3a2b30d53d38ebbbf7536d332a1c6417b7b0767991397e69da8aebf230e531b5

Analysis

max time kernel
17s
max time network
21s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08/09/2024, 14:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4723f8c1a35bc7a9fe267e956991ef30N.exe
Size

147KB
MD5

4723f8c1a35bc7a9fe267e956991ef30
SHA1

ed6a9d06ddf77f86f1e9db18b9902623fb9385bc
SHA256

3a2b30d53d38ebbbf7536d332a1c6417b7b0767991397e69da8aebf230e531b5
SHA512

a934244e265b685aa39d1f5a2ac66fe4af1ad1542a93c5ab43d90f8548f59be8e1100592bedbefaad26f52a6ab3b9a598660959b956b721a40bf46c72a4effef
SSDEEP

3072:lVMfMIbIww3J9EO3ak5J6KPaGyIlv24e9S+BC3K5eqU+BC3K5eqYroGO:wfMmqN3ndfrI9cK70K7X

Score

8^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Executes dropped EXE 1 IoCs

pid	Process
1736	cpfmqte.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\zbgopeh.dll	cpfmqte.exe
File created	C:\PROGRA~3\Mozilla\cpfmqte.exe	4723f8c1a35bc7a9fe267e956991ef30N.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4723f8c1a35bc7a9fe267e956991ef30N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cpfmqte.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 1736	2404	taskeng.exe	31
PID 2404 wrote to memory of 1736	2404	taskeng.exe	31
PID 2404 wrote to memory of 1736	2404	taskeng.exe	31
PID 2404 wrote to memory of 1736	2404	taskeng.exe	31

C:\Users\Admin\AppData\Local\Temp\4723f8c1a35bc7a9fe267e956991ef30N.exe
"C:\Users\Admin\AppData\Local\Temp\4723f8c1a35bc7a9fe267e956991ef30N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2520

C:\Windows\system32\taskeng.exe
taskeng.exe {1F930624-F61D-4350-82D8-79B90A1F867B} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2404
- C:\PROGRA~3\Mozilla\cpfmqte.exe
  C:\PROGRA~3\Mozilla\cpfmqte.exe -lecvesj
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:1736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Privilege Escalation

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\cpfmqte.exe

Filesize
147KB

MD5
113804314a198a3184c0d9a751b75bd8

SHA1
b77ff039646cee69d26a2b1c62b1eba851aaa2e0

SHA256
41c4bb5583d3bbc4a2d7bbe4c04dfc49db9a32f17805a59a03d381928f785615

SHA512
17b0f3e351d00c6a83fe45c100300f2fbe0f8c080a7e5b5601590b72c1bc4c7a9634839733cb129d4a0677a7b250f5af1fa30aa85f5e478081617b9c25a9bd97

Download Submit