Resubmissions
03/09/2024, 21:32
240903-1dvy9syeqh 303/09/2024, 21:15
240903-z35pbsxcnm 303/09/2024, 21:00
240903-ztqttaxalq 303/09/2024, 20:53
240903-zps4dawhll 3Analysis
-
max time kernel
121s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
03/09/2024, 21:00
General
-
Target
Cisco AnyConnect Secure Mobility Client/cfom.dll
-
Size
387KB
-
MD5
d805e3c171dcbac06865329892e316dc
-
SHA1
e385f11c7a3c37fc906d0760f263f2fbb07e135a
-
SHA256
188e4e5b71a04c4428daf41c79cdfc902d2289295d981f540faff236f0ffd4b2
-
SHA512
b05129cd66d8c40e7aa88e75a83c18bb6b7e1459bfdc275e1d94ffe29c3f4cb203e6d9ea85c8366e8852b2dcad5a16305a20939c38c2724868f3d7fe3204c671
-
SSDEEP
6144:zqsfJVqWkraXabRmZoByMNI8eESnVwUQDxTaS0IRV3LkHIIII31EGS9uQNDjcxTX:zqsfpkPqogMNh5SnHixTJkdFTIPw
Score
3/10
Malware Config
Signatures
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\Cisco AnyConnect Secure Mobility Client\cfom.dll",#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Users\Admin\AppData\Local\Temp\Cisco AnyConnect Secure Mobility Client\cfom.dll",#12⤵
- System Location Discovery: System Language Discovery
-