c06b01cfd3f0434e5f28cc85c2cc6892e1a5902018342bba1c87110dd4887997

Analysis

max time kernel
15s
max time network
16s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
18-08-2024 04:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e2cbbbeac3e3fbf04444d57b8c8a8c10N.exe
Size

640KB
MD5

e2cbbbeac3e3fbf04444d57b8c8a8c10
SHA1

9f38030473cbf752842af9b06bef3c2b8a3d01ac
SHA256

c06b01cfd3f0434e5f28cc85c2cc6892e1a5902018342bba1c87110dd4887997
SHA512

dfd8e0bd1b7c74dd295c67f08f4e2fc62d929d7d37cf3c7ea063e57f9211a2f8e5984cb64e91d010ddbcd980d67130d7df71ceda044016bb88bf1ada4b51d02b
SSDEEP

12288:5NzTInlbDeWhVQ5zCD4TyWN9VysX7ryTk2osi9:5NzTIlXeWhVQ5zY4xN9VyUUkV19

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
372	e2cbbbeac3e3fbf04444d57b8c8a8c10N.exe

Executes dropped EXE 1 IoCs

pid	Process
372	e2cbbbeac3e3fbf04444d57b8c8a8c10N.exe

Loads dropped DLL 1 IoCs

pid	Process
2192	e2cbbbeac3e3fbf04444d57b8c8a8c10N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e2cbbbeac3e3fbf04444d57b8c8a8c10N.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2192	e2cbbbeac3e3fbf04444d57b8c8a8c10N.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
372	e2cbbbeac3e3fbf04444d57b8c8a8c10N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 372	2192	e2cbbbeac3e3fbf04444d57b8c8a8c10N.exe	31
PID 2192 wrote to memory of 372	2192	e2cbbbeac3e3fbf04444d57b8c8a8c10N.exe	31
PID 2192 wrote to memory of 372	2192	e2cbbbeac3e3fbf04444d57b8c8a8c10N.exe	31
PID 2192 wrote to memory of 372	2192	e2cbbbeac3e3fbf04444d57b8c8a8c10N.exe	31

C:\Users\Admin\AppData\Local\Temp\e2cbbbeac3e3fbf04444d57b8c8a8c10N.exe
"C:\Users\Admin\AppData\Local\Temp\e2cbbbeac3e3fbf04444d57b8c8a8c10N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Users\Admin\AppData\Local\Temp\e2cbbbeac3e3fbf04444d57b8c8a8c10N.exe
  C:\Users\Admin\AppData\Local\Temp\e2cbbbeac3e3fbf04444d57b8c8a8c10N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  PID:372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\e2cbbbeac3e3fbf04444d57b8c8a8c10N.exe

Filesize
640KB

MD5
efef5ce3ead00017fb004a3ee50f31aa

SHA1
5e63ebf8c19c6da330256f94a1b546c711d0912d

SHA256
5ed03dcff2b6760c5d1825ae72068a3ca5d581c09678f07639e5ec218635b0cc

SHA512
8d3705f85edcec422dc530fe7b3f89b46185aa5dca7c73b3e4c3bc05839c83f7d220176c8f49b44f13f7785d5605def57672e44d480f888bc537a55de989ed69

Download Submit
memory/372-10-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/372-16-0x00000000001F0000-0x0000000000236000-memory.dmp

Filesize
280KB

Download
memory/372-15-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/372-17-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2192-0-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2192-8-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download