Analysis

max time kernel: 66s
max time network: 19s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 12/11/2024, 12:01
Static task: static1

Behavioral task: behavioral1
Sample: a7590a5f4406b774b2471fc27b66545565f1ab939f6a388169f780f29eb8b713.exe
Resource: win7-20241010-en

Behavioral task: behavioral2
Sample: a7590a5f4406b774b2471fc27b66545565f1ab939f6a388169f780f29eb8b713.exe
Resource: win10v2004-20241007-en
General

Target: a7590a5f4406b774b2471fc27b66545565f1ab939f6a388169f780f29eb8b713.exe
Size: 312KB
MD5: 19d992f46bd32a800bca65dc9dafe185
SHA1: 180663fc3a766a28745abc8a6a7faa6b8796b28b
SHA256: a7590a5f4406b774b2471fc27b66545565f1ab939f6a388169f780f29eb8b713
SHA512: 9e4a6fe5bbb01b41e2881caa25b17b1e7db312224c71254a79e2e111fdac68277aa322d817198e91df547b2670b8873ac2261e2ea15b50503645d119c4e0b861
SSDEEP: 6144:YGOXfUdRT6mCo4Em3d1k91UmaFycSbGqJWs6eQ/gU:YGOSRT6mChEm3dOXURtS96H/gU
Malware Config
Signatures

- Event Triggered Execution: AppInit DLLs (1 TTPs)
  Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

- Executes dropped EXE (1 IoCs)
  pid    Process
  2668   unidtrd.exe

- Drops file in Program Files directory (2 IoCs)
  description    ioc                               Process
  File created   C:\PROGRA~3\Mozilla\unidtrd.exe   a7590a5f4406b774b2471fc27b66545565f1ab939f6a388169f780f29eb8b713.exe
  File created   C:\PROGRA~3\Mozilla\soforsm.dll   unidtrd.exe

- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                           Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   a7590a5f4406b774b2471fc27b66545565f1ab939f6a388169f780f29eb8b713.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   unidtrd.exe

- Suspicious use of UnmapMainImage (2 IoCs)
  pid    Process
  1680   a7590a5f4406b774b2471fc27b66545565f1ab939f6a388169f780f29eb8b713.exe
  2668   unidtrd.exe

- Suspicious use of WriteProcessMemory (4 IoCs)
  description                          pid    Process       procid_target
  PID 2928 wrote to memory of 2668     2928   taskeng.exe   31
  PID 2928 wrote to memory of 2668     2928   taskeng.exe   31
  PID 2928 wrote to memory of 2668     2928   taskeng.exe   31
  PID 2928 wrote to memory of 2668     2928   taskeng.exe   31
Processes

- C:\Users\Admin\AppData\Local\Temp\a7590a5f4406b774b2471fc27b66545565f1ab939f6a388169f780f29eb8b713.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a7590a5f4406b774b2471fc27b66545565f1ab939f6a388169f780f29eb8b713.exe"
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  PID: 1680

- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {160D17E6-8CEC-4B9A-AB3A-3B2BF6D3A739} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  PID: 2928

  - C:\PROGRA~3\Mozilla\unidtrd.exe (child of taskeng.exe)
    Command line: C:\PROGRA~3\Mozilla\unidtrd.exe -esjphrh
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of UnmapMainImage
    PID: 2668
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 312KB
MD5: d094a23a8a6c3b513f6eef486cec0b2e
SHA1: a6a48e3bfde647ec329401fb472bd660746e0817
SHA256: 1312988de393da8d66367c5619a40c7819db8ccea875eefd474dd7f3a28f26b0
SHA512: 5a019d25bafa3c9b70028c986b8e37912837e84cbd60685a072a10478dc34fe319f03b8f9405fd658d842509307d601ffe0e1e52e08d032b034ce99ea93a81ee