ca8f9b9bd36906f10a3b358375dee4c877ce2806c0d696c269bda932e7a4e632

Analysis

max time kernel
95s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14-10-2024 03:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca8f9b9bd36906f10a3b358375dee4c877ce2806c0d696c269bda932e7a4e632.exe
Size

314KB
MD5

e001f245442dddb4ffa43ab9dfa7128e
SHA1

746dfbc1ceefd6744fa8ff22a5f371ad10d80ec1
SHA256

ca8f9b9bd36906f10a3b358375dee4c877ce2806c0d696c269bda932e7a4e632
SHA512

ac85d6b8dae10c4232266581942359ffad89459672ba2811a642415a5cdb196c983e8a3af73075be19998a30bd997d7f009d2157187f38ddd36e5923c53a8558
SSDEEP

6144:v4E31UUn9SXHt3zvLq6r9j4E31UUn9SXHt3zvLD:v4i1dn9qtZrx4i1dn9qtj

Score

8^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Executes dropped EXE 1 IoCs

pid	Process
544	cwelzlb.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\cwelzlb.exe	ca8f9b9bd36906f10a3b358375dee4c877ce2806c0d696c269bda932e7a4e632.exe
File created	C:\PROGRA~3\Mozilla\ftyifzg.dll	cwelzlb.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cwelzlb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ca8f9b9bd36906f10a3b358375dee4c877ce2806c0d696c269bda932e7a4e632.exe

C:\Users\Admin\AppData\Local\Temp\ca8f9b9bd36906f10a3b358375dee4c877ce2806c0d696c269bda932e7a4e632.exe
"C:\Users\Admin\AppData\Local\Temp\ca8f9b9bd36906f10a3b358375dee4c877ce2806c0d696c269bda932e7a4e632.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4668

C:\PROGRA~3\Mozilla\cwelzlb.exe
C:\PROGRA~3\Mozilla\cwelzlb.exe -voeftbj
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Privilege Escalation

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Mozilla\cwelzlb.exe

Filesize
314KB

MD5
718ff5cf6074e39db2d148e6ea7b6a98

SHA1
e43654d9648410421fdce9bb948c374c32a5b97c

SHA256
917801da599f00ba9d3a4be1d72f84c7d4a55a7f76ede284b716f6001cf9366c

SHA512
f685eb7acb1ef1b0e1fe2628d87a93a094918a0f75300ba1e0846425f3f24e5518f22d46c6c4133a15d38ca0618e55c517023fb49293bb38cd94f6dbb84687df

Download Submit
memory/544-5-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/544-6-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/544-11-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4668-0-0x0000000000740000-0x000000000079B000-memory.dmp

Filesize
364KB

Download
memory/4668-1-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4668-7-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4668-9-0x0000000000740000-0x000000000079B000-memory.dmp

Filesize
364KB

Download