Analysis
-
max time kernel
118s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system -
submitted
12/11/2024, 11:51
Static task
static1
Behavioral task
behavioral1
Sample
9e5a41afa9428ac0083d29a5b08c1ef7e6ad8f589f28631ba759bb97c9143d6e.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
9e5a41afa9428ac0083d29a5b08c1ef7e6ad8f589f28631ba759bb97c9143d6e.exe
Resource
win10v2004-20241007-en
General
-
Target
9e5a41afa9428ac0083d29a5b08c1ef7e6ad8f589f28631ba759bb97c9143d6e.exe
-
Size
233KB
-
MD5
2478d552a2c96eb945dae48f392f986a
-
SHA1
aee5cf376ec62b0d101df0850bc90dc102474b63
-
SHA256
9e5a41afa9428ac0083d29a5b08c1ef7e6ad8f589f28631ba759bb97c9143d6e
-
SHA512
db37581c254898c452985a9afbf23fc88271b1a6cc306c21e1678b9c5de8ce9ee89f30ec8b703ee0fa5279533f395ac8c7cb88a1b79fadf16cf75b9646104d0d
-
SSDEEP
3072:fs5jAp7XSXDHAGjTmwoI+2Msl1gwW/ZJK7bJ1A50MW5UtU88q/S2jbxWGqJsV:fsapAL/jTroImi1ArWOtU8J/SbGqJU
Malware Config
Signatures
-
Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
-
Executes dropped EXE 1 IoCs
pid   Process
1976  yofzeuh.exe -
Drops file in Program Files directory 2 IoCs
description   ioc                               Process
File created  C:\PROGRA~3\Mozilla\yofzeuh.exe   9e5a41afa9428ac0083d29a5b08c1ef7e6ad8f589f28631ba759bb97c9143d6e.exe
File created  C:\PROGRA~3\Mozilla\mkkxkvk.dll   yofzeuh.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Adversaries may attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                              Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      9e5a41afa9428ac0083d29a5b08c1ef7e6ad8f589f28631ba759bb97c9143d6e.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language      yofzeuh.exe -
Suspicious use of UnmapMainImage 2 IoCs
pid   Process
388   9e5a41afa9428ac0083d29a5b08c1ef7e6ad8f589f28631ba759bb97c9143d6e.exe
1976  yofzeuh.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description                        pid   Process      procid_target
PID 2488 wrote to memory of 1976   2488  taskeng.exe  32
PID 2488 wrote to memory of 1976   2488  taskeng.exe  32
PID 2488 wrote to memory of 1976   2488  taskeng.exe  32
PID 2488 wrote to memory of 1976   2488  taskeng.exe  32
Processes
-
C:\Users\Admin\AppData\Local\Temp\9e5a41afa9428ac0083d29a5b08c1ef7e6ad8f589f28631ba759bb97c9143d6e.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\9e5a41afa9428ac0083d29a5b08c1ef7e6ad8f589f28631ba759bb97c9143d6e.exe"
(tree depth 1)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of UnmapMainImage
PID:388
-
C:\Windows\system32\taskeng.exe
Command line: taskeng.exe {4D8C61EE-3338-4361-AB22-73D376A9C833} S-1-5-18:NT AUTHORITY\System:Service:
(tree depth 1)
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\PROGRA~3\Mozilla\yofzeuh.exe
Command line: C:\PROGRA~3\Mozilla\yofzeuh.exe -qmgjyzc
(tree depth 2)
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of UnmapMainImage
PID:1976
-
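The signatures and process tree above give three concrete behaviours worth turning into detection logic: a short random-named .exe and .dll written under C:\PROGRA~3\Mozilla (PROGRA~3 is the 8.3 short name that on x64 Windows is typically the alias of C:\ProgramData, not Program Files, despite the sandbox's signature title), the dropped executable being started by taskeng.exe (the Windows 7 task-scheduler host, which is what makes the sandbox flag WriteProcessMemory from pid 2488), and both binaries opening the NLS\Language key. The script below is an added example, not code from the sandbox or from the analysed sample: it runs those rules over constructed telemetry that mirrors the report. The event field names, the "6-9 random lowercase letters" filename heuristic, and the svchost.exe entry in the scheduler-host set (the Windows 10 equivalent of taskeng.exe) are assumptions for illustration. The AppInit DLLs signature is listed in the report without an IoC row, so it is not modelled here.

```python
"""Turning the report's IoCs into detection logic.

Added example; not code from the sandbox or from the analysed sample. The
events below are constructed to mirror the report's process tree, file drops
and registry access. Field names (kind, pid, image, target, child_pid) are
assumed for illustration and do not follow any particular EDR schema.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

SAMPLE_EXE = "9e5a41afa9428ac0083d29a5b08c1ef7e6ad8f589f28631ba759bb97c9143d6e.exe"

# C:\PROGRA~3 is the 8.3 short name in the report; on x64 Windows that is
# typically the alias of C:\ProgramData, so both spellings are matched.
PROGRAMDATA_RE = re.compile(r"^c:\\(programdata|progra~3)\\", re.I)
# Heuristic (assumption): the sample's drops are short random lowercase names.
RANDOM_PE_RE = re.compile(r"^[a-z]{6,9}\.(exe|dll)$", re.I)
NLS_LANGUAGE_RE = re.compile(r"\\control\\nls\\language$", re.I)
# Task-scheduler hosts: taskeng.exe on Windows 7 (as in the report);
# svchost.exe on Windows 10 is an assumption added for coverage.
TASK_HOSTS = {"taskeng.exe", "svchost.exe"}


@dataclass
class Event:
    kind: str            # "file_create" | "registry_open" | "process_create"
    pid: int             # acting process
    image: str           # acting process image path or name
    target: str          # created path, opened key, or child command line
    child_pid: int = 0   # process_create only


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def _exe_from_cmdline(cmdline: str) -> str:
    """First token of a command line with surrounding quotes removed.
    Unquoted paths are assumed to contain no spaces (true for the report)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        return cmdline[1:].split('"', 1)[0]
    return cmdline.split(" ", 1)[0]


def triage(events):
    """Return {pid: [findings]} for processes that hit a strong rule.

    A read of HKLM\\...\\NLS\\Language is only reported as corroboration for a
    pid that already hit a strong rule: almost every localized process opens
    that key, so on its own it is far too noisy to alert on."""
    strong = defaultdict(list)
    nls_readers = set()
    for e in events:
        if e.kind == "file_create":
            if PROGRAMDATA_RE.match(e.target) and RANDOM_PE_RE.match(_basename(e.target)):
                strong[e.pid].append(f"drops random-named PE under ProgramData: {e.target}")
        elif e.kind == "process_create":
            child_exe = _exe_from_cmdline(e.target)
            if _basename(e.image).lower() in TASK_HOSTS and PROGRAMDATA_RE.match(child_exe):
                strong[e.child_pid].append(
                    f"launched by scheduler host {_basename(e.image)} from ProgramData: {e.target}")
        elif e.kind == "registry_open" and NLS_LANGUAGE_RE.search(e.target):
            nls_readers.add(e.pid)
    for pid in strong:
        if pid in nls_readers:
            strong[pid].append("corroborating: opens HKLM\\SYSTEM\\...\\Control\\NLS\\Language")
    return dict(strong)


NLS_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"

# Constructed telemetry mirroring the report, plus two benign events that must not fire.
SAMPLE_EVENTS = [
    Event("file_create", 388, SAMPLE_EXE, r"C:\PROGRA~3\Mozilla\yofzeuh.exe"),
    Event("registry_open", 388, SAMPLE_EXE, NLS_KEY),
    Event("process_create", 2488, r"C:\Windows\system32\taskeng.exe",
          r"C:\PROGRA~3\Mozilla\yofzeuh.exe -qmgjyzc", child_pid=1976),
    Event("file_create", 1976, "yofzeuh.exe", r"C:\PROGRA~3\Mozilla\mkkxkvk.dll"),
    Event("registry_open", 1976, "yofzeuh.exe", NLS_KEY),
    Event("registry_open", 1200, "notepad.exe", NLS_KEY),                              # benign
    Event("file_create", 1300, "msiexec.exe", r"C:\ProgramData\Mozilla\updater.log"),  # benign
]

if __name__ == "__main__":
    for pid, findings in triage(SAMPLE_EVENTS).items():
        print(pid)
        for finding in findings:
            print("  -", finding)
```

Running it reports pid 388 (the original sample: drop plus language read) and pid 1976 (yofzeuh.exe: scheduler launch, DLL drop, language read) and stays silent on notepad.exe and the log file, which is the point of treating the NLS read as corroboration rather than a trigger.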
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
233KB
MD5
5c6d56caf5b651f2c38af4bb5b4335c0
SHA1
d7a139c7a68de491cf7c04332b5303e3eb5b8bc6
SHA256
58d00238ea6ad7aee2d5697f66419eb4804dffbe0f1ea5fbeb4e0f2f4f6c66f7
SHA512
91e88004001eec09f91d3026ce1b4e4485f3d6bcff1acb5739d9142ef4fd879d04c72958fbeee59bbfb0dd926f73c7a4629fe658c6172faf94e343391c1aaa10