25163fdcf3c723cf4c8b987cc02bda9883d3227d528591ce6e4b8bd3576d06d6

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
29/08/2024, 02:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ezmsetup.exe
Size

1.4MB
MD5

81d0ef502e45826a03b689201d6e9c90
SHA1

591cd20947aad97c34ad277d744e2708ea3cb1a4
SHA256

d492da1c5b6d451174de346d8f21edc23fbce3d37d0174b236697d9053451abe
SHA512

e77fd0e40678c8ddd3384c59be2300cf94b45842a1354d0fb0661ba4545d6e7655538e173b58f53ab44757651454bb100fd949adb3b5449b3506a2b57b4f4c35
SSDEEP

24576:UC99h7sFCGEBKBS3tqi5psq1zKzTqXOjJUZOiRTcTAfZKNhT+L0/AEO6YUqE:UCBskpUkpsq1KzTriRQzNhVL1j

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
2392	ezmsetup.exe
2392	ezmsetup.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ezmsetup.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2392	ezmsetup.exe

C:\Users\Admin\AppData\Local\Temp\ezmsetup.exe
"C:\Users\Admin\AppData\Local\Temp\ezmsetup.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsy8D34.tmp\ioSpecial.ini

Filesize
708B

MD5
0c6c480362a1d91f3cc8c1cefe38a4bc

SHA1
cc71bfa52b738fc93dfedbd2ba66b76105697b7a

SHA256
9a151c3b805a03a75baad0fa28d66f7338ffa92768dc383d640bd02e56afbc87

SHA512
318a6b1fd86aa1d9d083a007a91e811de6fbb71c96606698876b408da8055e87bb454cd0f5bf862c5bf6d8d5ac4aa638e19199bd4477ccad9dc37cb827ac2d76

Download Submit
\Users\Admin\AppData\Local\Temp\nsy8D34.tmp\InstallOptions.dll

Filesize
12KB

MD5
f407939127208a009b9a825cb77ed3c7

SHA1
051d7fccf3fb544acaa8ab6be590bb4bc79cef82

SHA256
191fab998e58b66a2416873b06062166b547eb3ba06b1326a4a785a566aaf76d

SHA512
d45d08823ac7667f071b21d238b7fda43115db3195a442cb17d880d147e8a930374403c970afc31f676f01a83fb9c63e3be047de7e16718a08a1fdbe4b690901

Download Submit
\Users\Admin\AppData\Local\Temp\nsy8D34.tmp\LangDLL.dll

Filesize
5KB

MD5
c3cc2c281cb7c75ee8109bea13fc3880

SHA1
e7242cf294dd9f75ac3019c60885f2ee80d4263b

SHA256
0dd77f65cc2ce16ecb32ecbfe2da424dcf42909d3b8ccf8678ccfdc04f62f667

SHA512
0626fba394f39d7e485f3bfccfc0bfed0ce0b925d8d1b7189540aba5999b5ce75733a30b42179fc2a0f7c09db32a21d8e7cb27ce3d81f6e9a09e9df9d1f37aba

Download Submit