b749207628d530cab42dc8c1b17de9af6d8e4a8a8e85070c30b1c98619bad6e2

Analysis

max time kernel
119s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
15-01-2025 18:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ez.exe
Size

165KB
MD5

3527c96c3cee29e503b286fcda1c2995
SHA1

ec43af77db36085fcb7564a21058419ff8b9334d
SHA256

b749207628d530cab42dc8c1b17de9af6d8e4a8a8e85070c30b1c98619bad6e2
SHA512

744e6b1ae259489666d227686c63e3c0cb8806535dda438470202f68b17fa293be29e6f2c0f04f59a0d47a3ceb0071cbe12c30894da7dc064442325e31ae7af6
SSDEEP

3072:hxvux/s189kbq8dBrxSmFNhiwQzEoKikb/XWdt:rvxBrlNhiqDnbOdt

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ez.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ez.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ez.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2892	schtasks.exe
2696	schtasks.exe
2524	schtasks.exe
2392	schtasks.exe
2244	schtasks.exe
976	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1680	ez.exe
1680	ez.exe
1680	ez.exe
1680	ez.exe
1680	ez.exe
1680	ez.exe
1680	ez.exe
1680	ez.exe
1680	ez.exe
1680	ez.exe
1680	ez.exe
1680	ez.exe
1680	ez.exe
1680	ez.exe
1680	ez.exe
1680	ez.exe
1680	ez.exe
1680	ez.exe
1680	ez.exe
1680	ez.exe
1680	ez.exe
1680	ez.exe
1680	ez.exe
1680	ez.exe
1680	ez.exe
1680	ez.exe
1680	ez.exe
1680	ez.exe
1680	ez.exe
1680	ez.exe
1680	ez.exe
1680	ez.exe
1680	ez.exe
1680	ez.exe
1680	ez.exe
1680	ez.exe
1680	ez.exe
1680	ez.exe
1680	ez.exe
1680	ez.exe
1680	ez.exe
1680	ez.exe
1680	ez.exe
1680	ez.exe
1680	ez.exe
1680	ez.exe
1680	ez.exe
1680	ez.exe
1680	ez.exe
1680	ez.exe
1680	ez.exe
1680	ez.exe
1680	ez.exe
1680	ez.exe
1680	ez.exe
1680	ez.exe
1680	ez.exe
1680	ez.exe
1680	ez.exe
1680	ez.exe
1680	ez.exe
1680	ez.exe
1680	ez.exe
1680	ez.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1680	ez.exe
Token: SeDebugPrivilege	2132	ez.exe
Token: SeDebugPrivilege	2488	ez.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 2900	1680	ez.exe	30
PID 1680 wrote to memory of 2900	1680	ez.exe	30
PID 1680 wrote to memory of 2900	1680	ez.exe	30
PID 1680 wrote to memory of 2900	1680	ez.exe	30
PID 1680 wrote to memory of 2892	1680	ez.exe	32
PID 1680 wrote to memory of 2892	1680	ez.exe	32
PID 1680 wrote to memory of 2892	1680	ez.exe	32
PID 1680 wrote to memory of 2892	1680	ez.exe	32
PID 1680 wrote to memory of 2668	1680	ez.exe	34
PID 1680 wrote to memory of 2668	1680	ez.exe	34
PID 1680 wrote to memory of 2668	1680	ez.exe	34
PID 1680 wrote to memory of 2668	1680	ez.exe	34
PID 1680 wrote to memory of 2696	1680	ez.exe	36
PID 1680 wrote to memory of 2696	1680	ez.exe	36
PID 1680 wrote to memory of 2696	1680	ez.exe	36
PID 1680 wrote to memory of 2696	1680	ez.exe	36
PID 1680 wrote to memory of 2692	1680	ez.exe	38
PID 1680 wrote to memory of 2692	1680	ez.exe	38
PID 1680 wrote to memory of 2692	1680	ez.exe	38
PID 1680 wrote to memory of 2692	1680	ez.exe	38
PID 1672 wrote to memory of 2132	1672	taskeng.exe	40
PID 1672 wrote to memory of 2132	1672	taskeng.exe	40
PID 1672 wrote to memory of 2132	1672	taskeng.exe	40
PID 1672 wrote to memory of 2132	1672	taskeng.exe	40
PID 2132 wrote to memory of 2300	2132	ez.exe	41
PID 2132 wrote to memory of 2300	2132	ez.exe	41
PID 2132 wrote to memory of 2300	2132	ez.exe	41
PID 2132 wrote to memory of 2300	2132	ez.exe	41
PID 2132 wrote to memory of 2524	2132	ez.exe	43
PID 2132 wrote to memory of 2524	2132	ez.exe	43
PID 2132 wrote to memory of 2524	2132	ez.exe	43
PID 2132 wrote to memory of 2524	2132	ez.exe	43
PID 2132 wrote to memory of 2112	2132	ez.exe	45
PID 2132 wrote to memory of 2112	2132	ez.exe	45
PID 2132 wrote to memory of 2112	2132	ez.exe	45
PID 2132 wrote to memory of 2112	2132	ez.exe	45
PID 2132 wrote to memory of 2392	2132	ez.exe	47
PID 2132 wrote to memory of 2392	2132	ez.exe	47
PID 2132 wrote to memory of 2392	2132	ez.exe	47
PID 2132 wrote to memory of 2392	2132	ez.exe	47
PID 2132 wrote to memory of 2860	2132	ez.exe	49
PID 2132 wrote to memory of 2860	2132	ez.exe	49
PID 2132 wrote to memory of 2860	2132	ez.exe	49
PID 2132 wrote to memory of 2860	2132	ez.exe	49
PID 1672 wrote to memory of 2488	1672	taskeng.exe	50
PID 1672 wrote to memory of 2488	1672	taskeng.exe	50
PID 1672 wrote to memory of 2488	1672	taskeng.exe	50
PID 1672 wrote to memory of 2488	1672	taskeng.exe	50
PID 2488 wrote to memory of 2088	2488	ez.exe	51
PID 2488 wrote to memory of 2088	2488	ez.exe	51
PID 2488 wrote to memory of 2088	2488	ez.exe	51
PID 2488 wrote to memory of 2088	2488	ez.exe	51
PID 2488 wrote to memory of 2244	2488	ez.exe	53
PID 2488 wrote to memory of 2244	2488	ez.exe	53
PID 2488 wrote to memory of 2244	2488	ez.exe	53
PID 2488 wrote to memory of 2244	2488	ez.exe	53
PID 2488 wrote to memory of 2084	2488	ez.exe	55
PID 2488 wrote to memory of 2084	2488	ez.exe	55
PID 2488 wrote to memory of 2084	2488	ez.exe	55
PID 2488 wrote to memory of 2084	2488	ez.exe	55
PID 2488 wrote to memory of 976	2488	ez.exe	57
PID 2488 wrote to memory of 976	2488	ez.exe	57
PID 2488 wrote to memory of 976	2488	ez.exe	57
PID 2488 wrote to memory of 976	2488	ez.exe	57

