Analysis
max time kernel
74s
max time network
18s
platform
windows7_x64
resource
win7-20241010-en
resource tags
arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted
12/11/2024, 12:13
Static task
static1
Behavioral task
behavioral1
Sample
b2dd82b93d7ee9b9d2b9e5099f3be675968b280a558a793cab93ada9905935ea.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
b2dd82b93d7ee9b9d2b9e5099f3be675968b280a558a793cab93ada9905935ea.exe
Resource
win10v2004-20241007-en
General
Target
b2dd82b93d7ee9b9d2b9e5099f3be675968b280a558a793cab93ada9905935ea.exe
Size
233KB
MD5
0f3004340ee9d3d5f7da8433d4507b6d
SHA1
ef33a7e57db906e41056c0a6c8e84f46219a7239
SHA256
b2dd82b93d7ee9b9d2b9e5099f3be675968b280a558a793cab93ada9905935ea
SHA512
5a0ca7a9977f14e745a564cdc0d4a110f90220e0bfeeec20fd51310336fd9609e3684246e3708f542b90bd17f08a876340455908c2f576ddfc94f48c38287441
SSDEEP
3072:fs5jAp7XSXDHAGjTmwoI+2Msl1gwW/ZJK7bJ1A50MW5UtU88q/S2jbxWGqJs0:fsapAL/jTroImi1ArWOtU8J/SbGqJp
Malware Config
Signatures
- Event Triggered Execution: AppInit DLLs (1 TTPs)
  Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
- Executes dropped EXE (1 IoCs)
  pid | Process
  2212 | unidtrd.exe
- Drops file in Program Files directory (2 IoCs)
  description | ioc | Process
  File created | C:\PROGRA~3\Mozilla\unidtrd.exe | b2dd82b93d7ee9b9d2b9e5099f3be675968b280a558a793cab93ada9905935ea.exe
  File created | C:\PROGRA~3\Mozilla\soforsm.dll | unidtrd.exe
- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | unidtrd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b2dd82b93d7ee9b9d2b9e5099f3be675968b280a558a793cab93ada9905935ea.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid | Process
  1688 | b2dd82b93d7ee9b9d2b9e5099f3be675968b280a558a793cab93ada9905935ea.exe
  2212 | unidtrd.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description | pid | Process | procid_target
  PID 1236 wrote to memory of 2212 | 1236 | taskeng.exe | 31
  PID 1236 wrote to memory of 2212 | 1236 | taskeng.exe | 31
  PID 1236 wrote to memory of 2212 | 1236 | taskeng.exe | 31
  PID 1236 wrote to memory of 2212 | 1236 | taskeng.exe | 31
Processes
- C:\Users\Admin\AppData\Local\Temp\b2dd82b93d7ee9b9d2b9e5099f3be675968b280a558a793cab93ada9905935ea.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b2dd82b93d7ee9b9d2b9e5099f3be675968b280a558a793cab93ada9905935ea.exe"
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  PID: 1688
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {29E543AC-4A71-41FB-8C2B-99E128270B45} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  PID: 1236
  - C:\PROGRA~3\Mozilla\unidtrd.exe (child of PID 1236)
    Command line: C:\PROGRA~3\Mozilla\unidtrd.exe -esjphrh
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of UnmapMainImage
    PID: 2212
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
233KB
MD5
8c009cb89157321356fb2c13b7a07f79
SHA1
e055677d849e92ed048e2f706cc091c324721090
SHA256
d9346bb573073dce76cb20c33cf0bae02907e2e21c4f14b468f89c4a0b765609
SHA512
96c634ab22449562dbc8f4e10e990ec970eb40bf91e975cdb23321db79378b8202fe6162b4912e2fb21e2ce902b38a77cb70482991ffb23e8714ac1c778d1052