0a4b44d4eb32466a0f0a5fc70828a877e439e63dc2bc6f1561f541083195d12b

Analysis

max time kernel
68s
max time network
17s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/11/2024, 18:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a4b44d4eb32466a0f0a5fc70828a877e439e63dc2bc6f1561f541083195d12b.exe
Size

128KB
MD5

6a73c73d3dd41294cd14a968f81cf329
SHA1

f9ed03c5c81d3fb1d1123f904ec148f87f9145a7
SHA256

0a4b44d4eb32466a0f0a5fc70828a877e439e63dc2bc6f1561f541083195d12b
SHA512

c39c2142a6fe12fb0c34bf5f40f1c3eb8ecb69df353be810c967f1a9325f4c1e3b5558aa6c3a226f811969a33635b529ebb728204fc76667a9da4e3e839a7238
SSDEEP

3072:8VMGKIbIaw8/HthUEkm+BC3K5eqU+BC3K5eqYroW:pGKmpnhxK70K7S

Score

8^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Executes dropped EXE 1 IoCs

pid	Process
2796	rgjhinb.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\rgjhinb.exe	0a4b44d4eb32466a0f0a5fc70828a877e439e63dc2bc6f1561f541083195d12b.exe
File created	C:\PROGRA~3\Mozilla\dncdida.dll	rgjhinb.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0a4b44d4eb32466a0f0a5fc70828a877e439e63dc2bc6f1561f541083195d12b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rgjhinb.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 2796	1364	taskeng.exe	31
PID 1364 wrote to memory of 2796	1364	taskeng.exe	31
PID 1364 wrote to memory of 2796	1364	taskeng.exe	31
PID 1364 wrote to memory of 2796	1364	taskeng.exe	31

C:\Users\Admin\AppData\Local\Temp\0a4b44d4eb32466a0f0a5fc70828a877e439e63dc2bc6f1561f541083195d12b.exe
"C:\Users\Admin\AppData\Local\Temp\0a4b44d4eb32466a0f0a5fc70828a877e439e63dc2bc6f1561f541083195d12b.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:2224

C:\Windows\system32\taskeng.exe
taskeng.exe {7060E397-08A1-4C64-9762-8442276D7661} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1364
- C:\PROGRA~3\Mozilla\rgjhinb.exe
  C:\PROGRA~3\Mozilla\rgjhinb.exe -zxwokof
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:2796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Privilege Escalation

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\rgjhinb.exe

Filesize
128KB

MD5
75c3cfa2566e200063fcf37115566618

SHA1
69b49fa6dfe71f63f23ca512c6f607edf3fd92ef

SHA256
00dfb0fac5c01528326e6ec84d8cad4a6feb1602d4151c559324ae6fa6c3854e

SHA512
9a56fec48b782b188c1b78f8726243240515dd900fd9d2c7fcd018aa60dd2f03600f07c264c7df557a3cb4e3fad3195268db89d9af242a2f67cf583c8dea7f18

Download Submit
memory/2224-0-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2224-2-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2796-5-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2796-7-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download