Analysis
Max time kernel: 16s
Max time network: 16s
Platform: windows7_x64
Resource: win7-20240903-en
Resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
Submitted: 10-11-2024 01:16
Static task: static1
Behavioral task: behavioral1
  Sample: 12f452f19a0703e9ed33ab76d7ba0286460beeed69ee0042e0ba8b6c2b0f99d1N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 12f452f19a0703e9ed33ab76d7ba0286460beeed69ee0042e0ba8b6c2b0f99d1N.exe
  Resource: win10v2004-20241007-en
General
Target: 12f452f19a0703e9ed33ab76d7ba0286460beeed69ee0042e0ba8b6c2b0f99d1N.exe
Size: 312KB
MD5: 7304244070456825516674275bd20f60
SHA1: fc8f6e2d1bb3a62cc0fb0cbff102261b9f9e5fbf
SHA256: 12f452f19a0703e9ed33ab76d7ba0286460beeed69ee0042e0ba8b6c2b0f99d1
SHA512: 883d1666607735cd4965ff93ff6d3651f771d1b21b673f342d9721bc7cb04bd78f6db717155c7d1b04a4b2ab73bead4b5863a213927193ad54936e36949a65a3
SSDEEP: 6144:YGOXfUdRT6mCo4Em3d1k91UmaFycSbGqJWs6eQ/g7:YGOSRT6mChEm3dOXURtS96H/g7
Malware Config
Signatures

Event Triggered Execution: AppInit DLLs (1 TTP)
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

Executes dropped EXE (1 IoC)
Processes:
  PID   Process
  2376  vuhvodg.exe

Drops file in Program Files directory (2 IoCs)
Processes:
  Description   IoC                               Process
  File created  C:\PROGRA~3\Mozilla\vuhvodg.exe   12f452f19a0703e9ed33ab76d7ba0286460beeed69ee0042e0ba8b6c2b0f99d1N.exe
  File created  C:\PROGRA~3\Mozilla\zcwirze.dll   vuhvodg.exe
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  Description  IoC                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  12f452f19a0703e9ed33ab76d7ba0286460beeed69ee0042e0ba8b6c2b0f99d1N.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vuhvodg.exe

Suspicious use of UnmapMainImage (2 IoCs)
Processes:
  PID   Process
  2112  12f452f19a0703e9ed33ab76d7ba0286460beeed69ee0042e0ba8b6c2b0f99d1N.exe
  2376  vuhvodg.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  Description          PID   Process      Target PID
  PID 2916 wrote to memory of 2376  2916  taskeng.exe  31
  PID 2916 wrote to memory of 2376  2916  taskeng.exe  31
  PID 2916 wrote to memory of 2376  2916  taskeng.exe  31
  PID 2916 wrote to memory of 2376  2916  taskeng.exe  31
Processes

C:\Users\Admin\AppData\Local\Temp\12f452f19a0703e9ed33ab76d7ba0286460beeed69ee0042e0ba8b6c2b0f99d1N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\12f452f19a0703e9ed33ab76d7ba0286460beeed69ee0042e0ba8b6c2b0f99d1N.exe"
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  PID: 2112

C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {6E4BB1C4-971C-4A17-A15C-1EEB794D1E1A} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  PID: 2916

  C:\PROGRA~3\Mozilla\vuhvodg.exe (child of taskeng.exe)
    Command line: C:\PROGRA~3\Mozilla\vuhvodg.exe -nwlnhvb
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of UnmapMainImage
    PID: 2376
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 312KB
MD5: 9d4d340c4a1f94ceb51b54dea4ef9459
SHA1: 7c444076a9bc047880df5386d5419d7814626ee9
SHA256: 6901e07b2d6233cd35907e0fdfe67c1d08294ee74fa672e4d7e417aa05b0e4c7
SHA512: 0b45f5f6697044b597285ce213a0f8ba10466e7b7f9fdd970c32d45e7171b0e953881fc1cd97216feb52aba6e6ad0d9063c018619e3348faa3bb89ec7391a681