8e5b326b4451499e7d55a2c6825559c9c59cb0d9114d89ff23cd12c5710cb940

Analysis

max time kernel
115s
max time network
19s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06/09/2024, 02:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b87b0fb0e85dcde222b1fc3eba00e60N.exe
Size

132KB
MD5

2b87b0fb0e85dcde222b1fc3eba00e60
SHA1

04291d94327e6e7c5d690e82463472603f389feb
SHA256

8e5b326b4451499e7d55a2c6825559c9c59cb0d9114d89ff23cd12c5710cb940
SHA512

2b5aec623a4329eaaf8e1abb3e2c56a0df5490fb051ef83bfc55b0a9b099af42a3553843e1c9df7af96286f0ce53f1beb57c63b0e1c12e67a8c6abc713cb4e54
SSDEEP

3072:ZVMfMIbIaw3J90/LfD/Q+BC3K5eqU+BC3K5eqYroGIkToBl:kfMmMmXgK70K79R

Score

8^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Executes dropped EXE 1 IoCs

pid	Process
2616	ndribzb.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\ndribzb.exe	2b87b0fb0e85dcde222b1fc3eba00e60N.exe
File created	C:\PROGRA~3\Mozilla\fyggpme.dll	ndribzb.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ndribzb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2b87b0fb0e85dcde222b1fc3eba00e60N.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2764 wrote to memory of 2616	2764	taskeng.exe	31
PID 2764 wrote to memory of 2616	2764	taskeng.exe	31
PID 2764 wrote to memory of 2616	2764	taskeng.exe	31
PID 2764 wrote to memory of 2616	2764	taskeng.exe	31

C:\Users\Admin\AppData\Local\Temp\2b87b0fb0e85dcde222b1fc3eba00e60N.exe
"C:\Users\Admin\AppData\Local\Temp\2b87b0fb0e85dcde222b1fc3eba00e60N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2700

C:\Windows\system32\taskeng.exe
taskeng.exe {6C15DB1F-7E3E-4573-9CCB-94CEE9A8F257} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2764
- C:\PROGRA~3\Mozilla\ndribzb.exe
  C:\PROGRA~3\Mozilla\ndribzb.exe -eciltya
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Privilege Escalation

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\ndribzb.exe

Filesize
132KB

MD5
2d1e5ee795afdbbeb00e100bebe818ce

SHA1
59430b973f318e5029464fd61cc7d928ba0ab863

SHA256
b02029bdd69d8a744fb4c89239a54ec33613aee988fb9a5e86223643099b6ba5

SHA512
e4c856c012d3d9d61886e6d3f376ff4ee31a2e5ea20cd7ade093d4819e09e3a95f48c6e9035f028dcadec3f3e97375a2ac330379b1d7284d9fa3299f2d1a00f7

Download Submit