Analysis
max time kernel: 115s
max time network: 19s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 06/09/2024, 02:42
Static task: static1
Behavioral task: behavioral1
  Sample: 2b87b0fb0e85dcde222b1fc3eba00e60N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 2b87b0fb0e85dcde222b1fc3eba00e60N.exe
  Resource: win10v2004-20240802-en
General
Target: 2b87b0fb0e85dcde222b1fc3eba00e60N.exe
Size: 132KB
MD5: 2b87b0fb0e85dcde222b1fc3eba00e60
SHA1: 04291d94327e6e7c5d690e82463472603f389feb
SHA256: 8e5b326b4451499e7d55a2c6825559c9c59cb0d9114d89ff23cd12c5710cb940
SHA512: 2b5aec623a4329eaaf8e1abb3e2c56a0df5490fb051ef83bfc55b0a9b099af42a3553843e1c9df7af96286f0ce53f1beb57c63b0e1c12e67a8c6abc713cb4e54
SSDEEP: 3072:ZVMfMIbIaw3J90/LfD/Q+BC3K5eqU+BC3K5eqYroGIkToBl:kfMmMmXgK70K79R
Malware Config
Signatures
Event Triggered Execution: AppInit DLLs (1 TTPs)
  Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
Executes dropped EXE (1 IoCs)
  pid   Process
  2616  ndribzb.exe
Drops file in Program Files directory (2 IoCs)
  description   ioc                               Process
  File created  C:\PROGRA~3\Mozilla\ndribzb.exe   2b87b0fb0e85dcde222b1fc3eba00e60N.exe
  File created  C:\PROGRA~3\Mozilla\fyggpme.dll   ndribzb.exe
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ndribzb.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  2b87b0fb0e85dcde222b1fc3eba00e60N.exe
Suspicious use of WriteProcessMemory (4 IoCs)
  description                        pid   Process      procid_target
  PID 2764 wrote to memory of 2616   2764  taskeng.exe  31
  PID 2764 wrote to memory of 2616   2764  taskeng.exe  31
  PID 2764 wrote to memory of 2616   2764  taskeng.exe  31
  PID 2764 wrote to memory of 2616   2764  taskeng.exe  31
Processes
C:\Users\Admin\AppData\Local\Temp\2b87b0fb0e85dcde222b1fc3eba00e60N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2b87b0fb0e85dcde222b1fc3eba00e60N.exe"
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:2700

C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {6C15DB1F-7E3E-4573-9CCB-94CEE9A8F257} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  PID:2764
  Child process:
    C:\PROGRA~3\Mozilla\ndribzb.exe
      Command line: C:\PROGRA~3\Mozilla\ndribzb.exe -eciltya
      - Executes dropped EXE
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      PID:2616
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 132KB
MD5: 2d1e5ee795afdbbeb00e100bebe818ce
SHA1: 59430b973f318e5029464fd61cc7d928ba0ab863
SHA256: b02029bdd69d8a744fb4c89239a54ec33613aee988fb9a5e86223643099b6ba5
SHA512: e4c856c012d3d9d61886e6d3f376ff4ee31a2e5ea20cd7ade093d4819e09e3a95f48c6e9035f028dcadec3f3e97375a2ac330379b1d7284d9fa3299f2d1a00f7