b749207628d530cab42dc8c1b17de9af6d8e4a8a8e85070c30b1c98619bad6e2

Analysis

max time kernel
121s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-01-2025 18:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ez.exe
Size

165KB
MD5

3527c96c3cee29e503b286fcda1c2995
SHA1

ec43af77db36085fcb7564a21058419ff8b9334d
SHA256

b749207628d530cab42dc8c1b17de9af6d8e4a8a8e85070c30b1c98619bad6e2
SHA512

744e6b1ae259489666d227686c63e3c0cb8806535dda438470202f68b17fa293be29e6f2c0f04f59a0d47a3ceb0071cbe12c30894da7dc064442325e31ae7af6
SSDEEP

3072:hxvux/s189kbq8dBrxSmFNhiwQzEoKikb/XWdt:rvxBrlNhiqDnbOdt

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ez.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ez.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ez.exe

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 6 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2164	schtasks.exe
2208	schtasks.exe
1224	schtasks.exe
3916	schtasks.exe
2104	schtasks.exe
4100	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
560	ez.exe
560	ez.exe
560	ez.exe
560	ez.exe
560	ez.exe
560	ez.exe
560	ez.exe
560	ez.exe
560	ez.exe
560	ez.exe
560	ez.exe
560	ez.exe
560	ez.exe
560	ez.exe
560	ez.exe
560	ez.exe
560	ez.exe
560	ez.exe
560	ez.exe
560	ez.exe
560	ez.exe
560	ez.exe
560	ez.exe
560	ez.exe
560	ez.exe
560	ez.exe
560	ez.exe
560	ez.exe
560	ez.exe
560	ez.exe
560	ez.exe
560	ez.exe
560	ez.exe
560	ez.exe
560	ez.exe
560	ez.exe
560	ez.exe
560	ez.exe
560	ez.exe
560	ez.exe
560	ez.exe
560	ez.exe
560	ez.exe
560	ez.exe
560	ez.exe
560	ez.exe
560	ez.exe
560	ez.exe
560	ez.exe
560	ez.exe
560	ez.exe
560	ez.exe
560	ez.exe
560	ez.exe
560	ez.exe
560	ez.exe
560	ez.exe
560	ez.exe
560	ez.exe
560	ez.exe
560	ez.exe
560	ez.exe
560	ez.exe
560	ez.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	560	ez.exe
Token: SeRestorePrivilege	1748	dw20.exe
Token: SeBackupPrivilege	1748	dw20.exe
Token: SeBackupPrivilege	1748	dw20.exe
Token: SeBackupPrivilege	1748	dw20.exe
Token: SeDebugPrivilege	3908	ez.exe
Token: SeBackupPrivilege	2136	dw20.exe
Token: SeBackupPrivilege	2136	dw20.exe
Token: SeDebugPrivilege	4800	ez.exe
Token: SeBackupPrivilege	2868	dw20.exe
Token: SeBackupPrivilege	2868	dw20.exe

