fbac1dec32c78b793c4917c6688129303f60da9be7f5c6933aeb63f8d8a3569f

Resubmissions

23-11-2024 04:03

241123-emmtcsxqes 3

23-11-2024 04:01

241123-elnz2atpgr 3

Analysis

max time kernel
45s
max time network
47s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-11-2024 04:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CREAISO.bat
Size

178B
MD5

7f117556539267e0a120f592ca05cce8
SHA1

ebb9e02f85e65b6eb6f893a4b10327dfc8891423
SHA256

e013877a0c7e2238f3939a819f5e4cfe901c6c1575bdc0f55b8bd0bba6b2a4a3
SHA512

8080a631a73b550ce687255b1fac40599e3e507a9f12eeda75497d8db88a099ac2bddefd478ac6839bf84611afbc4f4e7f19c6ef91fc5a13873431d60f608a93

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mkisofs.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2956	mkisofs.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 2956	2092	cmd.exe	32
PID 2092 wrote to memory of 2956	2092	cmd.exe	32
PID 2092 wrote to memory of 2956	2092	cmd.exe	32
PID 2092 wrote to memory of 2956	2092	cmd.exe	32

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\CREAISO.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Users\Admin\AppData\Local\Temp\mkisofs.exe
  mkisofs -r -b isolinux.bin -boot-info-table -no-emul-boot -boot-load-size 4 -o ../BurnMe.iso .
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2956

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2956-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download