81f99c5b0327626eb7d5a5e804df898ae26229f9e5f4a0f42c374ee9f8387d63

Analysis

max time kernel
82s
max time network
69s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
21-08-2024 15:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3abccfd3a85f85888dcbc2836859d290N.exe
Size

5.0MB
MD5

3abccfd3a85f85888dcbc2836859d290
SHA1

75e8d70dc3f27adc32f34f346248bee7cb45f27d
SHA256

81f99c5b0327626eb7d5a5e804df898ae26229f9e5f4a0f42c374ee9f8387d63
SHA512

f47ae1ddd50d4c4ae29ad04777a7d14cdd78198bb9c1a2391da00ac187594432c1ee465c0b8964135b001268c614567232269e7a72a36e68f1312486e2292d10
SSDEEP

98304:W2igfeezuE4KFtaEkQQQAEXytvZi8eue8RQQW1SjPI5VZhQQAEXytvZi8eue8:W2igGgxFtaEkQpOfpPChpO

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2520	3abccfd3a85f85888dcbc2836859d290N.exe

Executes dropped EXE 1 IoCs

pid	Process
2520	3abccfd3a85f85888dcbc2836859d290N.exe

Loads dropped DLL 1 IoCs

pid	Process
900	3abccfd3a85f85888dcbc2836859d290N.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	pastebin.com
5	pastebin.com

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3abccfd3a85f85888dcbc2836859d290N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3abccfd3a85f85888dcbc2836859d290N.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2520	3abccfd3a85f85888dcbc2836859d290N.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
900	3abccfd3a85f85888dcbc2836859d290N.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2520	3abccfd3a85f85888dcbc2836859d290N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 900 wrote to memory of 2520	900	3abccfd3a85f85888dcbc2836859d290N.exe	30
PID 900 wrote to memory of 2520	900	3abccfd3a85f85888dcbc2836859d290N.exe	30
PID 900 wrote to memory of 2520	900	3abccfd3a85f85888dcbc2836859d290N.exe	30
PID 900 wrote to memory of 2520	900	3abccfd3a85f85888dcbc2836859d290N.exe	30

C:\Users\Admin\AppData\Local\Temp\3abccfd3a85f85888dcbc2836859d290N.exe
"C:\Users\Admin\AppData\Local\Temp\3abccfd3a85f85888dcbc2836859d290N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:900
- C:\Users\Admin\AppData\Local\Temp\3abccfd3a85f85888dcbc2836859d290N.exe
  C:\Users\Admin\AppData\Local\Temp\3abccfd3a85f85888dcbc2836859d290N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\3abccfd3a85f85888dcbc2836859d290N.exe

Filesize
5.0MB

MD5
f7b7fd21a2499f52e0650e4cb94d8dce

SHA1
dba95271c1e5542a5491cdd4626bf72fbf71ae6e

SHA256
a42df64a43584e603d88d6e2fd2a50db69fdf08ebe13b3e23ad1d5d09730f268

SHA512
4e3f5d505ca8e080109cb1ddb262abf79bd717383717829ebfb454cc93a214b9619a40908450df90c01b8d49c2b9bd639bd0559763723a3c0324b087384b1c33

Download Submit
memory/900-0-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/900-7-0x00000000002F0000-0x00000000003E1000-memory.dmp

Filesize
964KB

Download
memory/900-9-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/2520-10-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download
memory/2520-11-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2520-17-0x0000000002E90000-0x0000000002F81000-memory.dmp

Filesize
964KB

Download
memory/2520-33-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2520-39-0x000000000ECE0000-0x000000000ED83000-memory.dmp

Filesize
652KB

Download
memory/2520-40-0x0000000000400000-0x00000000004F1000-memory.dmp

Filesize
964KB

Download