Analysis
max time kernel: 122s
max time network: 128s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 12/11/2024, 14:16
Static task: static1
Behavioral task: behavioral1
  Sample: 2c7fdaa7be7b5e2fe8555b328658f1e0e9907bc115c2ea28c1f9e2a4415491c1.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 2c7fdaa7be7b5e2fe8555b328658f1e0e9907bc115c2ea28c1f9e2a4415491c1.exe
  Resource: win10v2004-20241007-en
General
Target: 2c7fdaa7be7b5e2fe8555b328658f1e0e9907bc115c2ea28c1f9e2a4415491c1.exe
Size: 271KB
MD5: a42c05f61e90f054d498b4a2126f9eb6
SHA1: aa078c9938e15d3363b3bf4d2ecd09a82a5ca9c8
SHA256: 2c7fdaa7be7b5e2fe8555b328658f1e0e9907bc115c2ea28c1f9e2a4415491c1
SHA512: 721d6889c7436bd3cd278b4994e49ac9c27c2e09b940e25537758b7fa71c1bcd23c04f72748e37b4b70af635fef6598ae545d3d92a9da00c7f2ca27b5e889821
SSDEEP: 6144:zGOdIWe48wn1obslh391UmaFyjDZSbGqJf:zGOdRn1obsl5XURQFSv
Malware Config
Signatures
Event Triggered Execution: AppInit DLLs (1 TTPs)
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

Executes dropped EXE (1 IoCs)
  pid   Process
  2792  unidtrd.exe

Drops file in Program Files directory (2 IoCs)
  description   ioc                              Process
  File created  C:\PROGRA~3\Mozilla\unidtrd.exe  2c7fdaa7be7b5e2fe8555b328658f1e0e9907bc115c2ea28c1f9e2a4415491c1.exe
  File created  C:\PROGRA~3\Mozilla\soforsm.dll  unidtrd.exe

System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  2c7fdaa7be7b5e2fe8555b328658f1e0e9907bc115c2ea28c1f9e2a4415491c1.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  unidtrd.exe

Suspicious use of UnmapMainImage (2 IoCs)
  pid   Process
  1064  2c7fdaa7be7b5e2fe8555b328658f1e0e9907bc115c2ea28c1f9e2a4415491c1.exe
  2792  unidtrd.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  description                       pid   Process      procid_target
  PID 2700 wrote to memory of 2792  2700  taskeng.exe  31
  PID 2700 wrote to memory of 2792  2700  taskeng.exe  31
  PID 2700 wrote to memory of 2792  2700  taskeng.exe  31
  PID 2700 wrote to memory of 2792  2700  taskeng.exe  31
Processes
C:\Users\Admin\AppData\Local\Temp\2c7fdaa7be7b5e2fe8555b328658f1e0e9907bc115c2ea28c1f9e2a4415491c1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2c7fdaa7be7b5e2fe8555b328658f1e0e9907bc115c2ea28c1f9e2a4415491c1.exe"
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of UnmapMainImage
  PID: 1064

C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {6AA4C061-C6CC-4C3A-9637-B163578A0525} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  PID: 2700

  C:\PROGRA~3\Mozilla\unidtrd.exe (child of PID 2700)
    Command line: C:\PROGRA~3\Mozilla\unidtrd.exe -esjphrh
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of UnmapMainImage
    PID: 2792
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 271KB
MD5: c67fc458f18d3d8c314a42d1db682561
SHA1: 788cbdae7d559c4cc903f4aeca719e9003940fc6
SHA256: 3948b00bcd2acf51f3b416597caa20d5e272115adc82a4d3ff145cf381ff04ab
SHA512: e167aab4dbb0cad7fca8475fa17e9a2e90662480657958480797382bf20ac492a0e0cff54b3e2fac376c7f2f12c4207202cfcc54c0266d20de4f6ca05361e507