a4ba4c1c540627c04f01f592c422996497c8ab882a4329d297de11289667ebb1

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30/03/2025, 04:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test.exe
Size

164KB
MD5

2369fa6bdd5e97a7dcd2aea9d7f39dca
SHA1

f1cdfc5fffaa82131c2f5c881de155e37dcfc469
SHA256

a4ba4c1c540627c04f01f592c422996497c8ab882a4329d297de11289667ebb1
SHA512

a4705fef7da26a96547685e61524b2b742be9daeb282bdebbc16c48a4b22dc0796f95211737b28b33abe5de4bdf82664c9811b3889e035ef54d0e072dca25cb2
SSDEEP

3072:PbyC/42vwqdUEBCVbFFtsJH4jyrbNeUCNo6wv1mo:PbBubFFthjKbe4P

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	test.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	test.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	test.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TASKKILL.exe

Kills process with taskkill 6 IoCs

defense_evasion

pid	Process
268	TASKKILL.exe
1228	TASKKILL.exe
2904	TASKKILL.exe
2952	TASKKILL.exe
748	TASKKILL.exe
1436	TASKKILL.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2700	schtasks.exe
2276	schtasks.exe
2256	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
2384	test.exe
2384	test.exe
2384	test.exe
2384	test.exe
2384	test.exe
2384	test.exe
2384	test.exe
2524	test.exe
2524	test.exe
2524	test.exe
2524	test.exe
2524	test.exe
2524	test.exe
2524	test.exe
1352	test.exe
1352	test.exe
1352	test.exe
1352	test.exe
1352	test.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2384	test.exe
Token: SeDebugPrivilege	1228	TASKKILL.exe
Token: SeDebugPrivilege	268	TASKKILL.exe
Token: SeDebugPrivilege	2524	test.exe
Token: SeDebugPrivilege	2952	TASKKILL.exe
Token: SeDebugPrivilege	2904	TASKKILL.exe
Token: SeDebugPrivilege	748	TASKKILL.exe
Token: SeDebugPrivilege	1436	TASKKILL.exe
Token: SeDebugPrivilege	1352	test.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 268	2384	test.exe	28
PID 2384 wrote to memory of 268	2384	test.exe	28
PID 2384 wrote to memory of 268	2384	test.exe	28
PID 2384 wrote to memory of 268	2384	test.exe	28
PID 2384 wrote to memory of 1228	2384	test.exe	29
PID 2384 wrote to memory of 1228	2384	test.exe	29
PID 2384 wrote to memory of 1228	2384	test.exe	29
PID 2384 wrote to memory of 1228	2384	test.exe	29
PID 2384 wrote to memory of 2600	2384	test.exe	33
PID 2384 wrote to memory of 2600	2384	test.exe	33
PID 2384 wrote to memory of 2600	2384	test.exe	33
PID 2384 wrote to memory of 2600	2384	test.exe	33
PID 2384 wrote to memory of 2700	2384	test.exe	35
PID 2384 wrote to memory of 2700	2384	test.exe	35
PID 2384 wrote to memory of 2700	2384	test.exe	35
PID 2384 wrote to memory of 2700	2384	test.exe	35
PID 2384 wrote to memory of 2644	2384	test.exe	37
PID 2384 wrote to memory of 2644	2384	test.exe	37
PID 2384 wrote to memory of 2644	2384	test.exe	37
PID 2384 wrote to memory of 2644	2384	test.exe	37
PID 2540 wrote to memory of 2524	2540	taskeng.exe	41
PID 2540 wrote to memory of 2524	2540	taskeng.exe	41
PID 2540 wrote to memory of 2524	2540	taskeng.exe	41
PID 2540 wrote to memory of 2524	2540	taskeng.exe	41
PID 2524 wrote to memory of 2904	2524	test.exe	42
PID 2524 wrote to memory of 2904	2524	test.exe	42
PID 2524 wrote to memory of 2904	2524	test.exe	42
PID 2524 wrote to memory of 2904	2524	test.exe	42
PID 2524 wrote to memory of 2952	2524	test.exe	43
PID 2524 wrote to memory of 2952	2524	test.exe	43
PID 2524 wrote to memory of 2952	2524	test.exe	43
PID 2524 wrote to memory of 2952	2524	test.exe	43
PID 2524 wrote to memory of 2320	2524	test.exe	46
PID 2524 wrote to memory of 2320	2524	test.exe	46
PID 2524 wrote to memory of 2320	2524	test.exe	46
PID 2524 wrote to memory of 2320	2524	test.exe	46
PID 2524 wrote to memory of 2276	2524	test.exe	48
PID 2524 wrote to memory of 2276	2524	test.exe	48
PID 2524 wrote to memory of 2276	2524	test.exe	48
PID 2524 wrote to memory of 2276	2524	test.exe	48
PID 2524 wrote to memory of 1440	2524	test.exe	50
PID 2524 wrote to memory of 1440	2524	test.exe	50
PID 2524 wrote to memory of 1440	2524	test.exe	50
PID 2524 wrote to memory of 1440	2524	test.exe	50
PID 2540 wrote to memory of 1352	2540	taskeng.exe	51
PID 2540 wrote to memory of 1352	2540	taskeng.exe	51
PID 2540 wrote to memory of 1352	2540	taskeng.exe	51
PID 2540 wrote to memory of 1352	2540	taskeng.exe	51
PID 1352 wrote to memory of 748	1352	test.exe	52
PID 1352 wrote to memory of 748	1352	test.exe	52
PID 1352 wrote to memory of 748	1352	test.exe	52
PID 1352 wrote to memory of 748	1352	test.exe	52
PID 1352 wrote to memory of 1436	1352	test.exe	54
PID 1352 wrote to memory of 1436	1352	test.exe	54
PID 1352 wrote to memory of 1436	1352	test.exe	54
PID 1352 wrote to memory of 1436	1352	test.exe	54
PID 1352 wrote to memory of 2720	1352	test.exe	56
PID 1352 wrote to memory of 2720	1352	test.exe	56
PID 1352 wrote to memory of 2720	1352	test.exe	56
PID 1352 wrote to memory of 2720	1352	test.exe	56
PID 1352 wrote to memory of 2256	1352	test.exe	58
PID 1352 wrote to memory of 2256	1352	test.exe	58
PID 1352 wrote to memory of 2256	1352	test.exe	58
PID 1352 wrote to memory of 2256	1352	test.exe	58

