f786e9b27371ad8087a45fadfbe0bface98c07ccfc5fb4bd8188cbde439da766

Analysis

max time kernel
43s
max time network
48s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
02/10/2022, 11:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f786e9b27371ad8087a45fadfbe0bface98c07ccfc5fb4bd8188cbde439da766.exe
Size

128KB
MD5

70e7fb1c2faa87b38a7ab84cb1286530
SHA1

ef5e19b5992e803f587a39ea15935ecc02461145
SHA256

f786e9b27371ad8087a45fadfbe0bface98c07ccfc5fb4bd8188cbde439da766
SHA512

5859cba868c136633721ca1f3126399f174379d986d1f35550146da507ed1e25d2e6541496e1f25017883e99e40b308ed200ff64db66c444a4123b03fc52e984
SSDEEP

3072:3IMVZT5GqVXivw0TaWC8hqsCK8k9t3ywG3RY1W9V7K:3IMVhEdo0Tap8hqsChk95yvhO+K

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
332	jjruejn.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\jjruejn.exe	f786e9b27371ad8087a45fadfbe0bface98c07ccfc5fb4bd8188cbde439da766.exe
File created	C:\PROGRA~3\Mozilla\segfnra.dll	jjruejn.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 904 wrote to memory of 332	904	taskeng.exe	28
PID 904 wrote to memory of 332	904	taskeng.exe	28
PID 904 wrote to memory of 332	904	taskeng.exe	28
PID 904 wrote to memory of 332	904	taskeng.exe	28

C:\Users\Admin\AppData\Local\Temp\f786e9b27371ad8087a45fadfbe0bface98c07ccfc5fb4bd8188cbde439da766.exe
"C:\Users\Admin\AppData\Local\Temp\f786e9b27371ad8087a45fadfbe0bface98c07ccfc5fb4bd8188cbde439da766.exe"
1⤵
- Drops file in Program Files directory
PID:1184

C:\Windows\system32\taskeng.exe
taskeng.exe {F3F73823-D8A6-4239-B7D7-78C7A9CC7FC5} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:904
- C:\PROGRA~3\Mozilla\jjruejn.exe
  C:\PROGRA~3\Mozilla\jjruejn.exe -npivonl
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:332

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\jjruejn.exe

Filesize
128KB

MD5
d903b8864cc4dcc4e2aa46614bcc61a6

SHA1
4421f0a335ea9f4b994202fb1c60c6cb1238cc46

SHA256
966b8f0678edaac0326a31a02d9464b177409f7371e472398e3a59f36f7ee13f

SHA512
34c9e83069c51a0ee2495c25e89945b918885237a159674d18cc351d7449fb41652805200a4cdfa9070bf86988d68f5a5e57084d856ad261d7c17963e23a555e

Download Submit
C:\PROGRA~3\Mozilla\jjruejn.exe

Filesize
128KB

MD5
d903b8864cc4dcc4e2aa46614bcc61a6

SHA1
4421f0a335ea9f4b994202fb1c60c6cb1238cc46

SHA256
966b8f0678edaac0326a31a02d9464b177409f7371e472398e3a59f36f7ee13f

SHA512
34c9e83069c51a0ee2495c25e89945b918885237a159674d18cc351d7449fb41652805200a4cdfa9070bf86988d68f5a5e57084d856ad261d7c17963e23a555e

Download Submit
memory/332-65-0x00000000003A0000-0x00000000003FB000-memory.dmp

Filesize
364KB

Download
memory/1184-54-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/1184-55-0x0000000075A11000-0x0000000075A13000-memory.dmp

Filesize
8KB

Download
memory/1184-56-0x0000000000550000-0x00000000005AB000-memory.dmp

Filesize
364KB

Download