b749207628d530cab42dc8c1b17de9af6d8e4a8a8e85070c30b1c98619bad6e2

Analysis

max time kernel
108s
max time network
112s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
15-01-2025 18:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ez.exe
Size

165KB
MD5

3527c96c3cee29e503b286fcda1c2995
SHA1

ec43af77db36085fcb7564a21058419ff8b9334d
SHA256

b749207628d530cab42dc8c1b17de9af6d8e4a8a8e85070c30b1c98619bad6e2
SHA512

744e6b1ae259489666d227686c63e3c0cb8806535dda438470202f68b17fa293be29e6f2c0f04f59a0d47a3ceb0071cbe12c30894da7dc064442325e31ae7af6
SSDEEP

3072:hxvux/s189kbq8dBrxSmFNhiwQzEoKikb/XWdt:rvxBrlNhiqDnbOdt

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ez.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ez.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ez.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3588	schtasks.exe
4948	schtasks.exe
4756	schtasks.exe
3132	schtasks.exe
2292	schtasks.exe
1240	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2000	ez.exe
2000	ez.exe
2000	ez.exe
2000	ez.exe
2000	ez.exe
2000	ez.exe
2000	ez.exe
2000	ez.exe
2000	ez.exe
2000	ez.exe
2000	ez.exe
2000	ez.exe
2000	ez.exe
2000	ez.exe
2000	ez.exe
2000	ez.exe
2000	ez.exe
2000	ez.exe
2000	ez.exe
2000	ez.exe
2000	ez.exe
2000	ez.exe
2000	ez.exe
2000	ez.exe
2000	ez.exe
2000	ez.exe
2000	ez.exe
2000	ez.exe
2000	ez.exe
2000	ez.exe
2000	ez.exe
2000	ez.exe
2000	ez.exe
2000	ez.exe
2000	ez.exe
2000	ez.exe
2000	ez.exe
2000	ez.exe
2000	ez.exe
2000	ez.exe
2000	ez.exe
2000	ez.exe
2000	ez.exe
2000	ez.exe
2000	ez.exe
2000	ez.exe
2000	ez.exe
2000	ez.exe
2000	ez.exe
2000	ez.exe
2000	ez.exe
2000	ez.exe
2000	ez.exe
2000	ez.exe
2000	ez.exe
2000	ez.exe
2000	ez.exe
2000	ez.exe
2000	ez.exe
2000	ez.exe
2000	ez.exe
2000	ez.exe
2000	ez.exe
2000	ez.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	2000	ez.exe
Token: SeRestorePrivilege	3032	dw20.exe
Token: SeBackupPrivilege	3032	dw20.exe
Token: SeBackupPrivilege	3032	dw20.exe
Token: SeBackupPrivilege	3032	dw20.exe
Token: SeDebugPrivilege	3252	ez.exe
Token: SeBackupPrivilege	964	dw20.exe
Token: SeBackupPrivilege	964	dw20.exe
Token: SeDebugPrivilege	2944	ez.exe
Token: SeBackupPrivilege	544	dw20.exe
Token: SeBackupPrivilege	544	dw20.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 1940	2000	ez.exe	84
PID 2000 wrote to memory of 1940	2000	ez.exe	84
PID 2000 wrote to memory of 1940	2000	ez.exe	84
PID 2000 wrote to memory of 4948	2000	ez.exe	87
PID 2000 wrote to memory of 4948	2000	ez.exe	87
PID 2000 wrote to memory of 4948	2000	ez.exe	87
PID 2000 wrote to memory of 3744	2000	ez.exe	89
PID 2000 wrote to memory of 3744	2000	ez.exe	89
PID 2000 wrote to memory of 3744	2000	ez.exe	89
PID 2000 wrote to memory of 4756	2000	ez.exe	91
PID 2000 wrote to memory of 4756	2000	ez.exe	91
PID 2000 wrote to memory of 4756	2000	ez.exe	91
PID 2000 wrote to memory of 3032	2000	ez.exe	93
PID 2000 wrote to memory of 3032	2000	ez.exe	93
PID 2000 wrote to memory of 3032	2000	ez.exe	93
PID 3252 wrote to memory of 2672	3252	ez.exe	98
PID 3252 wrote to memory of 2672	3252	ez.exe	98
PID 3252 wrote to memory of 2672	3252	ez.exe	98
PID 3252 wrote to memory of 3132	3252	ez.exe	100
PID 3252 wrote to memory of 3132	3252	ez.exe	100
PID 3252 wrote to memory of 3132	3252	ez.exe	100
PID 3252 wrote to memory of 2172	3252	ez.exe	101
PID 3252 wrote to memory of 2172	3252	ez.exe	101
PID 3252 wrote to memory of 2172	3252	ez.exe	101
PID 3252 wrote to memory of 2292	3252	ez.exe	104
PID 3252 wrote to memory of 2292	3252	ez.exe	104
PID 3252 wrote to memory of 2292	3252	ez.exe	104
PID 3252 wrote to memory of 964	3252	ez.exe	106
PID 3252 wrote to memory of 964	3252	ez.exe	106
PID 3252 wrote to memory of 964	3252	ez.exe	106
PID 2944 wrote to memory of 1512	2944	ez.exe	108
PID 2944 wrote to memory of 1512	2944	ez.exe	108
PID 2944 wrote to memory of 1512	2944	ez.exe	108
PID 2944 wrote to memory of 1240	2944	ez.exe	110
PID 2944 wrote to memory of 1240	2944	ez.exe	110
PID 2944 wrote to memory of 1240	2944	ez.exe	110
PID 2944 wrote to memory of 640	2944	ez.exe	111
PID 2944 wrote to memory of 640	2944	ez.exe	111
PID 2944 wrote to memory of 640	2944	ez.exe	111
PID 2944 wrote to memory of 3588	2944	ez.exe	114
PID 2944 wrote to memory of 3588	2944	ez.exe	114
PID 2944 wrote to memory of 3588	2944	ez.exe	114
PID 2944 wrote to memory of 544	2944	ez.exe	116
PID 2944 wrote to memory of 544	2944	ez.exe	116
PID 2944 wrote to memory of 544	2944	ez.exe	116