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 560 wrote to memory of 3968	560	ez.exe	84
PID 560 wrote to memory of 3968	560	ez.exe	84
PID 560 wrote to memory of 3968	560	ez.exe	84
PID 560 wrote to memory of 2164	560	ez.exe	86
PID 560 wrote to memory of 2164	560	ez.exe	86
PID 560 wrote to memory of 2164	560	ez.exe	86
PID 560 wrote to memory of 5064	560	ez.exe	88
PID 560 wrote to memory of 5064	560	ez.exe	88
PID 560 wrote to memory of 5064	560	ez.exe	88
PID 560 wrote to memory of 2208	560	ez.exe	90
PID 560 wrote to memory of 2208	560	ez.exe	90
PID 560 wrote to memory of 2208	560	ez.exe	90
PID 560 wrote to memory of 1748	560	ez.exe	92
PID 560 wrote to memory of 1748	560	ez.exe	92
PID 560 wrote to memory of 1748	560	ez.exe	92
PID 3908 wrote to memory of 2188	3908	ez.exe	104
PID 3908 wrote to memory of 2188	3908	ez.exe	104
PID 3908 wrote to memory of 2188	3908	ez.exe	104
PID 3908 wrote to memory of 1224	3908	ez.exe	106
PID 3908 wrote to memory of 1224	3908	ez.exe	106
PID 3908 wrote to memory of 1224	3908	ez.exe	106
PID 3908 wrote to memory of 924	3908	ez.exe	107
PID 3908 wrote to memory of 924	3908	ez.exe	107
PID 3908 wrote to memory of 924	3908	ez.exe	107
PID 3908 wrote to memory of 3916	3908	ez.exe	110
PID 3908 wrote to memory of 3916	3908	ez.exe	110
PID 3908 wrote to memory of 3916	3908	ez.exe	110
PID 3908 wrote to memory of 2136	3908	ez.exe	112
PID 3908 wrote to memory of 2136	3908	ez.exe	112
PID 3908 wrote to memory of 2136	3908	ez.exe	112
PID 4800 wrote to memory of 4948	4800	ez.exe	114
PID 4800 wrote to memory of 4948	4800	ez.exe	114
PID 4800 wrote to memory of 4948	4800	ez.exe	114
PID 4800 wrote to memory of 2104	4800	ez.exe	116
PID 4800 wrote to memory of 2104	4800	ez.exe	116
PID 4800 wrote to memory of 2104	4800	ez.exe	116
PID 4800 wrote to memory of 2232	4800	ez.exe	117
PID 4800 wrote to memory of 2232	4800	ez.exe	117
PID 4800 wrote to memory of 2232	4800	ez.exe	117
PID 4800 wrote to memory of 4100	4800	ez.exe	120
PID 4800 wrote to memory of 4100	4800	ez.exe	120
PID 4800 wrote to memory of 4100	4800	ez.exe	120
PID 4800 wrote to memory of 2868	4800	ez.exe	122
PID 4800 wrote to memory of 2868	4800	ez.exe	122
PID 4800 wrote to memory of 2868	4800	ez.exe	122

C:\Users\Admin\AppData\Local\Temp\ez.exe
"C:\Users\Admin\AppData\Local\Temp\ez.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:560
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Delete /tn NYANP /F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3968
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /tn NYANP /tr "C:\Users\Admin\AppData\Local\Temp\ez.exe" /sc minute /mo 5
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2164
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Delete /tn NYAN /F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5064
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\ez.exe" /sc minute /mo 1
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2208
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
  dw20.exe -x -s 1040
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:1748

C:\Users\Admin\AppData\Local\Temp\ez.exe
C:\Users\Admin\AppData\Local\Temp\ez.exe
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3908
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Delete /tn NYANP /F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2188
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /tn NYANP /tr "C:\Users\Admin\AppData\Local\Temp\ez.exe" /sc minute /mo 5
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:1224
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Delete /tn NYAN /F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:924
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\ez.exe" /sc minute /mo 1
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:3916
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
  dw20.exe -x -s 1012
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:2136

C:\Users\Admin\AppData\Local\Temp\ez.exe
C:\Users\Admin\AppData\Local\Temp\ez.exe
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4800
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Delete /tn NYANP /F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4948
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /tn NYANP /tr "C:\Users\Admin\AppData\Local\Temp\ez.exe" /sc minute /mo 5
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2104
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Delete /tn NYAN /F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2232
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\ez.exe" /sc minute /mo 1
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:4100
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
  dw20.exe -x -s 1000
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious use of AdjustPrivilegeToken
  PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/560-0-0x00000000746C2000-0x00000000746C3000-memory.dmp

Filesize
4KB

Download
memory/560-1-0x00000000746C0000-0x0000000074C71000-memory.dmp

Filesize
5.7MB

Download
memory/560-2-0x00000000746C0000-0x0000000074C71000-memory.dmp

Filesize
5.7MB

Download
memory/560-3-0x00000000746C0000-0x0000000074C71000-memory.dmp

Filesize
5.7MB

Download
memory/560-4-0x00000000746C0000-0x0000000074C71000-memory.dmp

Filesize
5.7MB

Download
memory/560-5-0x00000000746C2000-0x00000000746C3000-memory.dmp

Filesize
4KB

Download
memory/560-6-0x00000000746C0000-0x0000000074C71000-memory.dmp

Filesize
5.7MB

Download
memory/560-13-0x00000000746C0000-0x0000000074C71000-memory.dmp

Filesize
5.7MB

Download