62a46e42bf9d5a9beb38d64b16757083dfd4cfe3e069409ffdb6c315ab6c28a1

Analysis

max time kernel
15s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/09/2024, 02:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

62a46e42bf9d5a9beb38d64b16757083dfd4cfe3e069409ffdb6c315ab6c28a1N.exe
Size

5.4MB
MD5

b5c6318c46a0b258046b0e0e955e2530
SHA1

9b8736675d250558f5d243edc1c26db5427d3f10
SHA256

62a46e42bf9d5a9beb38d64b16757083dfd4cfe3e069409ffdb6c315ab6c28a1
SHA512

317b3f655ac248e8cbf3a62cf215ebd94c79c0d84db6d86b22bf2c73d333f3097270cfc60c0d01be13cfd5644008d92493393ab2bf913bbb177e5446695783e7
SSDEEP

98304:iJH5pH+H8H1pH+H/+H+H/XBHXH/XxBHcpH+H8HBHHcpH+H8UHZpH+H8Hs+H8UHZE:8ZpecVpeWefB3fxB8pechH8pecU5pecg

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2688	vzaxicu.exe

Loads dropped DLL 2 IoCs

pid	Process
1284	62a46e42bf9d5a9beb38d64b16757083dfd4cfe3e069409ffdb6c315ab6c28a1N.exe
1284	62a46e42bf9d5a9beb38d64b16757083dfd4cfe3e069409ffdb6c315ab6c28a1N.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1284-0-0x0000000000400000-0x000000000047E000-memory.dmp	upx
behavioral1/files/0x0009000000012281-4.dat	upx
behavioral1/memory/1284-109682-0x0000000000400000-0x000000000047E000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1284 set thread context of 2688	1284	62a46e42bf9d5a9beb38d64b16757083dfd4cfe3e069409ffdb6c315ab6c28a1N.exe	30

