aa2bc6bdab3c1cd9cc94e92a00f2501ffd6bef384e69e605b9533ee4a9af2fcc

Analysis

max time kernel
121s
max time network
125s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-12-2024 12:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Court Project V1.1/Doxinfo.exe
Size

90KB
MD5

078639fa0eda91454c03374bb90d938f
SHA1

a10c694f38759187098c57d63c0ae925322cdfa9
SHA256

cc2028db9daecfc962308f695bca0d46ea2e451984e4762c14dd8c3f3f055bae
SHA512

1f0348ab86e54df0928e99005ce7e9f097eed5a57f1dfad1dae6994725fef194ae7cdbe965f872b446465a566a523f587f01292f8e966fbdcb367227a098360e
SSDEEP

1536:mLdD+0MON593j/NL0R21zt2kxi9dBkLpwWoNVzqkjaOT:mLdSro1xL221ztidmWr1n

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Doxinfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mode.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 2436	3028	Doxinfo.exe	31
PID 3028 wrote to memory of 2436	3028	Doxinfo.exe	31
PID 3028 wrote to memory of 2436	3028	Doxinfo.exe	31
PID 3028 wrote to memory of 2436	3028	Doxinfo.exe	31
PID 2436 wrote to memory of 2280	2436	cmd.exe	32
PID 2436 wrote to memory of 2280	2436	cmd.exe	32
PID 2436 wrote to memory of 2280	2436	cmd.exe	32
PID 2436 wrote to memory of 2280	2436	cmd.exe	32
PID 2436 wrote to memory of 2020	2436	cmd.exe	33
PID 2436 wrote to memory of 2020	2436	cmd.exe	33
PID 2436 wrote to memory of 2020	2436	cmd.exe	33
PID 2436 wrote to memory of 2020	2436	cmd.exe	33
PID 2436 wrote to memory of 2704	2436	cmd.exe	34
PID 2436 wrote to memory of 2704	2436	cmd.exe	34
PID 2436 wrote to memory of 2704	2436	cmd.exe	34
PID 2436 wrote to memory of 2704	2436	cmd.exe	34
PID 2436 wrote to memory of 2764	2436	cmd.exe	35
PID 2436 wrote to memory of 2764	2436	cmd.exe	35
PID 2436 wrote to memory of 2764	2436	cmd.exe	35
PID 2436 wrote to memory of 2764	2436	cmd.exe	35
PID 2436 wrote to memory of 2796	2436	cmd.exe	36
PID 2436 wrote to memory of 2796	2436	cmd.exe	36
PID 2436 wrote to memory of 2796	2436	cmd.exe	36
PID 2436 wrote to memory of 2796	2436	cmd.exe	36
PID 2436 wrote to memory of 2904	2436	cmd.exe	37
PID 2436 wrote to memory of 2904	2436	cmd.exe	37
PID 2436 wrote to memory of 2904	2436	cmd.exe	37
PID 2436 wrote to memory of 2904	2436	cmd.exe	37
PID 2436 wrote to memory of 2668	2436	cmd.exe	38
PID 2436 wrote to memory of 2668	2436	cmd.exe	38
PID 2436 wrote to memory of 2668	2436	cmd.exe	38
PID 2436 wrote to memory of 2668	2436	cmd.exe	38
PID 2436 wrote to memory of 2692	2436	cmd.exe	39
PID 2436 wrote to memory of 2692	2436	cmd.exe	39
PID 2436 wrote to memory of 2692	2436	cmd.exe	39
PID 2436 wrote to memory of 2692	2436	cmd.exe	39
PID 2436 wrote to memory of 2256	2436	cmd.exe	40
PID 2436 wrote to memory of 2256	2436	cmd.exe	40
PID 2436 wrote to memory of 2256	2436	cmd.exe	40
PID 2436 wrote to memory of 2256	2436	cmd.exe	40
PID 2436 wrote to memory of 2804	2436	cmd.exe	41
PID 2436 wrote to memory of 2804	2436	cmd.exe	41
PID 2436 wrote to memory of 2804	2436	cmd.exe	41
PID 2436 wrote to memory of 2804	2436	cmd.exe	41

C:\Users\Admin\AppData\Local\Temp\Court Project V1.1\Doxinfo.exe
"C:\Users\Admin\AppData\Local\Temp\Court Project V1.1\Doxinfo.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\8BFA.tmp\Doxinfo.bat""
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Windows\SysWOW64\mode.com
    MODE con: cols=110 lines=45
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2280
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2020
- - C:\Windows\SysWOW64\findstr.exe
    findstr /v /a:04 /R "+" " --- Cyber Hacking ---" nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2704
- - C:\Windows\SysWOW64\findstr.exe
    findstr /v /a:07 /R "+" " CODED BY @Luishino Pericena Choque " nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2764
- - C:\Windows\SysWOW64\findstr.exe
    findstr /v /a:0E /R "+" " COMANDOS" nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2796
- - C:\Windows\SysWOW64\findstr.exe
    findstr /v /a:06 /R "+" " [-]web Buscar en sitios web [-]url Acortador de link [-]inf Informacion" nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2904
- - C:\Windows\SysWOW64\findstr.exe
    findstr /v /a:06 /R "+" " [-]img Buscar imagenes [-]cls Limpiar la pantalla [-]v Version" nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2668
- - C:\Windows\SysWOW64\findstr.exe
    findstr /v /a:06 /R "+" " [-]ip Buscar ubicacion [-]help Ayuda con Doxinfo" nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2692
- - C:\Windows\SysWOW64\findstr.exe
    findstr /v /a:0C /R "+" " [+] Seleccione una opcion" nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2256
- - C:\Windows\SysWOW64\findstr.exe
    findstr /v /a:0C /R "+" " (Doxinfo)" nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8BFA.tmp\Doxinfo.bat

Filesize
21KB

MD5
f90f7f81bed1f7f200df22de5eae78fd

SHA1
5925de3264089069d76e673640006f2b99da4f0f

SHA256
e8f44227a9090d0e118843f5706c52409655ce5f5363bba08dcc3682ad727930

SHA512
70e8d1adb6d94e08a43caeadfb953c6d77b04b5e38761d77ca3924b7356f117e9fe030d01eaf826dd7d37607b6bbb1a8d5e72290107c311bc0423dc85d360711

Download Submit
C:\Users\Admin\AppData\Local\Temp\Court Project V1.1\ --- Cyber Hacking ---

Filesize
3B

MD5
df66fa563a2fafdb93cc559deb0a38c4

SHA1
e6666cf8574b0f7a9ae5bccee572f965c2aec9cb

SHA256
3e39ed22dc63246937c4dbbf34ce4fb1cfe6b00de7596b020cad49ae50031351

SHA512
34ea05ee75cd840a94526411777868edb293a69867e1fdc2c2e917d278a3d58fcb86afc65142f4b184ce6907f04fb254a86061cfb620f01874b0b454a6f01c18

Download Submit