78a74ea4f8dc7a468ba1fcfeaeef24b17eea9bbbedfe897ec7cf02c1e60c3e61

Analysis

max time kernel
94s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-01-2025 09:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

78a74ea4f8dc7a468ba1fcfeaeef24b17eea9bbbedfe897ec7cf02c1e60c3e61.exe
Size

2.0MB
MD5

0ead280a3e08ff34bee62fcc9cf0a53f
SHA1

8c001de69521a96da77c512fa6742bb3fefcda7d
SHA256

78a74ea4f8dc7a468ba1fcfeaeef24b17eea9bbbedfe897ec7cf02c1e60c3e61
SHA512

047d7d5ef85d6d4ffb1ccf53e2696153ddd6bed38484743c9c4454a0cdcd51934912ebdee2a9de390cc35f8b7db1ecfaa6a2c3d358a92d8a5aae6a63e349b45b
SSDEEP

49152:N2nvdBTU7QFQP+ENo53Ip737cp3+BbQ8V+jW1aMibv:AvzWB7NYIp7349+BbB+jWIv

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	78a74ea4f8dc7a468ba1fcfeaeef24b17eea9bbbedfe897ec7cf02c1e60c3e61.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	ZamAC7VNr~i2uF.eXe

Executes dropped EXE 2 IoCs

pid	Process
4820	ZamAC7VNr~i2uF.eXe
780	e58655c.exe

Loads dropped DLL 2 IoCs

pid	Process
4356	regsvr32.exe
4356	regsvr32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4452	780	WerFault.exe	107

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e58655c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	78a74ea4f8dc7a468ba1fcfeaeef24b17eea9bbbedfe897ec7cf02c1e60c3e61.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ZamAC7VNr~i2uF.eXe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1724	taskkill.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1724	taskkill.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1316 wrote to memory of 1720	1316	78a74ea4f8dc7a468ba1fcfeaeef24b17eea9bbbedfe897ec7cf02c1e60c3e61.exe	83
PID 1316 wrote to memory of 1720	1316	78a74ea4f8dc7a468ba1fcfeaeef24b17eea9bbbedfe897ec7cf02c1e60c3e61.exe	83
PID 1316 wrote to memory of 1720	1316	78a74ea4f8dc7a468ba1fcfeaeef24b17eea9bbbedfe897ec7cf02c1e60c3e61.exe	83
PID 1720 wrote to memory of 4820	1720	cmd.exe	85
PID 1720 wrote to memory of 4820	1720	cmd.exe	85
PID 1720 wrote to memory of 4820	1720	cmd.exe	85
PID 1720 wrote to memory of 1724	1720	cmd.exe	86
PID 1720 wrote to memory of 1724	1720	cmd.exe	86
PID 1720 wrote to memory of 1724	1720	cmd.exe	86
PID 4820 wrote to memory of 3504	4820	ZamAC7VNr~i2uF.eXe	88
PID 4820 wrote to memory of 3504	4820	ZamAC7VNr~i2uF.eXe	88
PID 4820 wrote to memory of 3504	4820	ZamAC7VNr~i2uF.eXe	88
PID 4820 wrote to memory of 3680	4820	ZamAC7VNr~i2uF.eXe	92
PID 4820 wrote to memory of 3680	4820	ZamAC7VNr~i2uF.eXe	92
PID 4820 wrote to memory of 3680	4820	ZamAC7VNr~i2uF.eXe	92
PID 3680 wrote to memory of 2556	3680	cmd.exe	94
PID 3680 wrote to memory of 2556	3680	cmd.exe	94
PID 3680 wrote to memory of 2556	3680	cmd.exe	94
PID 3680 wrote to memory of 5056	3680	cmd.exe	95
PID 3680 wrote to memory of 5056	3680	cmd.exe	95
PID 3680 wrote to memory of 5056	3680	cmd.exe	95
PID 3680 wrote to memory of 4356	3680	cmd.exe	97
PID 3680 wrote to memory of 4356	3680	cmd.exe	97
PID 3680 wrote to memory of 4356	3680	cmd.exe	97
PID 4356 wrote to memory of 780	4356	regsvr32.exe	107
PID 4356 wrote to memory of 780	4356	regsvr32.exe	107
PID 4356 wrote to memory of 780	4356	regsvr32.exe	107

