6b16fd76e7286ae01419766ccd8e87ff5a3767b7d2c344add605125a8ce68603

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
22-08-2024 01:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b7abf1fad5b898b5d54a54571e3b2890N.exe
Size

1.6MB
MD5

b7abf1fad5b898b5d54a54571e3b2890
SHA1

95b4dcee4b247c831e845b784be651b0dc194638
SHA256

6b16fd76e7286ae01419766ccd8e87ff5a3767b7d2c344add605125a8ce68603
SHA512

ea431bc0d7282fbc94762be49a63f2d3b3a28c113bdcdb0f87945d7350ca8f5575dcc7a41e3c94653d23923844624709627bda052057ee7f295cbafb5141e19c
SSDEEP

49152:k3FvTMFQW5cAFcICbgtWl4mrbYE+3Mq0deC76CHdRyD:GFvoGAZCUWl4mrE9SQC76CHdRyD

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1960	b7abf1fad5b898b5d54a54571e3b2890N.exe

Executes dropped EXE 1 IoCs

pid	Process
1960	b7abf1fad5b898b5d54a54571e3b2890N.exe

Loads dropped DLL 1 IoCs

pid	Process
624	b7abf1fad5b898b5d54a54571e3b2890N.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	pastebin.com
3	pastebin.com

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b7abf1fad5b898b5d54a54571e3b2890N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b7abf1fad5b898b5d54a54571e3b2890N.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1960	b7abf1fad5b898b5d54a54571e3b2890N.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
624	b7abf1fad5b898b5d54a54571e3b2890N.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1960	b7abf1fad5b898b5d54a54571e3b2890N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 624 wrote to memory of 1960	624	b7abf1fad5b898b5d54a54571e3b2890N.exe	31
PID 624 wrote to memory of 1960	624	b7abf1fad5b898b5d54a54571e3b2890N.exe	31
PID 624 wrote to memory of 1960	624	b7abf1fad5b898b5d54a54571e3b2890N.exe	31
PID 624 wrote to memory of 1960	624	b7abf1fad5b898b5d54a54571e3b2890N.exe	31

C:\Users\Admin\AppData\Local\Temp\b7abf1fad5b898b5d54a54571e3b2890N.exe
"C:\Users\Admin\AppData\Local\Temp\b7abf1fad5b898b5d54a54571e3b2890N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:624
- C:\Users\Admin\AppData\Local\Temp\b7abf1fad5b898b5d54a54571e3b2890N.exe
  C:\Users\Admin\AppData\Local\Temp\b7abf1fad5b898b5d54a54571e3b2890N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:1960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\b7abf1fad5b898b5d54a54571e3b2890N.exe

Filesize
1.6MB

MD5
a3e8d868361dbf6bb0fe441efbb95bd5

SHA1
a9aa51fc789f337d20a9f2dc86d10f0a7eb1247f

SHA256
2f213b408a6f0160ac488960bf38df052c418c84163439b0d96a0ecc1b5e298e

SHA512
78c0b1f7e2bdf61c8efe35a8095667af857a009d8d56f2c566fec1eb81223bd0b99e1a8f28cfa984f19b8ec58d846023fb3fa4b742d90328dbc45615faf21f9f

Download Submit
memory/624-0-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/624-7-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/1960-9-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/1960-10-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1960-16-0x0000000002F10000-0x0000000003002000-memory.dmp

Filesize
968KB

Download
memory/1960-38-0x000000000D8C0000-0x000000000D963000-memory.dmp

Filesize
652KB

Download
memory/1960-32-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1960-39-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download