0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
23-07-2024 14:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe
Size

2.3MB
MD5

010d3ed12031239d3f314f66bb28d58d
SHA1

9daa168735a3f72e715f87d952a18f6c8f00238c
SHA256

0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87
SHA512

07234248dcb4d331e15bc102d83442723e5c887ded4cb8b9a66a288ea72560b7b85c169e08d192a035ff757dc8b0efdb555af97e7171bb378d17cd1c35a4e863
SSDEEP

49152:MJ8U/HLU3Yp7dPM8V/HLU3Yp7CgUxK3h7/SEyIas8JWsa6HdLm:MJ8U/HQ3r8V/HQ3BbxKxD9jXsj9Lm

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

description	pid	Process	procid_target
PID 3020 wrote to memory of 2948	3020	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe	31
PID 3020 wrote to memory of 2948	3020	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe	31
PID 3020 wrote to memory of 2948	3020	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe	31
PID 3020 wrote to memory of 2948	3020	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe	31
PID 2948 wrote to memory of 3032	2948	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe	32
PID 2948 wrote to memory of 3032	2948	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe	32
PID 2948 wrote to memory of 3032	2948	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe	32
PID 2948 wrote to memory of 3032	2948	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe	32
PID 3032 wrote to memory of 2716	3032	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe	33
PID 3032 wrote to memory of 2716	3032	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe	33
PID 3032 wrote to memory of 2716	3032	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe	33
PID 3032 wrote to memory of 2716	3032	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe	33
PID 2716 wrote to memory of 2844	2716	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe	34
PID 2716 wrote to memory of 2844	2716	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe	34
PID 2716 wrote to memory of 2844	2716	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe	34
PID 2716 wrote to memory of 2844	2716	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe	34
PID 2844 wrote to memory of 2732	2844	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe	35
PID 2844 wrote to memory of 2732	2844	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe	35
PID 2844 wrote to memory of 2732	2844	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe	35
PID 2844 wrote to memory of 2732	2844	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe	35
PID 2732 wrote to memory of 2724	2732	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe	36
PID 2732 wrote to memory of 2724	2732	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe	36
PID 2732 wrote to memory of 2724	2732	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe	36
PID 2732 wrote to memory of 2724	2732	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe	36
PID 2724 wrote to memory of 2800	2724	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe	37
PID 2724 wrote to memory of 2800	2724	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe	37
PID 2724 wrote to memory of 2800	2724	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe	37
PID 2724 wrote to memory of 2800	2724	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe	37
PID 2800 wrote to memory of 2872	2800	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe	38
PID 2800 wrote to memory of 2872	2800	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe	38
PID 2800 wrote to memory of 2872	2800	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe	38
PID 2800 wrote to memory of 2872	2800	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe	38
PID 2872 wrote to memory of 2640	2872	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe	39
PID 2872 wrote to memory of 2640	2872	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe	39
PID 2872 wrote to memory of 2640	2872	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe	39
PID 2872 wrote to memory of 2640	2872	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe	39
PID 2640 wrote to memory of 3044	2640	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe	40
PID 2640 wrote to memory of 3044	2640	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe	40
PID 2640 wrote to memory of 3044	2640	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe	40
PID 2640 wrote to memory of 3044	2640	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe	40
PID 3044 wrote to memory of 652	3044	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe	41
PID 3044 wrote to memory of 652	3044	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe	41
PID 3044 wrote to memory of 652	3044	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe	41
PID 3044 wrote to memory of 652	3044	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe	41
PID 652 wrote to memory of 1896	652	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe	42
PID 652 wrote to memory of 1896	652	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe	42
PID 652 wrote to memory of 1896	652	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe	42
PID 652 wrote to memory of 1896	652	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe	42
PID 1896 wrote to memory of 1716	1896	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe	43
PID 1896 wrote to memory of 1716	1896	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe	43
PID 1896 wrote to memory of 1716	1896	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe	43
PID 1896 wrote to memory of 1716	1896	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe	43
PID 1716 wrote to memory of 1596	1716	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe	44
PID 1716 wrote to memory of 1596	1716	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe	44
PID 1716 wrote to memory of 1596	1716	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe	44
PID 1716 wrote to memory of 1596	1716	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe	44
PID 1596 wrote to memory of 1328	1596	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe	45
PID 1596 wrote to memory of 1328	1596	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe	45
PID 1596 wrote to memory of 1328	1596	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe	45
PID 1596 wrote to memory of 1328	1596	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe	45
PID 1328 wrote to memory of 1748	1328	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe	46
PID 1328 wrote to memory of 1748	1328	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe	46
PID 1328 wrote to memory of 1748	1328	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe	46
PID 1328 wrote to memory of 1748	1328	0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe	46

C:\Users\Admin\AppData\Local\Temp\0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe
"C:\Users\Admin\AppData\Local\Temp\0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Users\Admin\AppData\Local\Temp\0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe
  "C:\Users\Admin\AppData\Local\Temp\0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Users\Admin\AppData\Local\Temp\0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe
    "C:\Users\Admin\AppData\Local\Temp\0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3032
  - - C:\Users\Admin\AppData\Local\Temp\0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe
      "C:\Users\Admin\AppData\Local\Temp\0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2716
    - - C:\Users\Admin\AppData\Local\Temp\0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2844
      - C:\Users\Admin\AppData\Local\Temp\0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe"
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe"
        9⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe"
        10⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe"
        11⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe"
        12⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:652
        
        C:\Users\Admin\AppData\Local\Temp\0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe"
        13⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe"
        14⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe"
        15⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe"
        16⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe
        
        "C:\Users\Admin\AppData\Local\Temp\0e63ba9976f0a65f778b70c452659aff5b2845c212d58b2583a4c90363626b87.exe"
        17⤵
        
        PID:1748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads