f865da650d899ec01d363f00f013e46991d163c6ea2d33748be54172206a04a2

Analysis

max time kernel
120s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30/09/2024, 16:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f865da650d899ec01d363f00f013e46991d163c6ea2d33748be54172206a04a2N.exe
Size

177KB
MD5

57a46419a39a8446b51224ad8f3af170
SHA1

1f0c84497887dfc1686b373521a0571ed5cf7d28
SHA256

f865da650d899ec01d363f00f013e46991d163c6ea2d33748be54172206a04a2
SHA512

0c5f76d63eb921cebb1fea32ee2a2508b9bb7fa1b7dd3f31f6b086c5d8b82bf5aac00262c946cf51f41af2e241168492b2b4dde1051a3339656438ac9d2c1216
SSDEEP

3072:YmX+4E31UUnIkiczVmcynqIzvLVMaq6rdXVoFRzS:k4E31UUnIk5s1zvLq6r9t

Score

8^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Executes dropped EXE 1 IoCs

pid	Process
2464	dxphjxh.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\yocgcxd.dll	dxphjxh.exe
File created	C:\PROGRA~3\Mozilla\dxphjxh.exe	f865da650d899ec01d363f00f013e46991d163c6ea2d33748be54172206a04a2N.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f865da650d899ec01d363f00f013e46991d163c6ea2d33748be54172206a04a2N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dxphjxh.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1728	f865da650d899ec01d363f00f013e46991d163c6ea2d33748be54172206a04a2N.exe
2464	dxphjxh.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 2464	2316	taskeng.exe	31
PID 2316 wrote to memory of 2464	2316	taskeng.exe	31
PID 2316 wrote to memory of 2464	2316	taskeng.exe	31
PID 2316 wrote to memory of 2464	2316	taskeng.exe	31

C:\Users\Admin\AppData\Local\Temp\f865da650d899ec01d363f00f013e46991d163c6ea2d33748be54172206a04a2N.exe
"C:\Users\Admin\AppData\Local\Temp\f865da650d899ec01d363f00f013e46991d163c6ea2d33748be54172206a04a2N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of UnmapMainImage
PID:1728

C:\Windows\system32\taskeng.exe
taskeng.exe {1E17A7E1-589F-4F8A-A08F-B3383C48DC5A} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2316
- C:\PROGRA~3\Mozilla\dxphjxh.exe
  C:\PROGRA~3\Mozilla\dxphjxh.exe -wyqgbfl
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  PID:2464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Privilege Escalation

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\dxphjxh.exe

Filesize
177KB

MD5
ef1c99f2156d31560fdec9ab717e825e

SHA1
ef80b29d4f381fe789bf978391c01eb339128b75

SHA256
440bf72e956e67cb27516634edb81c7d388109e034b4f6783ec4e15e0aa9dd29

SHA512
95f5bd13fe82102232f2c70552a5b0703b18f842793509f8e6274c03b1fe60ad425d18e86a2a2c39e107d4506b75c0f23ed824962667db62e8d6f3c4b22349de

Download Submit
memory/1728-2-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1728-1-0x00000000002E0000-0x000000000033B000-memory.dmp

Filesize
364KB

Download
memory/1728-0-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1728-4-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2464-7-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2464-8-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2464-9-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2464-11-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download