d0de52ef94137d15e6fa4b7968023b7889ad88686c219fb33fc5e9c35f265839

Analysis

max time kernel
14s
max time network
18s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07/09/2024, 12:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ffb816bbaa03cfe0874ba6764e6df950N.exe
Size

4.6MB
MD5

ffb816bbaa03cfe0874ba6764e6df950
SHA1

5a290a657dedc9147503073e6875ded88519d230
SHA256

d0de52ef94137d15e6fa4b7968023b7889ad88686c219fb33fc5e9c35f265839
SHA512

b1427eb1a93862397ca217869cc99e7007c807503ae36b3e617b0baa503b2fc3f2e76db1a591eec49d3083d833a5abe8b3f7f3c3650d7c208e4842810d192e79
SSDEEP

6144:pIPZVeZOKXM3S2uDXQofi7TzZII96Nq1NAKSZh+i:pIRSOKX72uk//KYAkKb+i

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
2376	ffb816bbaa03cfe0874ba6764e6df950N.exe
2376	ffb816bbaa03cfe0874ba6764e6df950N.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2380	2376	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ffb816bbaa03cfe0874ba6764e6df950N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 2380	2376	ffb816bbaa03cfe0874ba6764e6df950N.exe	30
PID 2376 wrote to memory of 2380	2376	ffb816bbaa03cfe0874ba6764e6df950N.exe	30
PID 2376 wrote to memory of 2380	2376	ffb816bbaa03cfe0874ba6764e6df950N.exe	30
PID 2376 wrote to memory of 2380	2376	ffb816bbaa03cfe0874ba6764e6df950N.exe	30

C:\Users\Admin\AppData\Local\Temp\ffb816bbaa03cfe0874ba6764e6df950N.exe
"C:\Users\Admin\AppData\Local\Temp\ffb816bbaa03cfe0874ba6764e6df950N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 200
  2⤵
  - Program crash
  PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\DBXBL.exe

Filesize
4.6MB

MD5
5d9dd351e3d3111e498ede2685f572e7

SHA1
290ae36c881c27bafdee80bc71bd2d0face15aaa

SHA256
d43409fbdc59419d7e48b37b60a333cefa9778b4fbd5e89b1a8bcc718970f62f

SHA512
b6dadf75d5fe33f60708ab5f7f6c6afd309869fd1ac717c66a6d75f2c27d0aad2d320b4195d7f8dfcf352d2021f71ba3b823175039952d2a144a583ad0ba0653

Download Submit