4411e10e8b76657e09ada62672cde602a6706f9301a4bff92423b7c368286f22

Analysis

max time kernel
102s
max time network
113s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
20/09/2024, 23:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4411e10e8b76657e09ada62672cde602a6706f9301a4bff92423b7c368286f22N.exe
Size

75KB
MD5

bcd62c3209e157143f3eb5827fa99d70
SHA1

c5acf2c5f8eedc43fea907edea0b39c10ea0faca
SHA256

4411e10e8b76657e09ada62672cde602a6706f9301a4bff92423b7c368286f22
SHA512

16f27c7b6bc0a7659d5a7854e86ba6581caeeacb7dd61be4ddbfba529d6b528d13e74665f36fb06bf979e0e8dde1be3bb791eeaf3d55daf684be6ac02ec488de
SSDEEP

1536:UyqAXcrg4uQHPSC/+C4O1xLXuGNl7DDhlQeU79WwxF39c:U3B/+UxLXuGNlHDhpUkwO

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2028	murzuja.exe

Loads dropped DLL 1 IoCs

pid	Process
2384	4411e10e8b76657e09ada62672cde602a6706f9301a4bff92423b7c368286f22N.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	icanhazip.com

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4411e10e8b76657e09ada62672cde602a6706f9301a4bff92423b7c368286f22N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	murzuja.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2028	2384	4411e10e8b76657e09ada62672cde602a6706f9301a4bff92423b7c368286f22N.exe	30
PID 2384 wrote to memory of 2028	2384	4411e10e8b76657e09ada62672cde602a6706f9301a4bff92423b7c368286f22N.exe	30
PID 2384 wrote to memory of 2028	2384	4411e10e8b76657e09ada62672cde602a6706f9301a4bff92423b7c368286f22N.exe	30
PID 2384 wrote to memory of 2028	2384	4411e10e8b76657e09ada62672cde602a6706f9301a4bff92423b7c368286f22N.exe	30

C:\Users\Admin\AppData\Local\Temp\4411e10e8b76657e09ada62672cde602a6706f9301a4bff92423b7c368286f22N.exe
"C:\Users\Admin\AppData\Local\Temp\4411e10e8b76657e09ada62672cde602a6706f9301a4bff92423b7c368286f22N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Users\Admin\AppData\Local\Temp\murzuja.exe
  C:\Users\Admin\AppData\Local\Temp\murzuja.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\murzuja.exe

Filesize
76KB

MD5
ce392f947de173ce1b7fcc4fc36badf3

SHA1
91bb7ccdd96040ddc72a78a8641c053680ba54b2

SHA256
b3069097868cef581d5b95222e49e48942a3c61163d1cf6f6849527568268aeb

SHA512
5f1978eda6d5f817e4e35b853de1298c223216900d3ff6c1348599f6ea554eaf390b5d4732c47d5323a40b4e8aede2d28bc62c2fb41a7a8a8a657981667c3370

Download Submit
memory/2028-6-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2384-1-0x0000000000401000-0x0000000000404000-memory.dmp

Filesize
12KB

Download