C:\Users\Admin\AppData\Local\Temp\78a74ea4f8dc7a468ba1fcfeaeef24b17eea9bbbedfe897ec7cf02c1e60c3e61.exe
"C:\Users\Admin\AppData\Local\Temp\78a74ea4f8dc7a468ba1fcfeaeef24b17eea9bbbedfe897ec7cf02c1e60c3e61.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1316
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C COpY /Y"C:\Users\Admin\AppData\Local\Temp\78a74ea4f8dc7a468ba1fcfeaeef24b17eea9bbbedfe897ec7cf02c1e60c3e61.exe" ..\ZamAC7VNr~i2uF.eXe > nUL && Start ..\ZAmAC7vNr~i2uF.eXE -po0TK~LTdWE2nXBqcFAGZqLa & if "" == ""for %X In ( "C:\Users\Admin\AppData\Local\Temp\78a74ea4f8dc7a468ba1fcfeaeef24b17eea9bbbedfe897ec7cf02c1e60c3e61.exe") do taskkill /im "%~NXX" /F > nUL
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Users\Admin\AppData\Local\Temp\ZamAC7VNr~i2uF.eXe
    ..\ZAmAC7vNr~i2uF.eXE -po0TK~LTdWE2nXBqcFAGZqLa
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4820
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /C COpY /Y"C:\Users\Admin\AppData\Local\Temp\ZamAC7VNr~i2uF.eXe" ..\ZamAC7VNr~i2uF.eXe > nUL && Start ..\ZAmAC7vNr~i2uF.eXE -po0TK~LTdWE2nXBqcFAGZqLa & if "-po0TK~LTdWE2nXBqcFAGZqLa " == ""for %X In ( "C:\Users\Admin\AppData\Local\Temp\ZamAC7VNr~i2uF.eXe") do taskkill /im "%~NXX" /F > nUL
      4⤵
      System Location Discovery: System Language Discovery
      PID:3504
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c ecHo h%Time%BmguLC:\Users\Admin\AppData\Local\TempU7k%Cd%qi%Cd%08jLy%rANDom%I79C>BSNd.E0I & ecHO|seT /p = "MZ" > YO~XCVJS.miu & cOPY /Y /b Yo~xCVJS.MiU + ldZpT.u + 2B7b.THK + O79G.NW+ 7DOCE1.SU_ +BSNd.E0I ..\n~qYw._IC > nuL& DEl /Q *> NUL& StaRT regsvr32 /S ..\N~qYW._IC -u
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3680
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" ecHO"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2556
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" seT /p = "MZ" 1>YO~XCVJS.miu"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5056
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        regsvr32 /S ..\N~qYW._IC -u
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4356
      - C:\Users\Admin\AppData\Local\Temp\e58655c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\e58655c.exe"
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:780
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 780 -s 804
        7⤵
        Program crash
        
        PID:4452
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /im "78a74ea4f8dc7a468ba1fcfeaeef24b17eea9bbbedfe897ec7cf02c1e60c3e61.exe" /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 780 -ip 780
1⤵
PID:1416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX1\2b7b.THk

Filesize
393KB

MD5
4b9e46165a55d8876d0e85cac6282775

SHA1
103045f664b16fb1e51fd127dcefc6d5a5ba8e70

SHA256
2fe223befa1178489b046a44253c6f88c8f7b73b9374c2309377c46bf1d4a819

SHA512
3f495bed08516ed670b8877e497b5044a2bb379b8eacd34ce7539ca3d108b7cd348d1a6be39b4d1790b724eb3b02b90282023e6c76037701be5d0fbe6f45b869

