Analysis
max time kernel: 31s
max time network: 16s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system
submitted: 12/11/2024, 13:53
Static task: static1
Behavioral task: behavioral1
Sample: 40a8661f26ac2485ad055e05bd6dd6f88a895013818fe4d8743a0304b8a83d01N.exe
Resource: win7-20240708-en
Behavioral task: behavioral2
Sample: 40a8661f26ac2485ad055e05bd6dd6f88a895013818fe4d8743a0304b8a83d01N.exe
Resource: win10v2004-20241007-en
General
Target: 40a8661f26ac2485ad055e05bd6dd6f88a895013818fe4d8743a0304b8a83d01N.exe
Size: 312KB
MD5: c3fea3be17f15962c66b77e2fcc3b080
SHA1: 647207c2745ff5d9d0dadee140f55905b543e8ca
SHA256: 40a8661f26ac2485ad055e05bd6dd6f88a895013818fe4d8743a0304b8a83d01
SHA512: 01924b7181e9eba4b142a5114b625f2f4784a5c724e9b6d01f46f8f5f91d54b7ff1700ea8d9059600a8183ace40d45c386c8ab1415e4e86e2aa6dd62ea40ccda
SSDEEP: 6144:YGOXfUdRT6mCo4Em3d1k91UmaFycSbGqJWs6eQ/gM:YGOSRT6mChEm3dOXURtS96H/gM
Malware Config
Signatures
Event Triggered Execution: AppInit DLLs (1 TTPs)
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

Executes dropped EXE (1 IoCs)
pid / Process
2940 yofzeuh.exe

Drops file in Program Files directory (2 IoCs)
description / ioc / Process
File created C:\PROGRA~3\Mozilla\yofzeuh.exe 40a8661f26ac2485ad055e05bd6dd6f88a895013818fe4d8743a0304b8a83d01N.exe
File created C:\PROGRA~3\Mozilla\mkkxkvk.dll yofzeuh.exe

System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 40a8661f26ac2485ad055e05bd6dd6f88a895013818fe4d8743a0304b8a83d01N.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language yofzeuh.exe

Suspicious use of UnmapMainImage (2 IoCs)
pid / Process
1508 40a8661f26ac2485ad055e05bd6dd6f88a895013818fe4d8743a0304b8a83d01N.exe
2940 yofzeuh.exe

Suspicious use of WriteProcessMemory (4 IoCs)
description / pid / Process / procid_target
PID 2792 wrote to memory of 2940 2792 taskeng.exe 31
PID 2792 wrote to memory of 2940 2792 taskeng.exe 31
PID 2792 wrote to memory of 2940 2792 taskeng.exe 31
PID 2792 wrote to memory of 2940 2792 taskeng.exe 31
Processes
C:\Users\Admin\AppData\Local\Temp\40a8661f26ac2485ad055e05bd6dd6f88a895013818fe4d8743a0304b8a83d01N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\40a8661f26ac2485ad055e05bd6dd6f88a895013818fe4d8743a0304b8a83d01N.exe"
  PID: 1508
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage

C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {5942D638-A7BF-45C9-AF24-5A9427963D56} S-1-5-18:NT AUTHORITY\System:Service:
  PID: 2792
  - Suspicious use of WriteProcessMemory
  Child process:
    C:\PROGRA~3\Mozilla\yofzeuh.exe
      Command line: C:\PROGRA~3\Mozilla\yofzeuh.exe -qmgjyzc
      PID: 2940
      - Executes dropped EXE
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of UnmapMainImage
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 312KB
MD5: 6edbd6bc9feead8416e498cafaf01533
SHA1: 8f3e7bf3590cbaa3c6755cb6cc7c0b1d0704f7a2
SHA256: ef7d33120d3ed18d02e630d4f3d46f11d6b01f0decad0e75766e37eb29cab96c
SHA512: e3b41e692dbbb35efde767605c70489fb7b2ccc6c57f00f6cd8a514e6d3ef24d3a17aefe31fa576723286c527ae915109fc988e8aa2d77fae6adaf4782832866