e801a02936cc0ef8402db5e94f54adc186a7162e155ae2928b04645ef87ca771

Analysis

max time kernel
80s
max time network
65s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-09-2024 12:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e64761a1f5ad58e785abaeca605bd590N.exe
Size

1.9MB
MD5

e64761a1f5ad58e785abaeca605bd590
SHA1

2ed1b728d51aa964a77cb3d4729b6c36947df167
SHA256

e801a02936cc0ef8402db5e94f54adc186a7162e155ae2928b04645ef87ca771
SHA512

42d331f4a209635cfcf666207ef52b12fb540b129f7634be1a829d1310d2638cb049cc363047f2097125dd1e05fd71fc4dac0ebc17cccebafe3d9bebc0ad530b
SSDEEP

24576:39kSEuzft2Fe9uK+uj/kqg3xmULKa/ZSoa/JXekh77Lv+f6T8gsihEChlUu+0:39xQFS+urk9xmULKgTg4khbNsm+0

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2388	e64761a1f5ad58e785abaeca605bd590N.exe

Executes dropped EXE 1 IoCs

pid	Process
2388	e64761a1f5ad58e785abaeca605bd590N.exe

Loads dropped DLL 1 IoCs

pid	Process
536	e64761a1f5ad58e785abaeca605bd590N.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	pastebin.com
5	pastebin.com

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e64761a1f5ad58e785abaeca605bd590N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e64761a1f5ad58e785abaeca605bd590N.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2388	e64761a1f5ad58e785abaeca605bd590N.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
536	e64761a1f5ad58e785abaeca605bd590N.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2388	e64761a1f5ad58e785abaeca605bd590N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 536 wrote to memory of 2388	536	e64761a1f5ad58e785abaeca605bd590N.exe	32
PID 536 wrote to memory of 2388	536	e64761a1f5ad58e785abaeca605bd590N.exe	32
PID 536 wrote to memory of 2388	536	e64761a1f5ad58e785abaeca605bd590N.exe	32
PID 536 wrote to memory of 2388	536	e64761a1f5ad58e785abaeca605bd590N.exe	32

C:\Users\Admin\AppData\Local\Temp\e64761a1f5ad58e785abaeca605bd590N.exe
"C:\Users\Admin\AppData\Local\Temp\e64761a1f5ad58e785abaeca605bd590N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:536
- C:\Users\Admin\AppData\Local\Temp\e64761a1f5ad58e785abaeca605bd590N.exe
  C:\Users\Admin\AppData\Local\Temp\e64761a1f5ad58e785abaeca605bd590N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:2388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\e64761a1f5ad58e785abaeca605bd590N.exe

Filesize
1.9MB

MD5
8792e2bc07474fed687cccf0902504bf

SHA1
b23d2001abd7cb108dc47b9783780785433cd730

SHA256
08c07033e8605e5295921e11479ddb7e50f12751403c100710bb7cd15f8b0907

SHA512
6f8036718a0e23995002cdbe583c8fa7eeefa23e6e910012e9d926d7ff9ac04b8a765cbb4a9936a83cb631541a0a9521c360175ffb43b0e9d1e5507ad68fc801

Download Submit
memory/536-0-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/536-9-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/536-6-0x0000000003260000-0x0000000003377000-memory.dmp

Filesize
1.1MB

Download
memory/2388-10-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/2388-11-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2388-17-0x0000000002F80000-0x0000000003097000-memory.dmp

Filesize
1.1MB

Download
memory/2388-31-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2388-37-0x0000000005740000-0x00000000057E3000-memory.dmp

Filesize
652KB

Download
memory/2388-38-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download