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	62a46e42bf9d5a9beb38d64b16757083dfd4cfe3e069409ffdb6c315ab6c28a1N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1284 wrote to memory of 2688	1284	62a46e42bf9d5a9beb38d64b16757083dfd4cfe3e069409ffdb6c315ab6c28a1N.exe	30
PID 1284 wrote to memory of 2688	1284	62a46e42bf9d5a9beb38d64b16757083dfd4cfe3e069409ffdb6c315ab6c28a1N.exe	30
PID 1284 wrote to memory of 2688	1284	62a46e42bf9d5a9beb38d64b16757083dfd4cfe3e069409ffdb6c315ab6c28a1N.exe	30
PID 1284 wrote to memory of 2688	1284	62a46e42bf9d5a9beb38d64b16757083dfd4cfe3e069409ffdb6c315ab6c28a1N.exe	30
PID 1284 wrote to memory of 2688	1284	62a46e42bf9d5a9beb38d64b16757083dfd4cfe3e069409ffdb6c315ab6c28a1N.exe	30
PID 1284 wrote to memory of 2688	1284	62a46e42bf9d5a9beb38d64b16757083dfd4cfe3e069409ffdb6c315ab6c28a1N.exe	30
PID 1284 wrote to memory of 2688	1284	62a46e42bf9d5a9beb38d64b16757083dfd4cfe3e069409ffdb6c315ab6c28a1N.exe	30
PID 1284 wrote to memory of 2688	1284	62a46e42bf9d5a9beb38d64b16757083dfd4cfe3e069409ffdb6c315ab6c28a1N.exe	30
PID 1284 wrote to memory of 2688	1284	62a46e42bf9d5a9beb38d64b16757083dfd4cfe3e069409ffdb6c315ab6c28a1N.exe	30
PID 1284 wrote to memory of 2688	1284	62a46e42bf9d5a9beb38d64b16757083dfd4cfe3e069409ffdb6c315ab6c28a1N.exe	30
PID 1284 wrote to memory of 2688	1284	62a46e42bf9d5a9beb38d64b16757083dfd4cfe3e069409ffdb6c315ab6c28a1N.exe	30
PID 1284 wrote to memory of 2688	1284	62a46e42bf9d5a9beb38d64b16757083dfd4cfe3e069409ffdb6c315ab6c28a1N.exe	30
PID 1284 wrote to memory of 2688	1284	62a46e42bf9d5a9beb38d64b16757083dfd4cfe3e069409ffdb6c315ab6c28a1N.exe	30
PID 1284 wrote to memory of 2688	1284	62a46e42bf9d5a9beb38d64b16757083dfd4cfe3e069409ffdb6c315ab6c28a1N.exe	30
PID 1284 wrote to memory of 2688	1284	62a46e42bf9d5a9beb38d64b16757083dfd4cfe3e069409ffdb6c315ab6c28a1N.exe	30
PID 1284 wrote to memory of 2688	1284	62a46e42bf9d5a9beb38d64b16757083dfd4cfe3e069409ffdb6c315ab6c28a1N.exe	30
PID 1284 wrote to memory of 2688	1284	62a46e42bf9d5a9beb38d64b16757083dfd4cfe3e069409ffdb6c315ab6c28a1N.exe	30
PID 1284 wrote to memory of 2688	1284	62a46e42bf9d5a9beb38d64b16757083dfd4cfe3e069409ffdb6c315ab6c28a1N.exe	30
PID 1284 wrote to memory of 2688	1284	62a46e42bf9d5a9beb38d64b16757083dfd4cfe3e069409ffdb6c315ab6c28a1N.exe	30
PID 1284 wrote to memory of 2688	1284	62a46e42bf9d5a9beb38d64b16757083dfd4cfe3e069409ffdb6c315ab6c28a1N.exe	30
PID 1284 wrote to memory of 2688	1284	62a46e42bf9d5a9beb38d64b16757083dfd4cfe3e069409ffdb6c315ab6c28a1N.exe	30
PID 1284 wrote to memory of 2688	1284	62a46e42bf9d5a9beb38d64b16757083dfd4cfe3e069409ffdb6c315ab6c28a1N.exe	30
PID 1284 wrote to memory of 2688	1284	62a46e42bf9d5a9beb38d64b16757083dfd4cfe3e069409ffdb6c315ab6c28a1N.exe	30
PID 1284 wrote to memory of 2688	1284	62a46e42bf9d5a9beb38d64b16757083dfd4cfe3e069409ffdb6c315ab6c28a1N.exe	30
PID 1284 wrote to memory of 2688	1284	62a46e42bf9d5a9beb38d64b16757083dfd4cfe3e069409ffdb6c315ab6c28a1N.exe	30
PID 1284 wrote to memory of 2688	1284	62a46e42bf9d5a9beb38d64b16757083dfd4cfe3e069409ffdb6c315ab6c28a1N.exe	30
PID 1284 wrote to memory of 2688	1284	62a46e42bf9d5a9beb38d64b16757083dfd4cfe3e069409ffdb6c315ab6c28a1N.exe	30
PID 1284 wrote to memory of 2688	1284	62a46e42bf9d5a9beb38d64b16757083dfd4cfe3e069409ffdb6c315ab6c28a1N.exe	30
PID 1284 wrote to memory of 2688	1284	62a46e42bf9d5a9beb38d64b16757083dfd4cfe3e069409ffdb6c315ab6c28a1N.exe	30
PID 1284 wrote to memory of 2688	1284	62a46e42bf9d5a9beb38d64b16757083dfd4cfe3e069409ffdb6c315ab6c28a1N.exe	30
PID 1284 wrote to memory of 2688	1284	62a46e42bf9d5a9beb38d64b16757083dfd4cfe3e069409ffdb6c315ab6c28a1N.exe	30