C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /F /IM wscript.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:268
- C:\Windows\SysWOW64\TASKKILL.exe
  TASKKILL /F /IM cmd.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1228
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /Delete /tn NYAN /F
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2600
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\test.exe" /sc minute /mo 1
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2700
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
  dw20.exe -x -s 1008
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2644

C:\Windows\system32\taskeng.exe
taskeng.exe {E7E1D5AB-50E4-4229-98C9-72C68EC68A82} S-1-5-21-3533259084-2542256011-65585152-1000:XPAJOTIY\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /F /IM wscript.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2904
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /F /IM cmd.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2952
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Delete /tn NYAN /F
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2320
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\test.exe" /sc minute /mo 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2276
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 556
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1440
- C:\Users\Admin\AppData\Local\Temp\test.exe
  C:\Users\Admin\AppData\Local\Temp\test.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1352
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /F /IM wscript.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:748
- - C:\Windows\SysWOW64\TASKKILL.exe
    TASKKILL /F /IM cmd.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1436
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /Delete /tn NYAN /F
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2720
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /tn NYAN /tr "C:\Users\Admin\AppData\Local\Temp\test.exe" /sc minute /mo 1
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2256
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 556
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2384-0-0x0000000074211000-0x0000000074212000-memory.dmp

Filesize
4KB

Download
memory/2384-1-0x0000000074210000-0x00000000747BB000-memory.dmp

Filesize
5.7MB

Download
memory/2384-2-0x0000000074210000-0x00000000747BB000-memory.dmp

Filesize
5.7MB

Download
memory/2384-10-0x0000000074210000-0x00000000747BB000-memory.dmp

Filesize
5.7MB

Download
memory/2384-11-0x0000000074210000-0x00000000747BB000-memory.dmp

Filesize
5.7MB

Download