241d5e932144d6bf59010cad15af1524ea22da9152d3ab6f1639a8d47be28000

Analysis

max time kernel
91s
max time network
182s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250207-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250207-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
10/02/2025, 04:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VirusSign.2023.11.29/047c7fed39ef255fecdd70e9a870ae19.exe
Size

201KB
MD5

047c7fed39ef255fecdd70e9a870ae19
SHA1

e4a67366dad976acc98df8ae22b7f57908bce6b7
SHA256

66cdae03bb8c51a27b91bfe1d9050ced4e460187e24b0e57a1c293ee0ed7d31e
SHA512

535222afefe3de7da26fa260206928fe0aa5864b7820d0e00c941522dee4c0a7272f059a2483b83922263e7e5776cfbc19d2e655976f6fb5c02aa354b045e62c
SSDEEP

3072:n4CgWgTsDAJJRjOV2/pwb5ryT5tlDhB2IFTLFZhh2D+0caj3kyRACAbpn:n4Cg3JJF35tlDhB2Cn9ozO

Score

8^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Downloads MZ/PE file 1 IoCs

flow	pid	Process
26	4200	Process not Found

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Executes dropped EXE 1 IoCs

pid	Process
3936	kwforzi.exe

Loads dropped DLL 2 IoCs

pid	Process
1160	Process not Found
3832	MicrosoftEdgeUpdate.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\kwforzi.exe	047c7fed39ef255fecdd70e9a870ae19.exe
File created	C:\PROGRA~3\Mozilla\lksxdrg.dll	kwforzi.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	047c7fed39ef255fecdd70e9a870ae19.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	kwforzi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3832	MicrosoftEdgeUpdate.exe

C:\Users\Admin\AppData\Local\Temp\VirusSign.2023.11.29\047c7fed39ef255fecdd70e9a870ae19.exe
"C:\Users\Admin\AppData\Local\Temp\VirusSign.2023.11.29\047c7fed39ef255fecdd70e9a870ae19.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:5096

C:\PROGRA~3\Mozilla\kwforzi.exe
"C:\PROGRA~3\Mozilla\kwforzi.exe" -dawiryc
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3936

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MjZFOTFEQzUtQUNFRC00QTI4LUFDRkItN0EwN0E5MDZBODJBfSIgdXNlcmlkPSJ7OTU2MDI1MTgtMDJFRC00RTEyLUI5ODctRjQ3ODhGOUU1NDBGfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7RDZCMkRCOTktM0RENy00NDU4LTlBNzUtNEM2RjVBQ0IxOEU4fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0NC40NTI5IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iMTI1IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtyNDUydDErazJUZ3EvSFh6anZGTkJSaG9wQldSOXNialh4cWVVREg5dVgwPSZxdW90OyIvPjxhcHAgYXBwaWQ9Ins4QTY5RDM0NS1ENTY0LTQ2M2MtQUZGMS1BNjlEOUU1MzBGOTZ9IiB2ZXJzaW9uPSIxMjMuMC42MzEyLjEyMyIgbmV4dHZlcnNpb249IiIgbGFuZz0iZW4iIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMiIgaW5zdGFsbGRhdGV0aW1lPSIxNzM4OTM1NTAwIiBvb2JlX2luc3RhbGxfdGltZT0iMTMzODM0MDgwNDYzMTQwMDAwIj48ZXZlbnQgZXZlbnR0eXBlPSIzMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMjE3OTg2MiIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTQzNzY4NjQ3NyIvPjwvYXBwPjwvcmVxdWVzdD4
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:3832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Privilege Escalation

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Mozilla\kwforzi.exe

Filesize
201KB

MD5
ef498eb2fcc69cae333e5dfe0d70cbf5

SHA1
fa186c731a810e30bc5aa6ea075ae92c847d16f6

SHA256
bfb51cfa3dae1dc3477b25e06b047d74e6bece8accf1fedc7e24af7a57fbf8ec

SHA512
ef83b3bcb658a765a1c3329d6aded89a9a0850343d5fd84c9839086cf497a29ad8401626c4d9967eaea29265ed4c2d2e82259525d669d7667c7d5598a1f5483a

Download Submit
C:\ProgramData\Mozilla\lksxdrg.dll

Filesize
47KB

MD5
83e1e47cb88de110861274ae345e6a5e

SHA1
46bfd6ca0514d1dfd288845067f5a28912f72823

SHA256
6051895c049484841fd01ecb397cdee48f8553523e462445d3331607b7d22082

SHA512
91d8a945e3debb3bcaf3548bd791cea0197d372568214fed06cf3517d16a31d359b6686340bec393e0794e3d6f788713ef5abacadc1348d81621368c911ffe8b

Download Submit
memory/3832-17-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download
memory/3832-19-0x0000000000EC0000-0x0000000000ED6000-memory.dmp

Filesize
88KB

Download
memory/3832-20-0x0000000000EC0000-0x0000000000ED6000-memory.dmp

Filesize
88KB

Download
memory/3832-18-0x0000000000820000-0x0000000000836000-memory.dmp

Filesize
88KB

Download
memory/3936-8-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3936-9-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/3936-11-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5096-2-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5096-6-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/5096-1-0x00000000005E0000-0x000000000063B000-memory.dmp

Filesize
364KB

Download
memory/5096-0-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download