59dc640ffa99ad1da961df8cc243a5d0c193cfa99d6a9c7b35107bec3c89ec59

Analysis

max time kernel
80s
max time network
61s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27/09/2024, 21:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59dc640ffa99ad1da961df8cc243a5d0c193cfa99d6a9c7b35107bec3c89ec59N.exe
Size

988KB
MD5

5cc95c47beea902404f58ec7bf3e4bf0
SHA1

80132e618fb5da5ef03965405d6808f9ba6df8c5
SHA256

59dc640ffa99ad1da961df8cc243a5d0c193cfa99d6a9c7b35107bec3c89ec59
SHA512

20fb19c8a969420e90e365c00b6b29e8ddfac22774186deb5cf82931712f4cc27bdd01a6bf37e8a8102209e73b6b32c9fcaa1a353383b007f2ed6e25540df27c
SSDEEP

24576:uZxkG5b/nenk3su45PctcUp1mQBAi2ZrZ3Wd5Xa/ZS6o77LQdmbgrr:uLkG5Lnenk3su45PctcUp1mQ4rZ3Wd5i

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2824	59dc640ffa99ad1da961df8cc243a5d0c193cfa99d6a9c7b35107bec3c89ec59N.exe

Executes dropped EXE 1 IoCs

pid	Process
2824	59dc640ffa99ad1da961df8cc243a5d0c193cfa99d6a9c7b35107bec3c89ec59N.exe

Loads dropped DLL 1 IoCs

pid	Process
2316	59dc640ffa99ad1da961df8cc243a5d0c193cfa99d6a9c7b35107bec3c89ec59N.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	pastebin.com
4	pastebin.com

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	59dc640ffa99ad1da961df8cc243a5d0c193cfa99d6a9c7b35107bec3c89ec59N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	59dc640ffa99ad1da961df8cc243a5d0c193cfa99d6a9c7b35107bec3c89ec59N.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2824	59dc640ffa99ad1da961df8cc243a5d0c193cfa99d6a9c7b35107bec3c89ec59N.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2316	59dc640ffa99ad1da961df8cc243a5d0c193cfa99d6a9c7b35107bec3c89ec59N.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2824	59dc640ffa99ad1da961df8cc243a5d0c193cfa99d6a9c7b35107bec3c89ec59N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2824	2316	59dc640ffa99ad1da961df8cc243a5d0c193cfa99d6a9c7b35107bec3c89ec59N.exe	31
PID 2316 wrote to memory of 2824	2316	59dc640ffa99ad1da961df8cc243a5d0c193cfa99d6a9c7b35107bec3c89ec59N.exe	31
PID 2316 wrote to memory of 2824	2316	59dc640ffa99ad1da961df8cc243a5d0c193cfa99d6a9c7b35107bec3c89ec59N.exe	31
PID 2316 wrote to memory of 2824	2316	59dc640ffa99ad1da961df8cc243a5d0c193cfa99d6a9c7b35107bec3c89ec59N.exe	31

C:\Users\Admin\AppData\Local\Temp\59dc640ffa99ad1da961df8cc243a5d0c193cfa99d6a9c7b35107bec3c89ec59N.exe
"C:\Users\Admin\AppData\Local\Temp\59dc640ffa99ad1da961df8cc243a5d0c193cfa99d6a9c7b35107bec3c89ec59N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2316
- C:\Users\Admin\AppData\Local\Temp\59dc640ffa99ad1da961df8cc243a5d0c193cfa99d6a9c7b35107bec3c89ec59N.exe
  C:\Users\Admin\AppData\Local\Temp\59dc640ffa99ad1da961df8cc243a5d0c193cfa99d6a9c7b35107bec3c89ec59N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\59dc640ffa99ad1da961df8cc243a5d0c193cfa99d6a9c7b35107bec3c89ec59N.exe

Filesize
988KB

MD5
754febdfcd0a2f1ba6e42bd3442e6b86

SHA1
a67513cc677688fcb55b90e9631efd484259c43b

SHA256
d999a3affa602e5cbc08a4e49b4b0c16b4f7641536df1aecef9504cc972120ce

SHA512
4f284122f0c6322af2bcd6cb166c25f059fa8cc8dab52619a36b734eb2d18a8e74051af038df3774238a04ea2f5bf1d5492a0bad34821d2988ce8f4fa380f242

Download Submit
memory/2316-0-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2316-6-0x00000000030D0000-0x00000000031BF000-memory.dmp

Filesize
956KB

Download
memory/2316-9-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2824-10-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/2824-12-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/2824-14-0x0000000002EE0000-0x0000000002FCF000-memory.dmp

Filesize
956KB

Download
memory/2824-33-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2824-39-0x000000000EE90000-0x000000000EF33000-memory.dmp

Filesize
652KB

Download
memory/2824-40-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download