Analysis

max time kernel: 147s
max time network: 146s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 04/10/2024, 22:26 UTC

Behavioral task: behavioral1
Sample: 1728080706a248a4f632b137f140bbdefdc6243fcfee4f77d8efc81faca52425088e5ea1dc575.dat-decoded.exe
Resource: win7-20240704-en

Behavioral task: behavioral2
Sample: 1728080706a248a4f632b137f140bbdefdc6243fcfee4f77d8efc81faca52425088e5ea1dc575.dat-decoded.exe
Resource: win10v2004-20240802-en

General

Target: 1728080706a248a4f632b137f140bbdefdc6243fcfee4f77d8efc81faca52425088e5ea1dc575.dat-decoded.exe
Size: 483KB
MD5: c889bbf5b1e3688a1863be4080a67cdf
SHA1: 78917ebb95eda1e6ea617c9e52fa37cac374e487
SHA256: c17f913d54daa4fc678b281988d2b6997ea93b6bd277bab6c3e222f60065887b
SHA512: 67fbb47e45d633c6a1631dbc9cfd47bbb3f567d11ae362b106edf197191800d2a3989b4454bca526b4e027d14940f1d54497e364090aebc6cc55beab3fcc3c74
SSDEEP: 6144:+XIktXfM8Lv86r9uVWAa2je4Z5zl4hgDHQQs4NTQjoHFsAOZZDAXYcNb5Gv:+X7tPMK8ctGe4Dzl4h2QnuPs/ZDScv

Malware Config

Signatures

System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: 1728080706a248a4f632b137f140bbdefdc6243fcfee4f77d8efc81faca52425088e5ea1dc575.dat-decoded.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
pid: 1580
Process: 1728080706a248a4f632b137f140bbdefdc6243fcfee4f77d8efc81faca52425088e5ea1dc575.dat-decoded.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1728080706a248a4f632b137f140bbdefdc6243fcfee4f77d8efc81faca52425088e5ea1dc575.dat-decoded.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\1728080706a248a4f632b137f140bbdefdc6243fcfee4f77d8efc81faca52425088e5ea1dc575.dat-decoded.exe"
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 1580

Network

DNS sost2024ene.duckdns.org
Process: 1728080706a248a4f632b137f140bbdefdc6243fcfee4f77d8efc81faca52425088e5ea1dc575.dat-decoded.exe
Remote address: 8.8.8.8:53
Request: sost2024ene.duckdns.org IN A
Response: sost2024ene.duckdns.org IN A 186.169.83.212

DNS geoplugin.net
Process: 1728080706a248a4f632b137f140bbdefdc6243fcfee4f77d8efc81faca52425088e5ea1dc575.dat-decoded.exe
Remote address: 8.8.8.8:53
Request: geoplugin.net IN A
Response: geoplugin.net IN A 178.237.33.50

GET http://geoplugin.net/json.gp
Process: 1728080706a248a4f632b137f140bbdefdc6243fcfee4f77d8efc81faca52425088e5ea1dc575.dat-decoded.exe
Remote address: 178.237.33.50:80
Request:
GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
Response:
HTTP/1.1 200 OK
server: Apache
content-length: 955
content-type: application/json; charset=utf-8
cache-control: public, max-age=300
access-control-allow-origin: *

Connections (address | domain | protocol | process | bytes sent | bytes received | packets sent | packets received)

186.169.83.212:1213 | sost2024ene.duckdns.org | tls | 1728080706a248a4f632b137f140bbdefdc6243fcfee4f77d8efc81faca52425088e5ea1dc575.dat-decoded.exe | 3.7kB | 1.6kB | 14 | 17

178.237.33.50:80 | http://geoplugin.net/json.gp | http | 1728080706a248a4f632b137f140bbdefdc6243fcfee4f77d8efc81faca52425088e5ea1dc575.dat-decoded.exe | 623 B | 2.5kB | 12 | 4
HTTP Request: GET http://geoplugin.net/json.gp
HTTP Response: 200

8.8.8.8:53 | sost2024ene.duckdns.org | dns | 1728080706a248a4f632b137f140bbdefdc6243fcfee4f77d8efc81faca52425088e5ea1dc575.dat-decoded.exe | 69 B | 85 B | 1 | 1
DNS Request: sost2024ene.duckdns.org
DNS Response: 186.169.83.212

8.8.8.8:53 | geoplugin.net | dns | 1728080706a248a4f632b137f140bbdefdc6243fcfee4f77d8efc81faca52425088e5ea1dc575.dat-decoded.exe | 59 B | 75 B | 1 | 1
DNS Request: geoplugin.net
DNS Response: 178.237.33.50

MITRE ATT&CK Enterprise v15

Downloads

Filesize: 144B
MD5: da244aedd61446b809c31bc8e6e524f2
SHA1: 04446b9cb430de49eb16da73efe589a7e69f803f
SHA256: 1cdda9620cb81ef1bc3ec014f3855035380a5ce30dee7df3c40db3e14c50b44b
SHA512: 5aa26d4985babb25567b3bf65bd0fe20d8f166b412b0a37b45cb80cef3be5db9f5ccea550f6f7d2c258910429863f170830106fce28109688eed7bca3e837a58