1231486611b9aa5e40cfd43654c2640db1627687a3c7316872dd70e4b4e7ea47

Analysis

max time kernel
105s
max time network
115s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26/07/2024, 08:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aafa02ccfc3a6d59d506534ed2ebc070N.exe
Size

174KB
MD5

aafa02ccfc3a6d59d506534ed2ebc070
SHA1

a1cd28bcb39b4460d060ef1372b4c62fbe7f0e95
SHA256

1231486611b9aa5e40cfd43654c2640db1627687a3c7316872dd70e4b4e7ea47
SHA512

245426d217dd31a236854fdba153ee734787338c6fd6a27043f82ac1d0a7a454bac4e73da1340df0e8ebe5f62cb22a6b71d4892af9391b27dcd3e5edf1e526f4
SSDEEP

3072:4MftVuhLf/Y34erRHjgrsX5KYFAM5vTK3clMdisNDtI1rEMe7HzDqRA:M3Y3JdmsJaIOiWDKrA3DqRA

Score

8^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Executes dropped EXE 1 IoCs

pid	Process
4712	amwoxye.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\amwoxye.exe	aafa02ccfc3a6d59d506534ed2ebc070N.exe
File created	C:\PROGRA~3\Mozilla\zfeqbre.dll	amwoxye.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aafa02ccfc3a6d59d506534ed2ebc070N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	amwoxye.exe

C:\Users\Admin\AppData\Local\Temp\aafa02ccfc3a6d59d506534ed2ebc070N.exe
"C:\Users\Admin\AppData\Local\Temp\aafa02ccfc3a6d59d506534ed2ebc070N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3008

C:\PROGRA~3\Mozilla\amwoxye.exe
C:\PROGRA~3\Mozilla\amwoxye.exe -wkgszrd
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Privilege Escalation

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\amwoxye.exe

Filesize
174KB

MD5
ba3ffe2d6478c0b5576bc9b4b0e63748

SHA1
af405fe8cf3482ac823207286a8b897e124a20f5

SHA256
4b3ee3a8703909a798f19edd6f25d7829a991fcc26956edb4595c12450c3d439

SHA512
a5989f7539d850aecd416b3ac9a8adaa479daedff692ac565c33110937c24c25cb432830268fdfdc06929f2bf0c327b0a228ad931ff4a9a1002357ab0c391cf6

Download Submit
memory/3008-2-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3008-3-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3008-1-0x0000000000401000-0x0000000000402000-memory.dmp

Filesize
4KB

Download
memory/3008-0-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3008-9-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4712-10-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4712-15-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4712-14-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/4712-17-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download