Analysis
max time kernel: 122s
max time network: 123s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 12/11/2024, 12:11
Static task: static1
Behavioral task: behavioral1
  Sample: b0fcca707fad480b62d1bf32380d675529c6e8d6f3c80a0d8e2761cd5567666e.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: b0fcca707fad480b62d1bf32380d675529c6e8d6f3c80a0d8e2761cd5567666e.exe
  Resource: win10v2004-20241007-en
General
Target: b0fcca707fad480b62d1bf32380d675529c6e8d6f3c80a0d8e2761cd5567666e.exe
Size: 229KB
MD5: d0a7507b80382c7418a5c98926b85e76
SHA1: 197df4ed81ccfb071826bfa5a27f88eeeba6c892
SHA256: b0fcca707fad480b62d1bf32380d675529c6e8d6f3c80a0d8e2761cd5567666e
SHA512: b2c8d1d299a3dffe8364cdcef207d5e2a8d7f82c93fdda3d346ab2eb17deb058d6462d473e83c546ecce6d8dcc1e498a68796ff80bc94df930bee3e94d8f6473
SSDEEP: 3072:URtnaxdjv3SoCrKdKUUTNHY5Snf8TvHTxK3STrOdHa5S2jbxWGqJs3:dj8rKdKUUhHYE0T7ciXOdHa5SbGqJ2
Malware Config
Signatures
- Event Triggered Execution: AppInit DLLs (1 TTPs)
  Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
- Executes dropped EXE (1 IoCs)
  pid  | Process
  2292 | cpfmqte.exe
- Drops file in Program Files directory (2 IoCs)
  description  | ioc                             | Process
  File created | C:\PROGRA~3\Mozilla\cpfmqte.exe | b0fcca707fad480b62d1bf32380d675529c6e8d6f3c80a0d8e2761cd5567666e.exe
  File created | C:\PROGRA~3\Mozilla\zbgopeh.dll | cpfmqte.exe
- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc                                                             | Process
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     | b0fcca707fad480b62d1bf32380d675529c6e8d6f3c80a0d8e2761cd5567666e.exe
  Key opened  | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language     | cpfmqte.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid  | Process
  2372 | b0fcca707fad480b62d1bf32380d675529c6e8d6f3c80a0d8e2761cd5567666e.exe
  2292 | cpfmqte.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description                       | pid  | Process     | procid_target
  PID 1736 wrote to memory of 2292  | 1736 | taskeng.exe | 31
  PID 1736 wrote to memory of 2292  | 1736 | taskeng.exe | 31
  PID 1736 wrote to memory of 2292  | 1736 | taskeng.exe | 31
  PID 1736 wrote to memory of 2292  | 1736 | taskeng.exe | 31
Processes
- C:\Users\Admin\AppData\Local\Temp\b0fcca707fad480b62d1bf32380d675529c6e8d6f3c80a0d8e2761cd5567666e.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b0fcca707fad480b62d1bf32380d675529c6e8d6f3c80a0d8e2761cd5567666e.exe"
  PID: 2372
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
- C:\Windows\system32\taskeng.exe (depth 1)
  Command line: taskeng.exe {32765D10-93FE-40B9-90FE-AF68A0055532} S-1-5-18:NT AUTHORITY\System:Service:
  PID: 1736
  - Suspicious use of WriteProcessMemory
  - C:\PROGRA~3\Mozilla\cpfmqte.exe (depth 2, child of PID 1736)
    Command line: C:\PROGRA~3\Mozilla\cpfmqte.exe -lecvesj
    PID: 2292
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 229KB
  MD5: ebabef3959c0b7659439ffb7c016c32f
  SHA1: 19ecb760e58c0fa2e8ab878cf08ae520d8d73dde
  SHA256: b912a96355a3e86d30a5f242fba7f436f5c32675c26d63d44a236194ac23f549
  SHA512: 7ec32e6781161611bb34cc7fd5689142f1a58e0cbe52fae0ff217043296bb47c2a7984c8b3997d3720ef3bcf484c7fb80d144e16433aeb26a92985c9ce6b2b1e