27fdd21cafd2ae4866574dd164de56fdfe896dde66f8eede47266c7c4f610615

Analysis

max time kernel
119s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/08/2024, 18:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f43b7146e45f554e06dc43a8add02970N.exe
Size

89KB
MD5

f43b7146e45f554e06dc43a8add02970
SHA1

eadbcd92bd0999a5da93bf58ebb717414898914d
SHA256

27fdd21cafd2ae4866574dd164de56fdfe896dde66f8eede47266c7c4f610615
SHA512

6589d23866a03b4b63cff855e20da497e5f91b7bee08414d93330e8ce4f037e954f1d4adb96b2a86060fb1c0bb958c0cad30272daba9be6dbd4448f35c6bf041
SSDEEP

1536:jqBcjcygYu1nPyh0+mVVxlX9qNlmDWhX4eUH9AwkD2YelJ2OzI/8:jqBG0+4xlX9qNlmWhjUGwpd

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2060	murzuja.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
30	icanhazip.com

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f43b7146e45f554e06dc43a8add02970N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	murzuja.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4532 wrote to memory of 2060	4532	f43b7146e45f554e06dc43a8add02970N.exe	84
PID 4532 wrote to memory of 2060	4532	f43b7146e45f554e06dc43a8add02970N.exe	84
PID 4532 wrote to memory of 2060	4532	f43b7146e45f554e06dc43a8add02970N.exe	84

C:\Users\Admin\AppData\Local\Temp\f43b7146e45f554e06dc43a8add02970N.exe
"C:\Users\Admin\AppData\Local\Temp\f43b7146e45f554e06dc43a8add02970N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4532
- C:\Users\Admin\AppData\Local\Temp\murzuja.exe
  C:\Users\Admin\AppData\Local\Temp\murzuja.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\murzuja.exe

Filesize
89KB

MD5
409dea74df0d21ab90df1add8945d702

SHA1
b1c326e2ebbad8c0b3af433d98c74af9cdbfb090

SHA256
a979f7904e1343aef413e1ecaa8bf00d601e3bdeca097b8c26523d36a49cf060

SHA512
8331711bbef9fed843933741d5beec1febfe1888d490d83c4b4dc79d0646bd24eb904ac682a5e32a9199a76e755971b1cd5a9b6a3be6ec8edcbc51807ed6b88e

Download Submit
memory/2060-5-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2060-6-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4532-0-0x0000000000401000-0x0000000000404000-memory.dmp

Filesize
12KB

Download