d51eff0aa1f9bcf2a3d4b6fbe4bc182b9d143fec77e32f925470162015bc01e3

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
23/08/2024, 10:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

819349010582ddcb4e0505b581b34670N.exe
Size

1.4MB
MD5

819349010582ddcb4e0505b581b34670
SHA1

3f530bd5dc2b56f81365d2372455df478d3b877a
SHA256

d51eff0aa1f9bcf2a3d4b6fbe4bc182b9d143fec77e32f925470162015bc01e3
SHA512

08a227caf82114a0aa631883743e8be478e04f8d4f068753603a1b80afdeaeda91c5ec8668346c3bf2a605ed8b04eb3364b2aa8b2b43eb0de9ab30eeb979fe87
SSDEEP

24576:DZ+k1bZfp943uaVy+nZFdiNOa/ZSNHFp77Lv+f6T8Qnskb2i6OBKaBBbxQ:DZ+WpObasgCHFpbq4TTJbG

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1932	819349010582ddcb4e0505b581b34670N.exe

Executes dropped EXE 1 IoCs

pid	Process
1932	819349010582ddcb4e0505b581b34670N.exe

Loads dropped DLL 1 IoCs

pid	Process
2316	819349010582ddcb4e0505b581b34670N.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	pastebin.com
5	pastebin.com

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	819349010582ddcb4e0505b581b34670N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	819349010582ddcb4e0505b581b34670N.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1932	819349010582ddcb4e0505b581b34670N.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2316	819349010582ddcb4e0505b581b34670N.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1932	819349010582ddcb4e0505b581b34670N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 1932	2316	819349010582ddcb4e0505b581b34670N.exe	31
PID 2316 wrote to memory of 1932	2316	819349010582ddcb4e0505b581b34670N.exe	31
PID 2316 wrote to memory of 1932	2316	819349010582ddcb4e0505b581b34670N.exe	31
PID 2316 wrote to memory of 1932	2316	819349010582ddcb4e0505b581b34670N.exe	31

C:\Users\Admin\AppData\Local\Temp\819349010582ddcb4e0505b581b34670N.exe
"C:\Users\Admin\AppData\Local\Temp\819349010582ddcb4e0505b581b34670N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Users\Admin\AppData\Local\Temp\819349010582ddcb4e0505b581b34670N.exe
  C:\Users\Admin\AppData\Local\Temp\819349010582ddcb4e0505b581b34670N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:1932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\819349010582ddcb4e0505b581b34670N.exe

Filesize
1.4MB

MD5
8638429df59a696c7572b8ea5ed9fdea

SHA1
e83fd107a0eaeb4d124afb5dc3b701bb28e29ba7

SHA256
af3195e309cdc520cb67bbcc48318e618fb0b5934816511afb1505d12b87f5eb

SHA512
10abb3ed27551f707d7a83fbda68a455e914ff014923328a1a96697df2f3ebd9298fe0f6404bed637be1e43d63b9477933f399cc7ebe76f283629c435a7ac609

Download Submit
memory/1932-10-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1932-16-0x0000000002E50000-0x0000000002F3D000-memory.dmp

Filesize
948KB

Download
memory/1932-30-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1932-36-0x00000000056F0000-0x0000000005793000-memory.dmp

Filesize
652KB

Download
memory/1932-37-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/2316-0-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download
memory/2316-7-0x0000000003090000-0x000000000317D000-memory.dmp

Filesize
948KB

Download
memory/2316-9-0x0000000000400000-0x00000000004ED000-memory.dmp

Filesize
948KB

Download