08ad14ba74f393ec6c2452a1e7a17b9912660d008f2a0f7f04302e32d14d5202

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
01/08/2024, 20:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

32bwsx.exe
Size

396KB
MD5

4bdf8b86122f7a4b0788c0e1d49a3ca1
SHA1

4716bfa0f21b62dd57dba32a796a5f7651f8550a
SHA256

0e2c63949e01e88c1c0610d4ea466f4061199c34349749066d08baec9a97e439
SHA512

6d93858615882bdb758bc4cdcd244400afde25fc23b98cecb4911e5149a370f19e43c68a6086293e1e38458c1a2e1502a6724cce166bdca9e2396bfb5ceab3ba
SSDEEP

12288:X63rVv5WySvWfEXf3jFe/IrBGwSwYzbIL:QrVYyk0of3jk/wAJ

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3044	INSTALL.EXE

Loads dropped DLL 4 IoCs

pid	Process
1984	32bwsx.exe
3044	INSTALL.EXE
3044	INSTALL.EXE
3044	INSTALL.EXE

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	INSTALL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32bwsx.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3044	INSTALL.EXE
3044	INSTALL.EXE

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 3044	1984	32bwsx.exe	31
PID 1984 wrote to memory of 3044	1984	32bwsx.exe	31
PID 1984 wrote to memory of 3044	1984	32bwsx.exe	31
PID 1984 wrote to memory of 3044	1984	32bwsx.exe	31
PID 1984 wrote to memory of 3044	1984	32bwsx.exe	31
PID 1984 wrote to memory of 3044	1984	32bwsx.exe	31
PID 1984 wrote to memory of 3044	1984	32bwsx.exe	31

C:\Users\Admin\AppData\Local\Temp\32bwsx.exe
"C:\Users\Admin\AppData\Local\Temp\32bwsx.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Users\Admin\AppData\Local\Temp\WZSD597.tmp\INSTALL.EXE
  INSTALL.EXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\WZSD597.tmp\INSTALL.EXE

Filesize
332KB

MD5
65195253304179eb060cd0bf2c62debb

SHA1
9bd414d5fd0edaa3a281ab631a18b6cd5b4bf312

SHA256
26c599cfc76f81c983cf441c6d25b1814edf167c7f5dc2dc49f3ccb34a7037b1

SHA512
d6f820e6e02ba5703da4fd64c74efeae4498a1072ad728e1ad37da0c09ec42fb5f1864c7e5d927a898d0bbb683ffe1b5329dbd0e01606b92930b1e68d2a6097b

Download Submit