PID 1284 wrote to memory of 2688	1284	62a46e42bf9d5a9beb38d64b16757083dfd4cfe3e069409ffdb6c315ab6c28a1N.exe	30
PID 1284 wrote to memory of 2688	1284	62a46e42bf9d5a9beb38d64b16757083dfd4cfe3e069409ffdb6c315ab6c28a1N.exe	30
PID 1284 wrote to memory of 2688	1284	62a46e42bf9d5a9beb38d64b16757083dfd4cfe3e069409ffdb6c315ab6c28a1N.exe	30
PID 1284 wrote to memory of 2688	1284	62a46e42bf9d5a9beb38d64b16757083dfd4cfe3e069409ffdb6c315ab6c28a1N.exe	30
PID 1284 wrote to memory of 2688	1284	62a46e42bf9d5a9beb38d64b16757083dfd4cfe3e069409ffdb6c315ab6c28a1N.exe	30
PID 1284 wrote to memory of 2688	1284	62a46e42bf9d5a9beb38d64b16757083dfd4cfe3e069409ffdb6c315ab6c28a1N.exe	30
PID 1284 wrote to memory of 2688	1284	62a46e42bf9d5a9beb38d64b16757083dfd4cfe3e069409ffdb6c315ab6c28a1N.exe	30
PID 1284 wrote to memory of 2688	1284	62a46e42bf9d5a9beb38d64b16757083dfd4cfe3e069409ffdb6c315ab6c28a1N.exe	30
PID 1284 wrote to memory of 2688	1284	62a46e42bf9d5a9beb38d64b16757083dfd4cfe3e069409ffdb6c315ab6c28a1N.exe	30
PID 1284 wrote to memory of 2688	1284	62a46e42bf9d5a9beb38d64b16757083dfd4cfe3e069409ffdb6c315ab6c28a1N.exe	30
PID 1284 wrote to memory of 2688	1284	62a46e42bf9d5a9beb38d64b16757083dfd4cfe3e069409ffdb6c315ab6c28a1N.exe	30
PID 1284 wrote to memory of 2688	1284	62a46e42bf9d5a9beb38d64b16757083dfd4cfe3e069409ffdb6c315ab6c28a1N.exe	30
PID 1284 wrote to memory of 2688	1284	62a46e42bf9d5a9beb38d64b16757083dfd4cfe3e069409ffdb6c315ab6c28a1N.exe	30
PID 1284 wrote to memory of 2688	1284	62a46e42bf9d5a9beb38d64b16757083dfd4cfe3e069409ffdb6c315ab6c28a1N.exe	30
PID 1284 wrote to memory of 2688	1284	62a46e42bf9d5a9beb38d64b16757083dfd4cfe3e069409ffdb6c315ab6c28a1N.exe	30
PID 1284 wrote to memory of 2688	1284	62a46e42bf9d5a9beb38d64b16757083dfd4cfe3e069409ffdb6c315ab6c28a1N.exe	30
PID 1284 wrote to memory of 2688	1284	62a46e42bf9d5a9beb38d64b16757083dfd4cfe3e069409ffdb6c315ab6c28a1N.exe	30
PID 1284 wrote to memory of 2688	1284	62a46e42bf9d5a9beb38d64b16757083dfd4cfe3e069409ffdb6c315ab6c28a1N.exe	30
PID 1284 wrote to memory of 2688	1284	62a46e42bf9d5a9beb38d64b16757083dfd4cfe3e069409ffdb6c315ab6c28a1N.exe	30
PID 1284 wrote to memory of 2688	1284	62a46e42bf9d5a9beb38d64b16757083dfd4cfe3e069409ffdb6c315ab6c28a1N.exe	30
PID 1284 wrote to memory of 2688	1284	62a46e42bf9d5a9beb38d64b16757083dfd4cfe3e069409ffdb6c315ab6c28a1N.exe	30
PID 1284 wrote to memory of 2688	1284	62a46e42bf9d5a9beb38d64b16757083dfd4cfe3e069409ffdb6c315ab6c28a1N.exe	30
PID 1284 wrote to memory of 2688	1284	62a46e42bf9d5a9beb38d64b16757083dfd4cfe3e069409ffdb6c315ab6c28a1N.exe	30
PID 1284 wrote to memory of 2688	1284	62a46e42bf9d5a9beb38d64b16757083dfd4cfe3e069409ffdb6c315ab6c28a1N.exe	30
PID 1284 wrote to memory of 2688	1284	62a46e42bf9d5a9beb38d64b16757083dfd4cfe3e069409ffdb6c315ab6c28a1N.exe	30
PID 1284 wrote to memory of 2688	1284	62a46e42bf9d5a9beb38d64b16757083dfd4cfe3e069409ffdb6c315ab6c28a1N.exe	30
PID 1284 wrote to memory of 2688	1284	62a46e42bf9d5a9beb38d64b16757083dfd4cfe3e069409ffdb6c315ab6c28a1N.exe	30
PID 1284 wrote to memory of 2688	1284	62a46e42bf9d5a9beb38d64b16757083dfd4cfe3e069409ffdb6c315ab6c28a1N.exe	30
PID 1284 wrote to memory of 2688	1284	62a46e42bf9d5a9beb38d64b16757083dfd4cfe3e069409ffdb6c315ab6c28a1N.exe	30
PID 1284 wrote to memory of 2688	1284	62a46e42bf9d5a9beb38d64b16757083dfd4cfe3e069409ffdb6c315ab6c28a1N.exe	30
PID 1284 wrote to memory of 2688	1284	62a46e42bf9d5a9beb38d64b16757083dfd4cfe3e069409ffdb6c315ab6c28a1N.exe	30
PID 1284 wrote to memory of 2688	1284	62a46e42bf9d5a9beb38d64b16757083dfd4cfe3e069409ffdb6c315ab6c28a1N.exe	30
PID 1284 wrote to memory of 2688	1284	62a46e42bf9d5a9beb38d64b16757083dfd4cfe3e069409ffdb6c315ab6c28a1N.exe	30

