Analysis
- max time kernel: 118s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20241023-en
- resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
- submitted: 12/11/2024, 12:29
Static task: static1
Behavioral task: behavioral1
- Sample: c0ffc0537b08f2b8e752a75e940c3a004021cb7d18b0511014b28a98273a09a1.exe
- Resource: win7-20241023-en
Behavioral task: behavioral2
- Sample: c0ffc0537b08f2b8e752a75e940c3a004021cb7d18b0511014b28a98273a09a1.exe
- Resource: win10v2004-20241007-en
General
- Target: c0ffc0537b08f2b8e752a75e940c3a004021cb7d18b0511014b28a98273a09a1.exe
- Size: 229KB
- MD5: 70eacd9f022d3229dd2ce201fc6c7391
- SHA1: 7a5846082eb2404ca64cfeea5ebb2ed9a062d8fe
- SHA256: c0ffc0537b08f2b8e752a75e940c3a004021cb7d18b0511014b28a98273a09a1
- SHA512: f51e5e2d12eabb8e25f7e41d3f73d401e7384a6cde8d473f27116ac7858cada614664e7f20732cefdf71e6170b306b78a8e47e684db5e1c05888f9701122a5e6
- SSDEEP: 3072:URtnaxdjv3SoCrKdKUUTNHY5Snf8TvHTxK3STrOdHa5S2jbxWGqJsS:dj8rKdKUUhHYE0T7ciXOdHa5SbGqJx
Malware Config
Signatures
- Event Triggered Execution: AppInit DLLs (1 TTPs)
  Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
- Executes dropped EXE (1 IoCs)
  PID 2112: grzejjh.exe
- Drops file in Program Files directory (2 IoCs)
  File created: C:\PROGRA~3\Mozilla\grzejjh.exe (process: c0ffc0537b08f2b8e752a75e940c3a004021cb7d18b0511014b28a98273a09a1.exe)
  File created: C:\PROGRA~3\Mozilla\clclgsb.dll (process: grzejjh.exe)
- System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: c0ffc0537b08f2b8e752a75e940c3a004021cb7d18b0511014b28a98273a09a1.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: grzejjh.exe)
- Suspicious use of UnmapMainImage (2 IoCs)
  PID 2144: c0ffc0537b08f2b8e752a75e940c3a004021cb7d18b0511014b28a98273a09a1.exe
  PID 2112: grzejjh.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 2372 wrote to memory of 2112 (process: taskeng.exe, procid_target: 31)
  PID 2372 wrote to memory of 2112 (process: taskeng.exe, procid_target: 31)
  PID 2372 wrote to memory of 2112 (process: taskeng.exe, procid_target: 31)
  PID 2372 wrote to memory of 2112 (process: taskeng.exe, procid_target: 31)
Processes
- C:\Users\Admin\AppData\Local\Temp\c0ffc0537b08f2b8e752a75e940c3a004021cb7d18b0511014b28a98273a09a1.exe (PID 2144)
  Command line: "C:\Users\Admin\AppData\Local\Temp\c0ffc0537b08f2b8e752a75e940c3a004021cb7d18b0511014b28a98273a09a1.exe"
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
- C:\Windows\system32\taskeng.exe (PID 2372)
  Command line: taskeng.exe {536E9526-578B-4673-97D0-BA253A57BA99} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  - C:\PROGRA~3\Mozilla\grzejjh.exe (PID 2112, child of taskeng.exe)
    Command line: C:\PROGRA~3\Mozilla\grzejjh.exe -kaflank
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 229KB
  MD5: 8c98d2caf195282645b2792fcbc9a93b
  SHA1: 42e5635344d624c1eb8869ee1c1b1db65d180354
  SHA256: ea5373f870aedec9f625afb56cf4e9ea19e3640ca39972d6a2013c5d7a176225
  SHA512: 65195f8b6ac7e07f5f5078e2059da3f275546d1bec7a406583806fa524a2bd15fa6ce0173b2be62fbc1795e4a6f17a673f6edaf29dec31c4eb61503cbc2c3cdd