957882460a071cfa0cc0859701a24f7ec12d4729cf816b0899a0d0dca298b638

Analysis

max time kernel
74s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02/10/2022, 21:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

957882460a071cfa0cc0859701a24f7ec12d4729cf816b0899a0d0dca298b638.exe
Size

304KB
MD5

71beaba0e5b85d6f24b58dd2a3c5eaa0
SHA1

0aaffa33a2b4c5e1249cee6dc038db7452e75bea
SHA256

957882460a071cfa0cc0859701a24f7ec12d4729cf816b0899a0d0dca298b638
SHA512

db7c84f2175f816d504dff9ed7c0045a3410ac87be707dec61ee920b67b518f3d60b5c11b594aaca07e4e834cebe1d217adbb52b5482dfe464d99a4d4b33b251
SSDEEP

6144:T44b7czK+MOjoF3/di++08qvFsRcfJgohePbrzZ7tfYIKpnzrF:84fijVjo1FimlvybohePptgIqt

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2036	nswitkh.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\nswitkh.exe	957882460a071cfa0cc0859701a24f7ec12d4729cf816b0899a0d0dca298b638.exe
File created	C:\PROGRA~3\Mozilla\zgooxfa.dll	nswitkh.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1832	957882460a071cfa0cc0859701a24f7ec12d4729cf816b0899a0d0dca298b638.exe
2036	nswitkh.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 2036	2024	taskeng.exe	28
PID 2024 wrote to memory of 2036	2024	taskeng.exe	28
PID 2024 wrote to memory of 2036	2024	taskeng.exe	28
PID 2024 wrote to memory of 2036	2024	taskeng.exe	28

C:\Users\Admin\AppData\Local\Temp\957882460a071cfa0cc0859701a24f7ec12d4729cf816b0899a0d0dca298b638.exe
"C:\Users\Admin\AppData\Local\Temp\957882460a071cfa0cc0859701a24f7ec12d4729cf816b0899a0d0dca298b638.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
PID:1832

C:\Windows\system32\taskeng.exe
taskeng.exe {67A561F8-0A9F-4B32-9A57-A4D704C276B6} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2024
- C:\PROGRA~3\Mozilla\nswitkh.exe
  C:\PROGRA~3\Mozilla\nswitkh.exe -vhgoixm
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
  PID:2036

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\nswitkh.exe

Filesize
304KB

MD5
e99613b2e83a884c7d5cd35969fcd6a4

SHA1
f4630fd39d16aeef3a1299f5a89b2f27e3f57888

SHA256
93b4e75122ef56b4f4cbe2f5133c8f0effa25b140412b976b75fad469500782f

SHA512
1f4f9ae19e014bd617729a047cf2e98c806f0e56dde6cdeb8b4c6a668620ee96c662cd6ceb5b8de633d963ce317cdbb16f9f73deb9a726326f6ea6e753b642bd

Download Submit
C:\PROGRA~3\Mozilla\nswitkh.exe

Filesize
304KB

MD5
e99613b2e83a884c7d5cd35969fcd6a4

SHA1
f4630fd39d16aeef3a1299f5a89b2f27e3f57888

SHA256
93b4e75122ef56b4f4cbe2f5133c8f0effa25b140412b976b75fad469500782f

SHA512
1f4f9ae19e014bd617729a047cf2e98c806f0e56dde6cdeb8b4c6a668620ee96c662cd6ceb5b8de633d963ce317cdbb16f9f73deb9a726326f6ea6e753b642bd

Download Submit
memory/1832-54-0x0000000075601000-0x0000000075603000-memory.dmp

Filesize
8KB

Download
memory/1832-55-0x0000000000460000-0x00000000004BB000-memory.dmp

Filesize
364KB

Download
memory/1832-56-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1832-57-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1832-58-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2036-63-0x0000000000900000-0x000000000095B000-memory.dmp

Filesize
364KB

Download
memory/2036-64-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2036-65-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download