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\YO~XCVJS.miu

Filesize
2B

MD5
ac6ad5d9b99757c3a878f2d275ace198

SHA1
439baa1b33514fb81632aaf44d16a9378c5664fc

SHA256
9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d

SHA512
bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\ldZpT.u

Filesize
73KB

MD5
c0a777e2eee4a3c706a2a05f94c0a87e

SHA1
ad55bc9e6893b871d368b5e9f16636945e8b038d

SHA256
2a5511aa2c973586bdb6930a817bb94832329f7b30168388896c103f4172bfc2

SHA512
4e37828f444436ef161dfed5c7f858a9ea6ff23c68c27bb7c5064e4d5b31a8002dfdd1a68ac08528246c6ff869a0c4380dae22bb3d738d2e1f1391f3ec99e594

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\o79g.NW

Filesize
1.0MB

MD5
a2cc505f8d5a2efa58dad23fb5b08c9b

SHA1
30eb4ab5b81259eef3514f3d9c6f9a0b066e4a89

SHA256
4f4a847a0559960c6d29acc91fe5b1a649964d781a255670f025e32990a1ed6b

SHA512
b38fcadc35ba9e0b401f2b2df1077bb3b15e504b18c4a9657cbc4ca01de706f3def36659dfb03f072841d12ac522e66748ca505c961bac15bcedc7399277e527

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZamAC7VNr~i2uF.eXe

Filesize
2.0MB

MD5
0ead280a3e08ff34bee62fcc9cf0a53f

SHA1
8c001de69521a96da77c512fa6742bb3fefcda7d

SHA256
78a74ea4f8dc7a468ba1fcfeaeef24b17eea9bbbedfe897ec7cf02c1e60c3e61

SHA512
047d7d5ef85d6d4ffb1ccf53e2696153ddd6bed38484743c9c4454a0cdcd51934912ebdee2a9de390cc35f8b7db1ecfaa6a2c3d358a92d8a5aae6a63e349b45b

Download Submit
C:\Users\Admin\AppData\Local\Temp\e58655c.exe

Filesize
21KB

MD5
858939a54a0406e5be7220b92b6eb2b3

SHA1
da24c0b6f723a74a8ec59e58c9c0aea3e86b7109

SHA256
a30f30a109cb78d5eb1969f6c13f01a1e0a5f07b7ad8b133f5d2616223c1ce0a

SHA512
8875d1e43ea59314695747796894a2f171e92f7b04024dbc529af1497331489e279cd06ea03061288089d2f07ad437178b9d62f0bae2e16ae0b95c5681569401

Download Submit
memory/780-60-0x0000000000120000-0x0000000000128000-memory.dmp

Filesize
32KB

Download
memory/4356-34-0x000000002D260000-0x000000002D2F8000-memory.dmp

Filesize
608KB

Download
memory/4356-31-0x000000002D260000-0x000000002D2F8000-memory.dmp

Filesize
608KB

Download
memory/4356-32-0x0000000002140000-0x0000000003140000-memory.dmp

Filesize
16.0MB

Download
memory/4356-28-0x000000002D260000-0x000000002D2F8000-memory.dmp

Filesize
608KB

Download
memory/4356-35-0x000000002D300000-0x000000002DC39000-memory.dmp

Filesize
9.2MB

Download
memory/4356-36-0x000000002DC40000-0x000000002DCD1000-memory.dmp

Filesize
580KB

Download
memory/4356-37-0x000000002DCE0000-0x000000002DD6C000-memory.dmp

Filesize
560KB

Download
memory/4356-40-0x000000002DCE0000-0x000000002DD6C000-memory.dmp

Filesize
560KB

Download
memory/4356-41-0x00000000000D0000-0x00000000000D1000-memory.dmp

Filesize
4KB

Download
memory/4356-42-0x0000000000400000-0x0000000000404000-memory.dmp

Filesize
16KB

Download
memory/4356-43-0x0000000000410000-0x0000000000416000-memory.dmp

Filesize
24KB

Download
memory/4356-27-0x000000002D1B0000-0x000000002D25B000-memory.dmp

Filesize
684KB

Download
memory/4356-26-0x0000000002140000-0x0000000003140000-memory.dmp

Filesize
16.0MB

Download