95e0964419c5dcdf0271ac8c69779d2b5b3149cf06543029af6d900108a30591

Analysis

max time kernel
93s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/10/2024, 16:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

95e0964419c5dcdf0271ac8c69779d2b5b3149cf06543029af6d900108a30591N.exe
Size

175KB
MD5

0ed32c5c4959e763b0f6208f1a7a3490
SHA1

b26a604ecc2c903663321a88fe32d58e39bd1742
SHA256

95e0964419c5dcdf0271ac8c69779d2b5b3149cf06543029af6d900108a30591
SHA512

0802b2eb9e222282db3234f8bb853972984b21c02caaa4740b7c3b8f146727eb6aed2e75f4e0d21da3ac1c2b3784e10359b37c1a7116fca9fd0ee110ef4ca9e4
SSDEEP

3072:kLcBBW/A1jbGs2lD6IHdfdkaQnprrR/lRJl7PCIa5L4x1Q:0A1jys2lZHd6n9FHJlG4Q

Score

8^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Executes dropped EXE 1 IoCs

pid	Process
3444	zesgosm.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\zesgosm.exe	95e0964419c5dcdf0271ac8c69779d2b5b3149cf06543029af6d900108a30591N.exe
File created	C:\PROGRA~3\Mozilla\ubeuewb.dll	zesgosm.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	95e0964419c5dcdf0271ac8c69779d2b5b3149cf06543029af6d900108a30591N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zesgosm.exe

C:\Users\Admin\AppData\Local\Temp\95e0964419c5dcdf0271ac8c69779d2b5b3149cf06543029af6d900108a30591N.exe
"C:\Users\Admin\AppData\Local\Temp\95e0964419c5dcdf0271ac8c69779d2b5b3149cf06543029af6d900108a30591N.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2164

C:\PROGRA~3\Mozilla\zesgosm.exe
C:\PROGRA~3\Mozilla\zesgosm.exe -ukpewwc
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Privilege Escalation

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Mozilla\zesgosm.exe

Filesize
175KB

MD5
bec476f3d05a4b08d4058c5f44cd8260

SHA1
d570d035f4b5c8101acd9a36f9abcaf89954facf

SHA256
8028113e54874a7b7dfc18bf7c79fbccb88b43b3ad3accab9f3533bf6692628e

SHA512
dda29e7617215188d3f915a0f5140b7f7f34fa9d2bc25fcb3ba75614a514d1002c07091cbd3e1d742ea0fc91652d8f9b07f1c853be26370e5b909d32f8b4d537

Download Submit
memory/2164-0-0x0000000000402000-0x0000000000404000-memory.dmp

Filesize
8KB

Download
memory/2164-1-0x0000000000800000-0x000000000085B000-memory.dmp

Filesize
364KB

Download
memory/2164-9-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3444-10-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3444-11-0x00000000001A0000-0x00000000001FB000-memory.dmp

Filesize
364KB

Download