7461911bc9e836c9129e351b6fc62401fd928c05f221d03425f20aac6e1c3971

Analysis

max time kernel
121s
max time network
124s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
26/07/2024, 23:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7461911bc9e836c9129e351b6fc62401fd928c05f221d03425f20aac6e1c3971.exe
Size

140KB
MD5

4566185a8dbb237173d99c4da65f47dc
SHA1

477066217e525c7b85ac1052bdceba127ea5a927
SHA256

7461911bc9e836c9129e351b6fc62401fd928c05f221d03425f20aac6e1c3971
SHA512

c82ef8faa3d9849bcadd31b0d89b4fd6e271043c95af29b302a03b88eb5a23fd1b5d9db9b6ed65cc2cda65bfe7686524d6ab4b3a72f59e4b5781f6a53e9b6d56
SSDEEP

3072:FC+b/xEwBxygI9vj0AT1smXA3HizrYZ6oXHqBNI5xL:k+LxBxULrsr3CffoXKBy59

Score

8^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Executes dropped EXE 1 IoCs

pid	Process
2488	shzxojm.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\shzxojm.exe	7461911bc9e836c9129e351b6fc62401fd928c05f221d03425f20aac6e1c3971.exe
File created	C:\PROGRA~3\Mozilla\axpbjmm.dll	shzxojm.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7461911bc9e836c9129e351b6fc62401fd928c05f221d03425f20aac6e1c3971.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shzxojm.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 2488	2076	taskeng.exe	31
PID 2076 wrote to memory of 2488	2076	taskeng.exe	31
PID 2076 wrote to memory of 2488	2076	taskeng.exe	31
PID 2076 wrote to memory of 2488	2076	taskeng.exe	31

C:\Users\Admin\AppData\Local\Temp\7461911bc9e836c9129e351b6fc62401fd928c05f221d03425f20aac6e1c3971.exe
"C:\Users\Admin\AppData\Local\Temp\7461911bc9e836c9129e351b6fc62401fd928c05f221d03425f20aac6e1c3971.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2056

C:\Windows\system32\taskeng.exe
taskeng.exe {57324290-B901-40BB-AEB7-F29FD11E55F6} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2076
- C:\PROGRA~3\Mozilla\shzxojm.exe
  C:\PROGRA~3\Mozilla\shzxojm.exe -lxzgtlg
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:2488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Privilege Escalation

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\shzxojm.exe

Filesize
140KB

MD5
5f7f926d1d505e95926c22ef2e93d79c

SHA1
4dd272515751211bae4ae0e1e1b6d4ae73e12b06

SHA256
250da622179ad352881b16b31927cf9f8f315921ba55c73cdbd4982a5812931a

SHA512
ac89dc97578bdf442e203dd38aa6e2ab3cc7b7c7de41ae701aad65dd3c129fc25bcb04154bdbc9272230f7e4408471386538e7d5440cdb49c3f1381e3e45a2a7

Download Submit
memory/2056-6-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2056-3-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2056-0-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2056-2-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2056-9-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2056-1-0x0000000000401000-0x0000000000403000-memory.dmp

Filesize
8KB

Download
memory/2488-12-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2488-13-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2488-15-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2488-14-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2488-18-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2488-20-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download