff00b81

SHA512
9376fdc09a33d878c3e5f350dd94a4017e0953fab877074457eebec59c900af1221845c0b47e796e7922d92fc3bf21f1b759da5d8c49d40e71fe1e56c1531cb1

Download Submit
C:\windows\VMAHS.exe.bat

Filesize
56B

MD5
d1830043a36b45610080243fd96fe683

SHA1
0fe941262e6391fac3b35e9276aaba6d54dfe3ff

SHA256
6ab0aa9f458f59a3e869846025225f69b788b2c3db75cf7f6f415026d35b81b8

SHA512
7c9e415c570824b99c149e97c5237a1c31daaad671d833337934334c8f405399956f76731685ed1318e78b482a56878aac6e3dc35f97ab4729bcd273a51d7677

Download Submit
C:\windows\system\BZW.exe

Filesize
208KB

MD5
773cd3f3a4e0555a88f7ebf8fadb8c34

SHA1
ecb857b8266bdd4635db490034cebd5a24860431

SHA256
f05d098ef7c82c5e7ef5e8cb0599d46b71752caeb43b865a930cba15bff00b81

SHA512
9376fdc09a33d878c3e5f350dd94a4017e0953fab877074457eebec59c900af1221845c0b47e796e7922d92fc3bf21f1b759da5d8c49d40e71fe1e56c1531cb1

Download Submit
C:\windows\system\BZW.exe.bat

Filesize
66B

MD5
621d9fc5305d6988ee4c5a37e0d0d085

SHA1
aaeaac1988558690f2b7719bed97d247269fee86

SHA256
c40ef4a21b0ab5dffd1fd70495c112fdbfe7260b1202c933380d81d320a2d452

SHA512
a5408084dac9d8c9b2e26e54cf8286151cf9b24a40a777161128bc83a9b980656394f2c965371b1d8f429b0d3eca937e4b7087af33ba825f82a7c720fb88ae48

Download Submit
memory/2304-10-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2304-37-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2764-22-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2764-36-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3788-32-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3788-34-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4580-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4580-35-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download