C:\Users\Admin\AppData\Local\Temp\62a46e42bf9d5a9beb38d64b16757083dfd4cfe3e069409ffdb6c315ab6c28a1N.exe
"C:\Users\Admin\AppData\Local\Temp\62a46e42bf9d5a9beb38d64b16757083dfd4cfe3e069409ffdb6c315ab6c28a1N.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1284
- C:\Users\Admin\AppData\Local\Temp\vzaxicu.exe
  C:\Users\Admin\AppData\Local\Temp\vzaxicu.exe
  2⤵
  - Executes dropped EXE
  PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\vzaxicu.exe

Filesize
7.3MB

MD5
041cbaf7e8c44fcd41050832b74a49c3

SHA1
87b8ce5346ad22109ac66db16daa6ebef4a912a1

SHA256
9797c04f89686e01ec6a991a8365d57f9050f39390bcbd180e2377470388e53c

SHA512
c50740c120111ebaa21d80562f57544ea37670a15ec11f29662481684e7d6302b5aba4565b0530cd16fb437ec1f83a6de8aabaf5eda357b75eed2af33ce99e0d

Download Submit
memory/1284-1498-0x0000000001E90000-0x0000000001F0E000-memory.dmp

Filesize
504KB

Download
memory/1284-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1284-2-0x0000000000451000-0x0000000000453000-memory.dmp

Filesize
8KB

Download
memory/1284-10-0x0000000001E90000-0x0000000001F0E000-memory.dmp

Filesize
504KB

Download
memory/1284-0-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1284-109682-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2688-49-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2688-41-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2688-71-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2688-69-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2688-67-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2688-65-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2688-63-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2688-61-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2688-59-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2688-57-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2688-51-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2688-53-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2688-47-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2688-45-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2688-43-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2688-73-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2688-39-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2688-37-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2688-35-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2688-33-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2688-31-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2688-29-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2688-27-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2688-25-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2688-23-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2688-21-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2688-19-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2688-17-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2688-15-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2688-13-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2688-11-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2688-55-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download