a7f6d045d1a78e7bb56ab8e5691c871985fd114ef10cfcb8e95f07c7936a5e95

Analysis

max time kernel
42s
max time network
48s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
02/10/2022, 07:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a7f6d045d1a78e7bb56ab8e5691c871985fd114ef10cfcb8e95f07c7936a5e95.exe
Size

200KB
MD5

7945743f3d02c4b1e3a3af2465590b10
SHA1

f15984509b5904ad705ac868970a1feafb95bbdd
SHA256

a7f6d045d1a78e7bb56ab8e5691c871985fd114ef10cfcb8e95f07c7936a5e95
SHA512

ffa3980d78554c2b26ced244dc2573de74ffcec2645cd010cafe13f35aa165212a07f92e6f68bcb5cf39d4a36b8ffdd5cd4e3d1091ade4e8d3a9e477d1e8d9c8
SSDEEP

3072:+eDJHh2QdP8cIltNnTbNf1TTU0cl4UdbI3Cdic1h6qFs3DXwUSxgBR:hNwmoNnTd1vqTI3H6h60wDAKBR

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1236	jjruejn.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\jjruejn.exe	a7f6d045d1a78e7bb56ab8e5691c871985fd114ef10cfcb8e95f07c7936a5e95.exe
File created	C:\PROGRA~3\Mozilla\segfnra.dll	jjruejn.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1760	a7f6d045d1a78e7bb56ab8e5691c871985fd114ef10cfcb8e95f07c7936a5e95.exe
1236	jjruejn.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 1236	2040	taskeng.exe	28
PID 2040 wrote to memory of 1236	2040	taskeng.exe	28
PID 2040 wrote to memory of 1236	2040	taskeng.exe	28
PID 2040 wrote to memory of 1236	2040	taskeng.exe	28

C:\Users\Admin\AppData\Local\Temp\a7f6d045d1a78e7bb56ab8e5691c871985fd114ef10cfcb8e95f07c7936a5e95.exe
"C:\Users\Admin\AppData\Local\Temp\a7f6d045d1a78e7bb56ab8e5691c871985fd114ef10cfcb8e95f07c7936a5e95.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
PID:1760

C:\Windows\system32\taskeng.exe
taskeng.exe {F95A1556-D807-491F-811E-016B114CBC69} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2040
- C:\PROGRA~3\Mozilla\jjruejn.exe
  C:\PROGRA~3\Mozilla\jjruejn.exe -npivonl
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
  PID:1236

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\jjruejn.exe

Filesize
200KB

MD5
25864cb6780fb772279289e4732211ae

SHA1
b268c46dbc094f536c12d97f868f861477522b65

SHA256
028266959b31e2e4383e3705ff39fca004f98f2a3b9b39a142db30ab1347abc5

SHA512
6e29361c610aa71bd6ae2d937c7a82b9c6ca75027eda22e468a79ae422e5a4301ef259fa8e8079955c6296a1d054cde055b42803d4cbe1763f923d3af6089b0a

Download Submit
C:\PROGRA~3\Mozilla\jjruejn.exe

Filesize
200KB

MD5
25864cb6780fb772279289e4732211ae

SHA1
b268c46dbc094f536c12d97f868f861477522b65

SHA256
028266959b31e2e4383e3705ff39fca004f98f2a3b9b39a142db30ab1347abc5

SHA512
6e29361c610aa71bd6ae2d937c7a82b9c6ca75027eda22e468a79ae422e5a4301ef259fa8e8079955c6296a1d054cde055b42803d4cbe1763f923d3af6089b0a

Download Submit
memory/1236-62-0x0000000000460000-0x00000000004BB000-memory.dmp

Filesize
364KB

Download
memory/1236-63-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1236-64-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1760-54-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/1760-55-0x0000000000260000-0x00000000002BB000-memory.dmp

Filesize
364KB

Download
memory/1760-56-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1760-57-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download