Analysis
max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted
12/11/2024, 13:51
Static task
static1
Behavioral task
behavioral1
Sample
58c7a9bcc2c097634972bb2a70d9f0648163d3058e079715372c44c8621a1eb2N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
58c7a9bcc2c097634972bb2a70d9f0648163d3058e079715372c44c8621a1eb2N.exe
Resource
win10v2004-20241007-en
General
Target
58c7a9bcc2c097634972bb2a70d9f0648163d3058e079715372c44c8621a1eb2N.exe
Size
229KB
MD5
3f26c83e31e557b982d910c3fa033936
SHA1
099425a36cddbd317350599a13c1ca69476e9cc5
SHA256
5b476a7574d83bcd132690becf2cb8f42e9f3eeb40d478a81e5343ff4c856a39
SHA512
8cbdf90c4749589e1e76eaa4f3dcdd831cd14b4ecd3e75aadadaa81eac7a06691912f7b15c947c05f07dfa943b7b497845d5cee3612e782a3d8214d51f2a1906
SSDEEP
3072:oTNkXHfvl0awuW22s1z/7zLou7YPUpUld9tSMsCNjqaoMrV2eEwSXsHTS:o2fvloM1T7r7YMpRBMVPS
Malware Config
Signatures
Event Triggered Execution: AppInit DLLs (1 TTPs)
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

Executes dropped EXE (1 IoCs)
PID    Process
1556   cpfmqte.exe

Drops file in Program Files directory (2 IoCs)
Description    IoC                                Process
File created   C:\PROGRA~3\Mozilla\cpfmqte.exe    58c7a9bcc2c097634972bb2a70d9f0648163d3058e079715372c44c8621a1eb2N.exe
File created   C:\PROGRA~3\Mozilla\zbgopeh.dll    cpfmqte.exe
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Description   IoC                                                                 Process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language         58c7a9bcc2c097634972bb2a70d9f0648163d3058e079715372c44c8621a1eb2N.exe
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language         cpfmqte.exe
Suspicious use of UnmapMainImage (2 IoCs)
PID    Process
1620   58c7a9bcc2c097634972bb2a70d9f0648163d3058e079715372c44c8621a1eb2N.exe
1556   cpfmqte.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Description                          PID    Process       procid_target
PID 2568 wrote to memory of 1556     2568   taskeng.exe   31
PID 2568 wrote to memory of 1556     2568   taskeng.exe   31
PID 2568 wrote to memory of 1556     2568   taskeng.exe   31
PID 2568 wrote to memory of 1556     2568   taskeng.exe   31
Processes
C:\Users\Admin\AppData\Local\Temp\58c7a9bcc2c097634972bb2a70d9f0648163d3058e079715372c44c8621a1eb2N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\58c7a9bcc2c097634972bb2a70d9f0648163d3058e079715372c44c8621a1eb2N.exe"
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  PID: 1620

C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {51346560-8CDE-4E3F-87DA-B88D8191EF17} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  PID: 2568

  C:\PROGRA~3\Mozilla\cpfmqte.exe (child of taskeng.exe)
    Command line: C:\PROGRA~3\Mozilla\cpfmqte.exe -lecvesj
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of UnmapMainImage
    PID: 1556
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize
229KB
MD5
f97cd0fe3bbc3694e68ed0cdb782136d
SHA1
89337e938715206c7ae7466dddd84d8bd2f654a2
SHA256
ffe5531e7f60f7aef405eef7812d951784531d2512552b342f9ca11c9afec79b
SHA512
116f1cbed7cd2ab721ca0ddac157e853ae62ed79ac145e12d8b7be57df05f4c79f5256abdbfcf9559edd153d0bb79437b4b0de7699a3390f6415dbd6c43e1621