Analysis
max time kernel: 118s
max time network: 120s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 12/11/2024, 11:50
Static task: static1
Behavioral task: behavioral1
  Sample: 9d2d9bdd5617c93901e2bda6bcb656a7bb1624fe73b13801406bb3c1d192ec68.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 9d2d9bdd5617c93901e2bda6bcb656a7bb1624fe73b13801406bb3c1d192ec68.exe
  Resource: win10v2004-20241007-en
General
Target: 9d2d9bdd5617c93901e2bda6bcb656a7bb1624fe73b13801406bb3c1d192ec68.exe
Size: 255KB
MD5: 7afd5afc222f81f8db4c57ceef9912dc
SHA1: 048625b43b03e9120c364baa745b1b9f1cf339b2
SHA256: 9d2d9bdd5617c93901e2bda6bcb656a7bb1624fe73b13801406bb3c1d192ec68
SHA512: 4075ed3d1397075d45851ad74bb3ba8ca8f8cb551d476e478e7b2adfef52c4854a0b101cb9f15b6861da605650ce943ecf316c235dd58888d5711b3a3cd0a619
SSDEEP: 6144:ocpiTSfDhpnShDi/SOifQsRCHplF6UWLGqpXC:wTSfDh8DiqjbwJbhwXC
Malware Config
Signatures

Event Triggered Execution: AppInit DLLs (1 TTPs)
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

Executes dropped EXE (1 IoCs)
  pid   Process
  1856  vuhvodg.exe

Drops file in Program Files directory (2 IoCs)
  description   ioc                                Process
  File created  C:\PROGRA~3\Mozilla\vuhvodg.exe    9d2d9bdd5617c93901e2bda6bcb656a7bb1624fe73b13801406bb3c1d192ec68.exe
  File created  C:\PROGRA~3\Mozilla\zcwirze.dll    vuhvodg.exe

System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                               Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language       9d2d9bdd5617c93901e2bda6bcb656a7bb1624fe73b13801406bb3c1d192ec68.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language       vuhvodg.exe

Suspicious use of UnmapMainImage (2 IoCs)
  pid   Process
  2112  9d2d9bdd5617c93901e2bda6bcb656a7bb1624fe73b13801406bb3c1d192ec68.exe
  1856  vuhvodg.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  description                         pid   Process      procid_target
  PID 2520 wrote to memory of 1856    2520  taskeng.exe  32
  PID 2520 wrote to memory of 1856    2520  taskeng.exe  32
  PID 2520 wrote to memory of 1856    2520  taskeng.exe  32
  PID 2520 wrote to memory of 1856    2520  taskeng.exe  32
Processes

C:\Users\Admin\AppData\Local\Temp\9d2d9bdd5617c93901e2bda6bcb656a7bb1624fe73b13801406bb3c1d192ec68.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9d2d9bdd5617c93901e2bda6bcb656a7bb1624fe73b13801406bb3c1d192ec68.exe"
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  PID: 2112

C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {6598E0A7-15C8-4C2B-9C91-978C5F927925} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  PID: 2520

  C:\PROGRA~3\Mozilla\vuhvodg.exe (child of taskeng.exe)
    Command line: C:\PROGRA~3\Mozilla\vuhvodg.exe -nwlnhvb
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of UnmapMainImage
    PID: 1856
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 255KB
MD5: 58ccec943f6d8c003be897597eb7df51
SHA1: 99221e711ccab726b233d4706ab00550ac468a6c
SHA256: e7d759e246805d9fe47a4adafb7fe12e37593b7c570362b5f4bfe846c7b4286a
SHA512: 9a3920a64550558dbfeac43472afdf38bd996fff1d2970007a446fc13229e1715d1a7c8c2775f45e5915fca6b4aaff0c9a6be57c8f96862763f09024f1d556a7