e59a1eeb4f320c90c7b358f591ce6c1b7a97c1ee48bd30397c8b1c6960893bc9

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12/09/2024, 18:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e0d88f5934f1db8a15373706387dce90N.exe
Size

159KB
MD5

e0d88f5934f1db8a15373706387dce90
SHA1

3d6a633b8f7052b70cc4cc293e31bbaae7382a99
SHA256

e59a1eeb4f320c90c7b358f591ce6c1b7a97c1ee48bd30397c8b1c6960893bc9
SHA512

2602501472c2e3fb328173919e68de138d5b23b1c3e73b3d6ac25590b9a0989379ff3849aaaeb6267b5ae5c7ddadf80d2cdf0a3294f02586402ffed0ca46022f
SSDEEP

3072:wq6+ouCpk2mpcWJ0r+QNTBfz95PjQeenDc3:wldk1cWQRNTBLreo3

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e0d88f5934f1db8a15373706387dce90N.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2552 wrote to memory of 1924	2552	e0d88f5934f1db8a15373706387dce90N.exe	30
PID 2552 wrote to memory of 1924	2552	e0d88f5934f1db8a15373706387dce90N.exe	30
PID 2552 wrote to memory of 1924	2552	e0d88f5934f1db8a15373706387dce90N.exe	30
PID 2552 wrote to memory of 1924	2552	e0d88f5934f1db8a15373706387dce90N.exe	30
PID 1924 wrote to memory of 1568	1924	cmd.exe	32
PID 1924 wrote to memory of 1568	1924	cmd.exe	32
PID 1924 wrote to memory of 1568	1924	cmd.exe	32
PID 1924 wrote to memory of 1672	1924	cmd.exe	33
PID 1924 wrote to memory of 1672	1924	cmd.exe	33
PID 1924 wrote to memory of 1672	1924	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\e0d88f5934f1db8a15373706387dce90N.exe
"C:\Users\Admin\AppData\Local\Temp\e0d88f5934f1db8a15373706387dce90N.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C63C.tmp\C63D.tmp\C63E.bat C:\Users\Admin\AppData\Local\Temp\e0d88f5934f1db8a15373706387dce90N.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1924
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\EasyUEFI" /v "Email" /t REG_SZ /d "[email protected]" /f
    3⤵
    PID:1568
- - C:\Windows\system32\reg.exe
    Reg.exe add "HKLM\SOFTWARE\EasyUEFI" /v "License" /t REG_SZ /d "KV2CS7TDQZ58QHAEHVNYQEWE3W465QEUXD4H4E5EQPNY2SQF" /f
    3⤵
    PID:1672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\C63C.tmp\C63D.tmp\C63E.bat

Filesize
349B

MD5
de026db21eacd755ebc37df170efb0d4

SHA1
093660f29d2c103a96944d468c60d51ac40fd865

SHA256
979c1644e0f9d081cd3a5cdd36ee38bc7e3294af63303f6055d7d5adc211217c

SHA512
d77192000f57ad361e465f629ff990acaa0cea9f84be816426bcbe14af0b0e2e571c3bb85af41fadaede584f5132d6e91e40073be0d5b8cff134d3518fe29e6a

Download Submit