fb5b82efd2a67768b8d0b454ba0090d6efa251831949dd522f0e64e9aaea7b87

Analysis

max time kernel
44s
max time network
48s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
02-10-2022 11:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb5b82efd2a67768b8d0b454ba0090d6efa251831949dd522f0e64e9aaea7b87.exe
Size

470KB
MD5

4cf95efe37da0fe5aa01e38d6a498820
SHA1

3a46d731c2544672c02b1296ff66aa96e1611c30
SHA256

fb5b82efd2a67768b8d0b454ba0090d6efa251831949dd522f0e64e9aaea7b87
SHA512

463d98beb4f9814048dae0a97567b65108930c889efb9b89736453b2034fde152685fa0c91aa7e36f4d3c35f1db816df81cfaafb336cdadcf7bde1f6286670a4
SSDEEP

12288:51i/ljo6d94Z2NC+H07HQP4pgIHy0/GqBcL4DGsxv3FAh:51i9Igs57HQPzIXGqy0K2tw

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1100	jjruejn.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\segfnra.dll	jjruejn.exe
File created	C:\PROGRA~3\Mozilla\jjruejn.exe	fb5b82efd2a67768b8d0b454ba0090d6efa251831949dd522f0e64e9aaea7b87.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 764 wrote to memory of 1100	764	taskeng.exe	28
PID 764 wrote to memory of 1100	764	taskeng.exe	28
PID 764 wrote to memory of 1100	764	taskeng.exe	28
PID 764 wrote to memory of 1100	764	taskeng.exe	28

C:\Users\Admin\AppData\Local\Temp\fb5b82efd2a67768b8d0b454ba0090d6efa251831949dd522f0e64e9aaea7b87.exe
"C:\Users\Admin\AppData\Local\Temp\fb5b82efd2a67768b8d0b454ba0090d6efa251831949dd522f0e64e9aaea7b87.exe"
1⤵
- Drops file in Program Files directory
PID:620

C:\Windows\system32\taskeng.exe
taskeng.exe {DECE5F90-1854-404B-8368-1EC8A2313614} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:764
- C:\PROGRA~3\Mozilla\jjruejn.exe
  C:\PROGRA~3\Mozilla\jjruejn.exe -npivonl
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1100

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\jjruejn.exe

Filesize
470KB

MD5
dfed96034f9e23e3e9d470f42b1e5d45

SHA1
62c6b1f07e26e37b9f42dc3334a31934f868d92b

SHA256
a6cb806e14b33c41419a502910704c7aafffa2f71f558d0632cfa4b1e9f05dc3

SHA512
d33ccaecf655c22be1eede9310ba5fa3f4a0c5475c68a5b7dcb3c9626bc42e17d308564ea86310990772c5cb0b95bafd2c69dd770560d59e2ef4b8f7e1416929

Download Submit
C:\PROGRA~3\Mozilla\jjruejn.exe

Filesize
470KB

MD5
dfed96034f9e23e3e9d470f42b1e5d45

SHA1
62c6b1f07e26e37b9f42dc3334a31934f868d92b

SHA256
a6cb806e14b33c41419a502910704c7aafffa2f71f558d0632cfa4b1e9f05dc3

SHA512
d33ccaecf655c22be1eede9310ba5fa3f4a0c5475c68a5b7dcb3c9626bc42e17d308564ea86310990772c5cb0b95bafd2c69dd770560d59e2ef4b8f7e1416929

Download Submit
memory/620-54-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/620-55-0x0000000075711000-0x0000000075713000-memory.dmp

Filesize
8KB

Download
memory/620-56-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download