24a22fdc2befc773a725b68d6b42c942afeaae59032b8bea34d8028d42e63bb4

Analysis

max time kernel
44s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
01/10/2022, 22:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

24a22fdc2befc773a725b68d6b42c942afeaae59032b8bea34d8028d42e63bb4.exe
Size

655KB
MD5

72e577a6b32de43aa7d746fe63ccdab0
SHA1

39161d75e0ed5eb44f38d16fa3dd7a18451e6435
SHA256

24a22fdc2befc773a725b68d6b42c942afeaae59032b8bea34d8028d42e63bb4
SHA512

a4768908655f23bc09211261874efd15791ce6b715872a88563de58f80df0fc4f29547d154b4b6c6f7fac09806b2a64aeff0d36c5e65c6f1bc33489d7ee63cdd
SSDEEP

12288:PEFmKTTlheOxKPkNEzeRZ7MyuW2RW2ERo9QJdE8VxQiHPU5M0d:8FJheNeRFMu2w2yDdE8VxQ6sy0d

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
456	jjruejn.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\segfnra.dll	jjruejn.exe
File created	C:\PROGRA~3\Mozilla\jjruejn.exe	24a22fdc2befc773a725b68d6b42c942afeaae59032b8bea34d8028d42e63bb4.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1020 wrote to memory of 456	1020	taskeng.exe	28
PID 1020 wrote to memory of 456	1020	taskeng.exe	28
PID 1020 wrote to memory of 456	1020	taskeng.exe	28
PID 1020 wrote to memory of 456	1020	taskeng.exe	28

C:\Users\Admin\AppData\Local\Temp\24a22fdc2befc773a725b68d6b42c942afeaae59032b8bea34d8028d42e63bb4.exe
"C:\Users\Admin\AppData\Local\Temp\24a22fdc2befc773a725b68d6b42c942afeaae59032b8bea34d8028d42e63bb4.exe"
1⤵
- Drops file in Program Files directory
PID:1284

C:\Windows\system32\taskeng.exe
taskeng.exe {BFC5BC3E-20D2-4101-A07E-520C2BDDAFFC} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1020
- C:\PROGRA~3\Mozilla\jjruejn.exe
  C:\PROGRA~3\Mozilla\jjruejn.exe -npivonl
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:456

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\jjruejn.exe

Filesize
655KB

MD5
f7d97c0fb044ddf0f682de399db70d5c

SHA1
fea5efc8fc31c165e8baf3b4f3ac5deffd616f2c

SHA256
bbbdc2b3c4a10d4b018a7976fe29dcf9644879f2e747e7a5fd0d6260c74f458c

SHA512
183e194d3b4c865dcdf911b1d640f70ecc022c17918e48acd63be4fc9780c3fdf1719ef84c230da7b071b076e3ec8c18ff27a98ff499edd445d941b10dfa2bd9

Download Submit
C:\PROGRA~3\Mozilla\jjruejn.exe

Filesize
655KB

MD5
f7d97c0fb044ddf0f682de399db70d5c

SHA1
fea5efc8fc31c165e8baf3b4f3ac5deffd616f2c

SHA256
bbbdc2b3c4a10d4b018a7976fe29dcf9644879f2e747e7a5fd0d6260c74f458c

SHA512
183e194d3b4c865dcdf911b1d640f70ecc022c17918e48acd63be4fc9780c3fdf1719ef84c230da7b071b076e3ec8c18ff27a98ff499edd445d941b10dfa2bd9

Download Submit
memory/456-68-0x0000000000430000-0x000000000048B000-memory.dmp

Filesize
364KB

Download
memory/456-67-0x000000000043A000-0x000000000047D000-memory.dmp

Filesize
268KB

Download
memory/1284-54-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1284-55-0x00000000762E1000-0x00000000762E3000-memory.dmp

Filesize
8KB

Download
memory/1284-56-0x0000000001CD0000-0x0000000001D2B000-memory.dmp

Filesize
364KB

Download