a8e552944846a2f5e8fefea4a250046da29d74d1f58f7a868258e6ded9597958

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26-09-2024 02:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a8e552944846a2f5e8fefea4a250046da29d74d1f58f7a868258e6ded9597958.exe
Size

4.6MB
MD5

25860926414bf43383246f7c773a8d6c
SHA1

760390a4a14df085f4c841067f52c79409cdc93e
SHA256

a8e552944846a2f5e8fefea4a250046da29d74d1f58f7a868258e6ded9597958
SHA512

61825ef1b03f5516f2820faae3dad01911054debb714b2162fd28cdc7c26199eb6174eddb3e48a4b200c350a083a561a58bd2724496fcb71e87d4492e2ec5a07
SSDEEP

98304:+pbYDHaUeRG/GnYDievJRVrQo4QGB0s53+sTH7/93veWGLRHHk:+pbu9e+qYDiQf1hfGWsBVb/rGLhE

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1228	DZIPR.exe

Loads dropped DLL 2 IoCs

pid	Process
2404	a8e552944846a2f5e8fefea4a250046da29d74d1f58f7a868258e6ded9597958.exe
1228	DZIPR.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a8e552944846a2f5e8fefea4a250046da29d74d1f58f7a868258e6ded9597958.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DZIPR.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1228	DZIPR.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 1228	2404	a8e552944846a2f5e8fefea4a250046da29d74d1f58f7a868258e6ded9597958.exe	30
PID 2404 wrote to memory of 1228	2404	a8e552944846a2f5e8fefea4a250046da29d74d1f58f7a868258e6ded9597958.exe	30
PID 2404 wrote to memory of 1228	2404	a8e552944846a2f5e8fefea4a250046da29d74d1f58f7a868258e6ded9597958.exe	30
PID 2404 wrote to memory of 1228	2404	a8e552944846a2f5e8fefea4a250046da29d74d1f58f7a868258e6ded9597958.exe	30

C:\Users\Admin\AppData\Local\Temp\a8e552944846a2f5e8fefea4a250046da29d74d1f58f7a868258e6ded9597958.exe
"C:\Users\Admin\AppData\Local\Temp\a8e552944846a2f5e8fefea4a250046da29d74d1f58f7a868258e6ded9597958.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Users\Admin\DZIPR.exe
  "C:\Users\Admin\DZIPR.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\DZIPR.dll

Filesize
346KB

MD5
ad28d4167571382569d2384ffd7bd2a9

SHA1
efc7534bcb1645d4056702e073519f571d8db77b

SHA256
f919a8e63ec0f2f05ac01a6cab4088c13fbf14a38b071cfa9f710c9e069462eb

SHA512
8f28867b46dd7a801cbf70d8d7fe5f2bfb8654a417c40ba264faf81af8bb1a28e1a1200fdc9828a4a4c6df0a13817055290c16f9468d311b8d8049a2439348d9

Download Submit
C:\Users\Admin\ekqqtq

Filesize
952KB

MD5
4649f3a4e58c6040b07f6d486c149a71

SHA1
64f8fc631c5fb4e5f6bc20c207047d8e2b500587

SHA256
5d81ca77492946aa2cfe00349342de8cceb317d8649bedbfd95992dca885f184

SHA512
4e1b229d30403b594e992fe0893e568161c8d901fe20461093d11159ab03b5dd410d1834bc64ac4ccc39d4f6b072946703f06eeb982d79b1c9a1b773b57013b7

Download Submit
C:\Users\Admin\ipqtwm

Filesize
70KB

MD5
f125e72b3968ca233ef3c7e2f4db34e7

SHA1
4fb34044ef18cedbd3ede4272c44416d3f11735c

SHA256
ced30560c6c0fc15cbdbdbc0d480dca6b41ce3183057e43b419dd6814a33db92

SHA512
b645d1eb685a69b9ca9bbdb1f4638af8ae151ddfb9527c423f7779971246ed60f981ce26ce8af2fc7b63164e7c13e9c6e98a7f148831a1e59318e60e5a39f881

Download Submit
\Users\Admin\DZIPR.exe

Filesize
8.4MB

MD5
ec9ce1d67f98072281015c7726fba245

SHA1
e89b16265acf4a251b527ddf22830f2650987263

SHA256
9ab4145d5525ae741b80f4e66f505abba59adcbe01868dfef84fbe4450634cc1

SHA512
21db8f3ae325021589de9c2489ab2ce6814722a17a92476a56147478aa9767ce5c4769169f287060cc08ad76019178ba547fcef32074ef1afb1926845e7158e1

Download Submit
memory/1228-17-0x0000000074EF0000-0x0000000075064000-memory.dmp

Filesize
1.5MB

Download
memory/1228-18-0x0000000077C60000-0x0000000077E09000-memory.dmp

Filesize
1.7MB

Download
memory/1228-19-0x0000000000400000-0x0000000000C69000-memory.dmp

Filesize
8.4MB

Download