b3fa5a79f8fe6d79aa291d605e5a521e292af6ac8123ff25253e939ee07ce0b2

Analysis

max time kernel
80s
max time network
61s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
13-10-2024 08:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b3fa5a79f8fe6d79aa291d605e5a521e292af6ac8123ff25253e939ee07ce0b2N.exe
Size

1004KB
MD5

b2c7e470722d7551f9b65f5c02fb8e50
SHA1

6d181aba79a8477f08e4fa18eb1211061e0e0bc9
SHA256

b3fa5a79f8fe6d79aa291d605e5a521e292af6ac8123ff25253e939ee07ce0b2
SHA512

87314ee4367a82daf71f02e0c65233c8e0a9c088ad8ff6db8b0f3e4c5fc6e7cac505adeaf520b8ee133591a2499fd2dba4605eacddf33f96a4051097fd3efc57
SSDEEP

12288:YjagpagWRYmHAc2bpINtxvR7NhxHG9y7Z4ZRaru9s5iu2UbxioVBtujVDa/ZSCB8:YjFpgL2KtxS9y7Ka3sI6a/ZSCBHn677

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1192	b3fa5a79f8fe6d79aa291d605e5a521e292af6ac8123ff25253e939ee07ce0b2N.exe

Executes dropped EXE 1 IoCs

pid	Process
1192	b3fa5a79f8fe6d79aa291d605e5a521e292af6ac8123ff25253e939ee07ce0b2N.exe

Loads dropped DLL 1 IoCs

pid	Process
1456	b3fa5a79f8fe6d79aa291d605e5a521e292af6ac8123ff25253e939ee07ce0b2N.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	pastebin.com
4	pastebin.com

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b3fa5a79f8fe6d79aa291d605e5a521e292af6ac8123ff25253e939ee07ce0b2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b3fa5a79f8fe6d79aa291d605e5a521e292af6ac8123ff25253e939ee07ce0b2N.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1192	b3fa5a79f8fe6d79aa291d605e5a521e292af6ac8123ff25253e939ee07ce0b2N.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1456	b3fa5a79f8fe6d79aa291d605e5a521e292af6ac8123ff25253e939ee07ce0b2N.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1192	b3fa5a79f8fe6d79aa291d605e5a521e292af6ac8123ff25253e939ee07ce0b2N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1456 wrote to memory of 1192	1456	b3fa5a79f8fe6d79aa291d605e5a521e292af6ac8123ff25253e939ee07ce0b2N.exe	30
PID 1456 wrote to memory of 1192	1456	b3fa5a79f8fe6d79aa291d605e5a521e292af6ac8123ff25253e939ee07ce0b2N.exe	30
PID 1456 wrote to memory of 1192	1456	b3fa5a79f8fe6d79aa291d605e5a521e292af6ac8123ff25253e939ee07ce0b2N.exe	30
PID 1456 wrote to memory of 1192	1456	b3fa5a79f8fe6d79aa291d605e5a521e292af6ac8123ff25253e939ee07ce0b2N.exe	30

C:\Users\Admin\AppData\Local\Temp\b3fa5a79f8fe6d79aa291d605e5a521e292af6ac8123ff25253e939ee07ce0b2N.exe
"C:\Users\Admin\AppData\Local\Temp\b3fa5a79f8fe6d79aa291d605e5a521e292af6ac8123ff25253e939ee07ce0b2N.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:1456
- C:\Users\Admin\AppData\Local\Temp\b3fa5a79f8fe6d79aa291d605e5a521e292af6ac8123ff25253e939ee07ce0b2N.exe
  C:\Users\Admin\AppData\Local\Temp\b3fa5a79f8fe6d79aa291d605e5a521e292af6ac8123ff25253e939ee07ce0b2N.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:1192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\b3fa5a79f8fe6d79aa291d605e5a521e292af6ac8123ff25253e939ee07ce0b2N.exe

Filesize
1004KB

MD5
c0f2ed265c4084486e005d68a142e40e

SHA1
d6da2836d2382249cda919afa3da086510ce9806

SHA256
9f4e0835ff66370c24575754f4e806fddf4c8829298993a83e8c764e8f93ba73

SHA512
cb0625e4598e8a644edf8f8f2e23930e2e0321ece539bd5422b318ebca846483c5b350054483660a33a2b360f732f726cc52a00ccdbc4a83c6cbdd1fb616cbd4

Download Submit
memory/1192-10-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1192-11-0x0000000000400000-0x00000000004A3000-memory.dmp

Filesize
652KB

Download
memory/1192-13-0x00000000014F0000-0x00000000015DF000-memory.dmp

Filesize
956KB

Download
memory/1192-33-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/1192-39-0x000000000F250000-0x000000000F2F3000-memory.dmp

Filesize
652KB

Download
memory/1192-40-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1456-0-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1456-9-0x0000000000400000-0x00000000004EF000-memory.dmp

Filesize
956KB

Download
memory/1456-7-0x00000000031F0000-0x00000000032DF000-memory.dmp

Filesize
956KB

Download