C:\Users\Admin\AppData\Local\Temp\ez.exe
"C:\Users\Admin\AppData\Local\Temp\ez.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Delete /tn NYANP /F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2900
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /tn NYANP /tr "C:\Users\Admin\AppData\Local\Temp\ez.exe" /sc minute /mo 5
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2892
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Delete /tn NYAN /F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2668
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\ez.exe" /sc minute /mo 1
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2696
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
  dw20.exe -x -s 608
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2692

C:\Windows\system32\taskeng.exe
taskeng.exe {024D7983-DE8A-4E29-9B44-D7AAB4E4CC41} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Users\Admin\AppData\Local\Temp\ez.exe
  C:\Users\Admin\AppData\Local\Temp\ez.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Delete /tn NYANP /F
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2300
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn NYANP /tr "C:\Users\Admin\AppData\Local\Temp\ez.exe" /sc minute /mo 5
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2524
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Delete /tn NYAN /F
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2112
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\ez.exe" /sc minute /mo 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2392
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 612
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2860
- C:\Users\Admin\AppData\Local\Temp\ez.exe
  C:\Users\Admin\AppData\Local\Temp\ez.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Delete /tn NYANP /F
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2088
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn NYANP /tr "C:\Users\Admin\AppData\Local\Temp\ez.exe" /sc minute /mo 5
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2244
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Delete /tn NYAN /F
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2084
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\ez.exe" /sc minute /mo 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:976
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 608
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1680-0-0x00000000740A1000-0x00000000740A2000-memory.dmp

Filesize
4KB

Download
memory/1680-1-0x00000000740A0000-0x000000007464B000-memory.dmp

Filesize
5.7MB

Download
memory/1680-2-0x00000000740A0000-0x000000007464B000-memory.dmp

Filesize
5.7MB

Download
memory/1680-3-0x00000000740A0000-0x000000007464B000-memory.dmp

Filesize
5.7MB

Download
memory/1680-4-0x00000000740A0000-0x000000007464B000-memory.dmp

Filesize
5.7MB

Download
memory/1680-5-0x00000000740A0000-0x000000007464B000-memory.dmp

Filesize
5.7MB

Download
memory/1680-6-0x00000000740A0000-0x000000007464B000-memory.dmp

Filesize
5.7MB

Download
memory/1680-7-0x00000000740A0000-0x000000007464B000-memory.dmp

Filesize
5.7MB

Download
memory/1680-8-0x00000000740A0000-0x000000007464B000-memory.dmp

Filesize
5.7MB

Download