5b7d1a48ac05e8b2c6cd200a641ba0acd870a4f65f178d4dfa92762621fef894

Analysis

max time kernel
120s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
03/09/2024, 22:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b7d1a48ac05e8b2c6cd200a641ba0acd870a4f65f178d4dfa92762621fef894.exe
Size

3.7MB
MD5

c31462f1b1bd64a8b27ea1d396870011
SHA1

37a5c2c590164eda5258010ec5e4b49d541e7a65
SHA256

5b7d1a48ac05e8b2c6cd200a641ba0acd870a4f65f178d4dfa92762621fef894
SHA512

63bd204e0985152b9e380f2471c0bce545ef242200a7ac6a426c35ba3336a77beef35b43a0ec6f2e0b23d32a07a1f141b556c4a9591e71d4724bdc2912697d33
SSDEEP

98304:jamC2MkcH7PJlIXpHKvIeFebLUZ4pv4pnY:4wKPJIpHKveLU+pv4y

Score

8^/10

discovery persistence privilege_escalation vmprotect

Malware Config

Signatures

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Executes dropped EXE 1 IoCs

pid	Process
2360	yofzeuh.exe

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/memory/1728-0-0x0000000000400000-0x0000000000980000-memory.dmp	vmprotect
behavioral1/files/0x0009000000017429-6.dat	vmprotect
behavioral1/memory/2360-8-0x0000000000400000-0x0000000000980000-memory.dmp	vmprotect

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\yofzeuh.exe	5b7d1a48ac05e8b2c6cd200a641ba0acd870a4f65f178d4dfa92762621fef894.exe
File created	C:\PROGRA~3\Mozilla\mkkxkvk.dll	yofzeuh.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5b7d1a48ac05e8b2c6cd200a641ba0acd870a4f65f178d4dfa92762621fef894.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yofzeuh.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1728	5b7d1a48ac05e8b2c6cd200a641ba0acd870a4f65f178d4dfa92762621fef894.exe
2360	yofzeuh.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 2360	2412	taskeng.exe	31
PID 2412 wrote to memory of 2360	2412	taskeng.exe	31
PID 2412 wrote to memory of 2360	2412	taskeng.exe	31
PID 2412 wrote to memory of 2360	2412	taskeng.exe	31

C:\Users\Admin\AppData\Local\Temp\5b7d1a48ac05e8b2c6cd200a641ba0acd870a4f65f178d4dfa92762621fef894.exe
"C:\Users\Admin\AppData\Local\Temp\5b7d1a48ac05e8b2c6cd200a641ba0acd870a4f65f178d4dfa92762621fef894.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of UnmapMainImage
PID:1728

C:\Windows\system32\taskeng.exe
taskeng.exe {D4B7FB98-ED5E-406E-9389-8FAD9ABC70F2} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2412
- C:\PROGRA~3\Mozilla\yofzeuh.exe
  C:\PROGRA~3\Mozilla\yofzeuh.exe -qmgjyzc
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Privilege Escalation

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\yofzeuh.exe

Filesize
3.7MB

MD5
5aa506fee8fc238a4f68e2f0db8fcdc6

SHA1
2b5696847b0bf01e3c92f1dcedbda76e9a98d476

SHA256
065033bfdad8aba5bce17557a03c6ec5ba8c12727027b897b7c501d53bafe1ea

SHA512
379dd7d6eb54ac6e5f6a2db9ce048b7eb9e9c83d43b4e4889f7ac3437ef57d9238c4ea40f86ff37f3505b3d37cb3481d3ade2c84dfe5a1899b0f9acbe0b61fb2

Download Submit
memory/1728-3-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1728-2-0x0000000000300000-0x000000000035B000-memory.dmp

Filesize
364KB

Download
memory/1728-0-0x0000000000400000-0x0000000000980000-memory.dmp

Filesize
5.5MB

Download
memory/1728-5-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2360-8-0x0000000000400000-0x0000000000980000-memory.dmp

Filesize
5.5MB

Download
memory/2360-11-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2360-10-0x0000000000CA0000-0x0000000000CFB000-memory.dmp

Filesize
364KB

Download
memory/2360-13-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download