Analysis
-
max time kernel
15s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
09/11/2024, 21:17
Static task
static1
Behavioral task
behavioral1
Sample
c4b3fbd6c43b34d3818b28c5df707adb20dcf40870e92d816bad9c632eb828c2N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
c4b3fbd6c43b34d3818b28c5df707adb20dcf40870e92d816bad9c632eb828c2N.exe
Resource
win10v2004-20241007-en
General
-
Target
c4b3fbd6c43b34d3818b28c5df707adb20dcf40870e92d816bad9c632eb828c2N.exe
-
Size
90KB
-
MD5
5f9cb0091d31abea73bb6d919418f090
-
SHA1
0e27682c0240be2f29a5ffea62c8c64ee30dd32c
-
SHA256
c4b3fbd6c43b34d3818b28c5df707adb20dcf40870e92d816bad9c632eb828c2
-
SHA512
5db9797e78bbecb0bad6c95d4ff7faf63ce3759d59b080f8341f64dd451353fd9187afd0efb025776aabfe728a644cb7b6d51a2b98345f8b915c03e247181641
-
SSDEEP
1536:fbO5Z3CDT1OFXcahvBVxoqleuhw7+Ub3Kmb1Qz9r0I+MtyGu1eX85Xm/pFK1fdD+:6bS/1OHpVxoqeSw7+Uj1IF+LG9X8sKrS
Malware Config
Signatures
-
Deletes itself 1 IoCs
pid Process 1928 c4b3fbd6c43b34d3818b28c5df707adb20dcf40870e92d816bad9c632eb828c2N.exe -
Executes dropped EXE 1 IoCs
pid Process 1928 c4b3fbd6c43b34d3818b28c5df707adb20dcf40870e92d816bad9c632eb828c2N.exe -
Loads dropped DLL 1 IoCs
pid Process 2204 c4b3fbd6c43b34d3818b28c5df707adb20dcf40870e92d816bad9c632eb828c2N.exe -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c4b3fbd6c43b34d3818b28c5df707adb20dcf40870e92d816bad9c632eb828c2N.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 2204 c4b3fbd6c43b34d3818b28c5df707adb20dcf40870e92d816bad9c632eb828c2N.exe -
Suspicious use of UnmapMainImage 2 IoCs
pid Process 2204 c4b3fbd6c43b34d3818b28c5df707adb20dcf40870e92d816bad9c632eb828c2N.exe 1928 c4b3fbd6c43b34d3818b28c5df707adb20dcf40870e92d816bad9c632eb828c2N.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2204 wrote to memory of 1928 2204 c4b3fbd6c43b34d3818b28c5df707adb20dcf40870e92d816bad9c632eb828c2N.exe 31 PID 2204 wrote to memory of 1928 2204 c4b3fbd6c43b34d3818b28c5df707adb20dcf40870e92d816bad9c632eb828c2N.exe 31 PID 2204 wrote to memory of 1928 2204 c4b3fbd6c43b34d3818b28c5df707adb20dcf40870e92d816bad9c632eb828c2N.exe 31 PID 2204 wrote to memory of 1928 2204 c4b3fbd6c43b34d3818b28c5df707adb20dcf40870e92d816bad9c632eb828c2N.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\c4b3fbd6c43b34d3818b28c5df707adb20dcf40870e92d816bad9c632eb828c2N.exe"C:\Users\Admin\AppData\Local\Temp\c4b3fbd6c43b34d3818b28c5df707adb20dcf40870e92d816bad9c632eb828c2N.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Users\Admin\AppData\Local\Temp\c4b3fbd6c43b34d3818b28c5df707adb20dcf40870e92d816bad9c632eb828c2N.exeC:\Users\Admin\AppData\Local\Temp\c4b3fbd6c43b34d3818b28c5df707adb20dcf40870e92d816bad9c632eb828c2N.exe2⤵
- Deletes itself
- Executes dropped EXE
- Suspicious use of UnmapMainImage
PID:1928
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
\Users\Admin\AppData\Local\Temp\c4b3fbd6c43b34d3818b28c5df707adb20dcf40870e92d816bad9c632eb828c2N.exe
Filesize90KB
MD5e4c89dc028b820d4a44cb70d69d1e582
SHA17de95dd2cc625b980aa0fb5c8d19a21b02910c2b
SHA25656eae82ae149ed712dcf7bbea1136013a7f892fff740712d75cb9231fdba881c
SHA5129f213c577d2f948424eabf78558ff1382643ffe7f1e154af4e478c551014c59492abb51e9ac9d576e1baee430108c2060e68fb793947a5f88a202586f0b5fd57