b0fec7506c51b7ee6339be43e21be53a272e7c32aee2eae94c2adcc772de483c

Analysis

max time kernel
15s
max time network
17s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
14-08-2024 19:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ebdda93e9c72423ad33848c1962cab00N.exe
Size

194KB
MD5

ebdda93e9c72423ad33848c1962cab00
SHA1

739a8df25b3230a27f9f0fc974a3d15400acdb07
SHA256

b0fec7506c51b7ee6339be43e21be53a272e7c32aee2eae94c2adcc772de483c
SHA512

a38034535250496d6e90dc750cd310b6a4691bac862182060a5f565102bc23363d8e0cf8e4445e0e15923bb71bb83e4bd7501f3513080385932915033eb26b58
SSDEEP

6144:snuqz5VCFSyqu67Xh67XkBSVhccIJmExQ:snuqz5QRnih6MLFJmExQ

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2252	ebdda93e9c72423ad33848c1962cab00N.exe

Executes dropped EXE 1 IoCs

pid	Process
2252	ebdda93e9c72423ad33848c1962cab00N.exe

Loads dropped DLL 1 IoCs

pid	Process
836	ebdda93e9c72423ad33848c1962cab00N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ebdda93e9c72423ad33848c1962cab00N.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
836	ebdda93e9c72423ad33848c1962cab00N.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2252	ebdda93e9c72423ad33848c1962cab00N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 836 wrote to memory of 2252	836	ebdda93e9c72423ad33848c1962cab00N.exe	31
PID 836 wrote to memory of 2252	836	ebdda93e9c72423ad33848c1962cab00N.exe	31
PID 836 wrote to memory of 2252	836	ebdda93e9c72423ad33848c1962cab00N.exe	31
PID 836 wrote to memory of 2252	836	ebdda93e9c72423ad33848c1962cab00N.exe	31

C:\Users\Admin\AppData\Local\Temp\ebdda93e9c72423ad33848c1962cab00N.exe
"C:\Users\Admin\AppData\Local\Temp\ebdda93e9c72423ad33848c1962cab00N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:836
- C:\Users\Admin\AppData\Local\Temp\ebdda93e9c72423ad33848c1962cab00N.exe
  C:\Users\Admin\AppData\Local\Temp\ebdda93e9c72423ad33848c1962cab00N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:2252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ebdda93e9c72423ad33848c1962cab00N.exe

Filesize
194KB

MD5
cb94230db8cc6e66768d05ca0c87256e

SHA1
61d98a479d0129ce8fd5ace8c2e8911e7603ddcc

SHA256
67b2619ee5d5b8ba73c789294bde04af44d78311f4fa6c9b706ad7e159aa0492

SHA512
99e7b3bee05acf29b45cfa4722444317441d5530c282c3b3c3e18b3c5aae776cce53e45b3a387dd6e2a9ba0d5e32bf2b1b3a02f1931293473512909479a96438

Download Submit
memory/836-0-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/836-10-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2252-17-0x00000000001E0000-0x0000000000219000-memory.dmp

Filesize
228KB

Download
memory/2252-12-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2252-11-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download