abc2f5e61e9dbb472540fab1598b31438c9dcdb67342bc22774390407e233cf7

Analysis

max time kernel
16s
max time network
16s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22/08/2024, 11:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

328aa503fe04d3abe1ddd79c4436b4c0N.exe
Size

208KB
MD5

328aa503fe04d3abe1ddd79c4436b4c0
SHA1

6bf205f9ce6136d88de54f8bf1e035af02ba55ec
SHA256

abc2f5e61e9dbb472540fab1598b31438c9dcdb67342bc22774390407e233cf7
SHA512

33fa795b92f260454099f1010b46b2b2d34d212e01e9ad4d8934560312bb985758efb4c8503b1bb933ba9dc3c42a74d1d3321352fe0b69fd2fdc683f206940c1
SSDEEP

6144:if3TXJMuE+wsyKhu7URYczeJteUbcQEj:eTJkRsrhu4WckteUbcQ

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2144	ZWRAVJ.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\windows\ZWRAVJ.exe	328aa503fe04d3abe1ddd79c4436b4c0N.exe
File opened for modification	C:\windows\ZWRAVJ.exe	328aa503fe04d3abe1ddd79c4436b4c0N.exe
File created	C:\windows\ZWRAVJ.exe.bat	328aa503fe04d3abe1ddd79c4436b4c0N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	328aa503fe04d3abe1ddd79c4436b4c0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ZWRAVJ.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2504	328aa503fe04d3abe1ddd79c4436b4c0N.exe
2504	328aa503fe04d3abe1ddd79c4436b4c0N.exe
2144	ZWRAVJ.exe
2144	ZWRAVJ.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2504	328aa503fe04d3abe1ddd79c4436b4c0N.exe
2504	328aa503fe04d3abe1ddd79c4436b4c0N.exe
2144	ZWRAVJ.exe
2144	ZWRAVJ.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 2508	2504	328aa503fe04d3abe1ddd79c4436b4c0N.exe	30
PID 2504 wrote to memory of 2508	2504	328aa503fe04d3abe1ddd79c4436b4c0N.exe	30
PID 2504 wrote to memory of 2508	2504	328aa503fe04d3abe1ddd79c4436b4c0N.exe	30
PID 2504 wrote to memory of 2508	2504	328aa503fe04d3abe1ddd79c4436b4c0N.exe	30
PID 2508 wrote to memory of 2144	2508	cmd.exe	32
PID 2508 wrote to memory of 2144	2508	cmd.exe	32
PID 2508 wrote to memory of 2144	2508	cmd.exe	32
PID 2508 wrote to memory of 2144	2508	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\328aa503fe04d3abe1ddd79c4436b4c0N.exe
"C:\Users\Admin\AppData\Local\Temp\328aa503fe04d3abe1ddd79c4436b4c0N.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\windows\ZWRAVJ.exe.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\windows\ZWRAVJ.exe
    C:\windows\ZWRAVJ.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\ZWRAVJ.exe.bat

Filesize
58B

MD5
feb232e4628b09df2e803eabe3ba4c8e

SHA1
62001f0bceba1dbb63e3ccb3e3a3f4dde7008bbf

SHA256
4fa67bd50e09ee6be25bf6f243942bfca892bd8499dbe44ab5e231a0cab5e705

SHA512
7e3918cc61f4aa3262ec38116aef2c4d0137407a467434f23faed7c75e8fed47c2d29725b62cf781038fcaa1588a9ceeb66f849320ac263b47700435a6a8b544

Download Submit
C:\windows\ZWRAVJ.exe

Filesize
208KB

MD5
2d9ca43e6c6e929a32da33f7a05ebd4b

SHA1
742af0ae82e560635cdcd53d58601052b9bb254d

SHA256
928da8ba3c33d486d998cdabef46464b6adac62c112d77884c53e697319b4001

SHA512
6621dfae84739ffa6df295c641d190b72cd186a50bc12b39d96948ccdf5ce853f5b45e58fa8ec60311aa2de83a36884a046f48f84a6a82f717567840ae624023

Download Submit
memory/2144-18-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2144-19-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2504-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2504-12-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2508-16-0x0000000000110000-0x0000000000148000-memory.dmp

Filesize
224KB

Download
memory/2508-15-0x0000000000110000-0x0000000000148000-memory.dmp

Filesize
224KB

Download