881f48b7bb0843623dd37e519ba30d51cb19b324bb992167eda19df2e97e7774

General

Target

881f48b7bb0843623dd37e519ba30d51cb19b324bb992167eda19df2e97e7774.exe
Size

6.1MB
MD5

fa1e1544d3c43fc8a9b1f4142b046391
SHA1

c4a1b757c5bd90d7e59e84c009c2c5f19471fefe
SHA256

881f48b7bb0843623dd37e519ba30d51cb19b324bb992167eda19df2e97e7774
SHA512

e86c5f4bb723c02cfa772e7fa5ab7afff22212057cbe52ca1f0cc4d9a34410b511e2e75c8f9eab4bc4d50cbbeba156ca9d4a4b12aa29052c67ba47494ee2a2d9
SSDEEP

98304:sMDtIXLr06AdfEThF35PzuY+NmU7afvNN5+N6F8c5AvtfXmJ+PigmgI:UrmEdF3D+NmcaNNH8Uotnmz

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2220	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	881f48b7bb0843623dd37e519ba30d51cb19b324bb992167eda19df2e97e7774.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2012	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2196	schtasks.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 2448	1964	881f48b7bb0843623dd37e519ba30d51cb19b324bb992167eda19df2e97e7774.exe	28
PID 1964 wrote to memory of 2448	1964	881f48b7bb0843623dd37e519ba30d51cb19b324bb992167eda19df2e97e7774.exe	28
PID 1964 wrote to memory of 2448	1964	881f48b7bb0843623dd37e519ba30d51cb19b324bb992167eda19df2e97e7774.exe	28
PID 1964 wrote to memory of 2448	1964	881f48b7bb0843623dd37e519ba30d51cb19b324bb992167eda19df2e97e7774.exe	28
PID 1964 wrote to memory of 2220	1964	881f48b7bb0843623dd37e519ba30d51cb19b324bb992167eda19df2e97e7774.exe	30
PID 1964 wrote to memory of 2220	1964	881f48b7bb0843623dd37e519ba30d51cb19b324bb992167eda19df2e97e7774.exe	30
PID 1964 wrote to memory of 2220	1964	881f48b7bb0843623dd37e519ba30d51cb19b324bb992167eda19df2e97e7774.exe	30
PID 1964 wrote to memory of 2220	1964	881f48b7bb0843623dd37e519ba30d51cb19b324bb992167eda19df2e97e7774.exe	30
PID 2448 wrote to memory of 804	2448	cmd.exe	32
PID 2448 wrote to memory of 804	2448	cmd.exe	32
PID 2448 wrote to memory of 804	2448	cmd.exe	32
PID 2448 wrote to memory of 804	2448	cmd.exe	32
PID 2220 wrote to memory of 1000	2220	cmd.exe	33
PID 2220 wrote to memory of 1000	2220	cmd.exe	33
PID 2220 wrote to memory of 1000	2220	cmd.exe	33
PID 2220 wrote to memory of 1000	2220	cmd.exe	33
PID 2448 wrote to memory of 2196	2448	cmd.exe	34
PID 2448 wrote to memory of 2196	2448	cmd.exe	34
PID 2448 wrote to memory of 2196	2448	cmd.exe	34
PID 2448 wrote to memory of 2196	2448	cmd.exe	34
PID 2220 wrote to memory of 2012	2220	cmd.exe	35
PID 2220 wrote to memory of 2012	2220	cmd.exe	35
PID 2220 wrote to memory of 2012	2220	cmd.exe	35
PID 2220 wrote to memory of 2012	2220	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\881f48b7bb0843623dd37e519ba30d51cb19b324bb992167eda19df2e97e7774.exe
"C:\Users\Admin\AppData\Local\Temp\881f48b7bb0843623dd37e519ba30d51cb19b324bb992167eda19df2e97e7774.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\zbe202411177413426.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Windows\SysWOW64\schtasks.exe
    Schtasks.Exe /delete /tn "Maintenance" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:804
- - C:\Windows\SysWOW64\schtasks.exe
    Schtasks.Exe /create /tn "Maintenance" /xml "C:\Users\Admin\AppData\Local\Temp\zx202411177413426.xml"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2196
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\zb202411177413426.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Windows\SysWOW64\chcp.com
    chcp 1251
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1000
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 3 /nobreak
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:2012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\zb202411177413426.bat

Filesize
756B

MD5
4a4c78c3a541bf514c64678baa3b6ff4

SHA1
43c05ff2a0ca1071abffc8fa1724cb33c3663873

SHA256
973ecae95e955879822f66bc19f88958e762ef621c826147a59bf82b4d1fa4f2

SHA512
8eb1a2092d88d65613f82171cd299966ff8b691344ef89a1fed35abcd297a8520e5993473113ed5fb2c3116770ae5a84966b5e17dc08f0aa4d9972e1c49e350b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zbe202411177413426.bat

Filesize
293B

MD5
e9a9597031e5fda26f8e4e2bb5683cd6

SHA1
40dde7328b2b5aaeae61271300e2d5a81d991eef

SHA256
0cc1ef4eb954d833826849e6c0b630736614ccb7c9b05ec1a3dd708f9665f75b

SHA512
f816e3ede6c286a88843240f63078305c6e729ddb396ee28abe970995d8ed0734b521278956b4bb41757220e93ffbd912931ce1c4f44a433b4825aca364cddd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\zx202411177413426.xml

Filesize
1KB

MD5
1c4523bc0de2d714e319fae3165f41b9

SHA1
9be7af0026f5eb17e02fb73cb34b071b51c732f2

SHA256
67cebcf4c2e0823e382f350c33a2110f1a35dacdcce19c3bb6e6ee6550f9b80a

SHA512
dee6a088431734b1dfe57474c5dbca7c632b75cd23fc2d16c868d8e633cd5d83961f7e6b98c83e605f5ba676bc4c5d08bd74c7ab8057a973cbf70b3ae1488c6d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads