Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    12/11/2024, 13:51

General

  • Target

    58c7a9bcc2c097634972bb2a70d9f0648163d3058e079715372c44c8621a1eb2N.exe

  • Size

    229KB

  • MD5

    3f26c83e31e557b982d910c3fa033936

  • SHA1

    099425a36cddbd317350599a13c1ca69476e9cc5

  • SHA256

    5b476a7574d83bcd132690becf2cb8f42e9f3eeb40d478a81e5343ff4c856a39

  • SHA512

    8cbdf90c4749589e1e76eaa4f3dcdd831cd14b4ecd3e75aadadaa81eac7a06691912f7b15c947c05f07dfa943b7b497845d5cee3612e782a3d8214d51f2a1906

  • SSDEEP

    3072:oTNkXHfvl0awuW22s1z/7zLou7YPUpUld9tSMsCNjqaoMrV2eEwSXsHTS:o2fvloM1T7r7YMpRBMVPS

Malware Config

Signatures

  • Event Triggered Execution: AppInit DLLs 1 TTPs

    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

  • Executes dropped EXE 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of UnmapMainImage 2 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\58c7a9bcc2c097634972bb2a70d9f0648163d3058e079715372c44c8621a1eb2N.exe
    "C:\Users\Admin\AppData\Local\Temp\58c7a9bcc2c097634972bb2a70d9f0648163d3058e079715372c44c8621a1eb2N.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of UnmapMainImage
    PID:1620
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {51346560-8CDE-4E3F-87DA-B88D8191EF17} S-1-5-18:NT AUTHORITY\System:Service:
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2568
    • C:\PROGRA~3\Mozilla\cpfmqte.exe
      C:\PROGRA~3\Mozilla\cpfmqte.exe -lecvesj
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of UnmapMainImage
      PID:1556

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\PROGRA~3\Mozilla\cpfmqte.exe

          Filesize

          229KB

          MD5

          f97cd0fe3bbc3694e68ed0cdb782136d

          SHA1

          89337e938715206c7ae7466dddd84d8bd2f654a2

          SHA256

          ffe5531e7f60f7aef405eef7812d951784531d2512552b342f9ca11c9afec79b

          SHA512

          116f1cbed7cd2ab721ca0ddac157e853ae62ed79ac145e12d8b7be57df05f4c79f5256abdbfcf9559edd153d0bb79437b4b0de7699a3390f6415dbd6c43e1621

        • memory/1556-7-0x0000000000400000-0x000000000045B000-memory.dmp

          Filesize

          364KB

        • memory/1556-6-0x0000000000460000-0x00000000004BB000-memory.dmp

          Filesize

          364KB

        • memory/1556-9-0x0000000000400000-0x000000000045B000-memory.dmp

          Filesize

          364KB

        • memory/1620-1-0x0000000000400000-0x000000000045B000-memory.dmp

          Filesize

          364KB

        • memory/1620-0-0x0000000000350000-0x00000000003AB000-memory.dmp

          Filesize

          364KB

        • memory/1620-3-0x0000000000400000-0x000000000045B000-memory.dmp

          Filesize

          364KB