Analysis
- max time kernel: 117s
- max time network: 117s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 12/11/2024, 12:06
Static task: static1

Behavioral task: behavioral1
- Sample: acddc4e0d2487f1325cc97fbc64d73b29f1c1cd95aa10552c3a73e119caab9d1.exe
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: acddc4e0d2487f1325cc97fbc64d73b29f1c1cd95aa10552c3a73e119caab9d1.exe
- Resource: win10v2004-20241007-en
General
- Target: acddc4e0d2487f1325cc97fbc64d73b29f1c1cd95aa10552c3a73e119caab9d1.exe
- Size: 271KB
- MD5: a0b8255b91009a2aa6ee4d5a16d62a6f
- SHA1: 01b14c3e4588b3e1718a9ded5318d8f08b0761ba
- SHA256: acddc4e0d2487f1325cc97fbc64d73b29f1c1cd95aa10552c3a73e119caab9d1
- SHA512: 7748d416250e15e65f2b26856fde2c6989c87cb462d1d74a1486dbe18514a1dd78e67b109b6a66a743d2dca56e63902f39799c90066a0cbb0684fbdc0cada049
- SSDEEP: 6144:eFpiTSfDhpOQAYg718kVFRCHplF6UTSbGqJ7:RTSfDh7AL18UwJbhTSL
Malware Config
Signatures
- Event Triggered Execution: AppInit DLLs (1 TTPs)
  Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
- Executes dropped EXE (1 IoCs)
  pid | Process
  856 | whmlgxa.exe
- Drops file in Program Files directory (2 IoCs)
  description | ioc | Process
  File created | C:\PROGRA~3\Mozilla\jddgeih.dll | whmlgxa.exe
  File created | C:\PROGRA~3\Mozilla\whmlgxa.exe | acddc4e0d2487f1325cc97fbc64d73b29f1c1cd95aa10552c3a73e119caab9d1.exe
- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | whmlgxa.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | acddc4e0d2487f1325cc97fbc64d73b29f1c1cd95aa10552c3a73e119caab9d1.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid | Process
  2124 | acddc4e0d2487f1325cc97fbc64d73b29f1c1cd95aa10552c3a73e119caab9d1.exe
  856 | whmlgxa.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 2280 wrote to memory of 856 | 2280 | taskeng.exe | 29
  PID 2280 wrote to memory of 856 | 2280 | taskeng.exe | 29
  PID 2280 wrote to memory of 856 | 2280 | taskeng.exe | 29
  PID 2280 wrote to memory of 856 | 2280 | taskeng.exe | 29
Processes
- C:\Users\Admin\AppData\Local\Temp\acddc4e0d2487f1325cc97fbc64d73b29f1c1cd95aa10552c3a73e119caab9d1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\acddc4e0d2487f1325cc97fbc64d73b29f1c1cd95aa10552c3a73e119caab9d1.exe"
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  PID: 2124
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {0613C2EB-9BA0-4690-B913-E1E64479DE67} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  PID: 2280
  - C:\PROGRA~3\Mozilla\whmlgxa.exe (child of taskeng.exe)
    Command line: C:\PROGRA~3\Mozilla\whmlgxa.exe -yvexadc
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of UnmapMainImage
    PID: 856
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 271KB
  MD5: f51b4814ef61fa73fc87074dd8c40955
  SHA1: 006621bda2cd809fbc46a83c319b76193e0a9678
  SHA256: 4ba1d94a867ebc2ecde7a91a81986ee58ffac6676a549d821e45320ad15f1ae6
  SHA512: d85a10615554023a1c8e6dd68ea534b625a032e0aed6f469e2f575ff4b52d8736e28c953bc978c4b7549a0cdaa13c2a4892ae3dd8bdfd51029614c578295fed2