Analysis
- max time kernel: 117s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20241023-en
- resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
- submitted: 12/11/2024, 12:07
Static task
- static1

Behavioral task
- behavioral1
  Sample: ad309c69e404aa167339cf9c3b21b27e59a73441b32d87148d88c48379e9bb22.exe
  Resource: win7-20241023-en

Behavioral task
- behavioral2
  Sample: ad309c69e404aa167339cf9c3b21b27e59a73441b32d87148d88c48379e9bb22.exe
  Resource: win10v2004-20241007-en
General
- Target: ad309c69e404aa167339cf9c3b21b27e59a73441b32d87148d88c48379e9bb22.exe
- Size: 271KB
- MD5: 47c30d86040310f9258036118fe07e0f
- SHA1: c742e780825f3fe495e160efa43be626fb7bd5bc
- SHA256: ad309c69e404aa167339cf9c3b21b27e59a73441b32d87148d88c48379e9bb22
- SHA512: c84472b294cd714ef3a1e773918f63f2f3123a42a758c79785bb7aeef53c43d4ad0e3c5bec2d70c007e82692a8b756c90de81215424c3936f350d27307b5198d
- SSDEEP: 6144:zGOdIWe48wn1obslh391UmaFyjDZSbGqJa:zGOdRn1obsl5XURQFSK
Malware Config
Signatures
- Event Triggered Execution: AppInit DLLs (1 TTPs)
  Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
- Executes dropped EXE (1 IoCs)
  pid   Process
  1712  grzejjh.exe
- Drops file in Program Files directory (2 IoCs)
  description   ioc                              Process
  File created  C:\PROGRA~3\Mozilla\grzejjh.exe  ad309c69e404aa167339cf9c3b21b27e59a73441b32d87148d88c48379e9bb22.exe
  File created  C:\PROGRA~3\Mozilla\clclgsb.dll  grzejjh.exe
- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  ad309c69e404aa167339cf9c3b21b27e59a73441b32d87148d88c48379e9bb22.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  grzejjh.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid   Process
  2604  ad309c69e404aa167339cf9c3b21b27e59a73441b32d87148d88c48379e9bb22.exe
  1712  grzejjh.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description                       pid   Process      procid_target
  PID 2084 wrote to memory of 1712  2084  taskeng.exe  31
  PID 2084 wrote to memory of 1712  2084  taskeng.exe  31
  PID 2084 wrote to memory of 1712  2084  taskeng.exe  31
  PID 2084 wrote to memory of 1712  2084  taskeng.exe  31
Processes
- C:\Users\Admin\AppData\Local\Temp\ad309c69e404aa167339cf9c3b21b27e59a73441b32d87148d88c48379e9bb22.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ad309c69e404aa167339cf9c3b21b27e59a73441b32d87148d88c48379e9bb22.exe"
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  PID: 2604

- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {5A5015BD-78BC-4DD8-8B85-9CFB0C5B2C81} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  PID: 2084

  - C:\PROGRA~3\Mozilla\grzejjh.exe (child of taskeng.exe)
    Command line: C:\PROGRA~3\Mozilla\grzejjh.exe -kaflank
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of UnmapMainImage
    PID: 1712
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 271KB
  MD5: 4f1aa7b4ffba0ecd24ae0a9beb099b09
  SHA1: 4bf164f844716963c1ed43ddf6998c692b813d13
  SHA256: 6639d36141d41fc306fe9af096b5395d086df976c2ee0a66fdd6e65c0fd97693
  SHA512: 5b8236b7ad8d382385c328a29dcad6ebabeeb352bc82ed7d0f002373bc56f9b7a8cf7c792ae46a7fc2734b4950361a0414a9a607b25440024580bfbc68ef2af8