413f106555a4bc9147878a7bec9bd32983da07a8c4d8cd898055f7d83c94137d

Analysis

max time kernel
101s
max time network
104s
platform
windows11-21h2_x64
resource
win11-20250410-en
resource tags

arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system
submitted
20/04/2025, 05:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dosbox/DOSBox 0.74 Options.bat
Size

107B
MD5

f6513bd9176d025b1e0b713fdfa70fae
SHA1

60cba55375fddc388bcb183cabb8b8786e45e6d1
SHA256

ff7605d991e0dda17221625b732cbad0c10c5a34f93957d148350a0ef4dc78d5
SHA512

8489ed50aac259f11494a9115191eab190d6bde248d99ec26f10288e6a4c79c0afab42dbcad559fec868a5c2f0a33ea83ab1b43c12a1462ccf2ee950227e309f

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DOSBox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5196 wrote to memory of 3012	5196	cmd.exe	80
PID 5196 wrote to memory of 3012	5196	cmd.exe	80
PID 5196 wrote to memory of 3012	5196	cmd.exe	80
PID 3012 wrote to memory of 3824	3012	DOSBox.exe	81
PID 3012 wrote to memory of 3824	3012	DOSBox.exe	81
PID 3012 wrote to memory of 3824	3012	DOSBox.exe	81

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\dosbox\DOSBox 0.74 Options.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:5196
- C:\Users\Admin\AppData\Local\Temp\dosbox\DOSBox.exe
  DOSBox.exe -editconf notepad.exe -editconf C:\Windows\system32\notepad.exe -editconf C:\Windows\notepad.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe C:\Users\Admin\AppData\Local\DOSBox\dosbox-0.74.conf
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3824

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\DOSBox\dosbox-0.74.conf

Filesize
10KB

MD5
9a31d94629a46f266af772cbc8455733

SHA1
dedfed7e4bc84a94ecdf05e89fe1d911ad31d817

SHA256
8e09fe7b8d8e9d1dcd0199c80260256c749dc3e9fa791781e5ed535b3d49957c

SHA512
ae66fdd859529ca21bd83d002d74ad5c3c816f3e2d54f43032e0b5df2a04bffd8d134ee3882c9da60abcf3e39e76d1d4e4694875db4be8c4740f8a00f7ffb6c1

Download Submit
memory/3012-2-0x0000000067C00000-0x0000000067C0A000-memory.dmp

Filesize
40KB

Download
memory/3012-3-0x0000000068100000-0x0000000068161000-memory.dmp

Filesize
388KB

Download
memory/3012-1-0x0000000000400000-0x0000000002468000-memory.dmp

Filesize
32.4MB

Download