C:\Users\Admin\AppData\Local\Temp\ez.exe
"C:\Users\Admin\AppData\Local\Temp\ez.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Delete /tn NYANP /F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1940
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /tn NYANP /tr "C:\Users\Admin\AppData\Local\Temp\ez.exe" /sc minute /mo 5
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:4948
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Delete /tn NYAN /F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3744
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\ez.exe" /sc minute /mo 1
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:4756
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
  dw20.exe -x -s 1040
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:3032

C:\Users\Admin\AppData\Local\Temp\ez.exe
"C:\Users\Admin\AppData\Local\Temp\ez.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3252
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Delete /tn NYANP /F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2672
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /tn NYANP /tr "C:\Users\Admin\AppData\Local\Temp\ez.exe" /sc minute /mo 5
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:3132
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Delete /tn NYAN /F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2172
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\ez.exe" /sc minute /mo 1
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2292
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
  dw20.exe -x -s 1008
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:964

C:\Users\Admin\AppData\Local\Temp\ez.exe
"C:\Users\Admin\AppData\Local\Temp\ez.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Delete /tn NYANP /F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1512
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /tn NYANP /tr "C:\Users\Admin\AppData\Local\Temp\ez.exe" /sc minute /mo 5
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:1240
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Delete /tn NYAN /F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:640
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\ez.exe" /sc minute /mo 1
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:3588
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
  dw20.exe -x -s 1008
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2000-0-0x0000000075342000-0x0000000075343000-memory.dmp

Filesize
4KB

Download
memory/2000-1-0x0000000075340000-0x00000000758F1000-memory.dmp

Filesize
5.7MB

Download
memory/2000-2-0x0000000075340000-0x00000000758F1000-memory.dmp

Filesize
5.7MB

Download
memory/2000-3-0x0000000075340000-0x00000000758F1000-memory.dmp

Filesize
5.7MB

Download
memory/2000-4-0x0000000075340000-0x00000000758F1000-memory.dmp

Filesize
5.7MB

Download
memory/2000-5-0x0000000075342000-0x0000000075343000-memory.dmp

Filesize
4KB

Download
memory/2000-6-0x0000000075340000-0x00000000758F1000-memory.dmp

Filesize
5.7MB

Download
memory/2000-13-0x0000000075340000-0x00000000758F1000-memory.dmp

Filesize
5.7MB

Download