Analysis

  • max time kernel
    27s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    12/10/2024, 22:20

General

  • Target

    eb5b250be045ebb96ec3be53ff2a81a3d34a7c7e2e892cc378d8fa7b05a84701N.exe

  • Size

    333KB

  • MD5

    d7eadfc3b361f326c7999dbe8e9ef7f0

  • SHA1

    28f936a78ef9cefda0667714f8fff6a9a7c76fd0

  • SHA256

    eb5b250be045ebb96ec3be53ff2a81a3d34a7c7e2e892cc378d8fa7b05a84701

  • SHA512

    52534ed43e05a3413852714591e919379f514c5f3d4af5a60d718a5c64ce4976af69c79d90c55d3b2063ffa9a5021f0fb919285ca54b7e03f18689569c032655

  • SSDEEP

    6144:eILU50cDi8Ar3vLkf049n/m+GGv9uLrmSVqjy00tDxta+7SY2f:e9GSOCunmqDBSn

Score
3/10

Malware Config

Signatures

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 32 IoCs
  • Modifies data under HKEY_USERS 9 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eb5b250be045ebb96ec3be53ff2a81a3d34a7c7e2e892cc378d8fa7b05a84701N.exe
    "C:\Users\Admin\AppData\Local\Temp\eb5b250be045ebb96ec3be53ff2a81a3d34a7c7e2e892cc378d8fa7b05a84701N.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    PID:2768
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
      PID:2688
    • C:\Windows\system32\csrss.exe
      %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
      1⤵
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      • Suspicious use of WriteProcessMemory
      PID:2692
    • C:\Windows\system32\winlogon.exe
      winlogon.exe
      1⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:2144
      • C:\Windows\system32\LogonUI.exe
        "LogonUI.exe" /flags:0x0
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:776

Network

MITRE ATT&CK Enterprise v15

Downloads

          • memory/776-3-0x0000000002BB0000-0x0000000002BB1000-memory.dmp

            Filesize

            4KB

          • memory/776-4-0x0000000002BB0000-0x0000000002BB1000-memory.dmp

            Filesize

            4KB

          • memory/2688-2-0x0000000002E10000-0x0000000002E11000-memory.dmp

            Filesize

            4KB

          • memory/2768-0-0x0000000000400000-0x0000000000456000-memory.dmp

            Filesize

            344KB

          • memory/2768-1-0x0000000000400000-0x0000000000456000-memory.dmp

            Filesize

            344KB