6582aab70a912cc86a133f5b91272ebf681bd0a0247bb33993e796e9787ca46f

Analysis

max time kernel
42s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/10/2022, 01:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

6582aab70a912cc86a133f5b91272ebf681bd0a0247bb33993e796e9787ca46f.exe
Size

266KB
MD5

70a1aee69912d7f35ac04c4837a11eb0
SHA1

da0dd5a6ba7eb2a2dac71f434fe4c649a6a845f3
SHA256

6582aab70a912cc86a133f5b91272ebf681bd0a0247bb33993e796e9787ca46f
SHA512

1286c0360c9b5a5a7e2c8aaa14c9ee55441607788d0a53de97409712aa1086c3efd512a96695a92b95b1df94a98ce2ca199b36610208fee67fa66782d5fe606b
SSDEEP

3072:/FT6ZQ8WLjR9mKg9C0ErmMLXLg7jCm+jxqayBTT9LmafsPeHgwS2jbxWGqJsT:R6e8WLjJgk0iX+CZUpTJ9jHgwSbGqJg

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1740	nswitkh.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\nswitkh.exe	6582aab70a912cc86a133f5b91272ebf681bd0a0247bb33993e796e9787ca46f.exe
File created	C:\PROGRA~3\Mozilla\zgooxfa.dll	nswitkh.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1944	6582aab70a912cc86a133f5b91272ebf681bd0a0247bb33993e796e9787ca46f.exe
1740	nswitkh.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1380 wrote to memory of 1740	1380	taskeng.exe	28
PID 1380 wrote to memory of 1740	1380	taskeng.exe	28
PID 1380 wrote to memory of 1740	1380	taskeng.exe	28
PID 1380 wrote to memory of 1740	1380	taskeng.exe	28

C:\Users\Admin\AppData\Local\Temp\6582aab70a912cc86a133f5b91272ebf681bd0a0247bb33993e796e9787ca46f.exe
"C:\Users\Admin\AppData\Local\Temp\6582aab70a912cc86a133f5b91272ebf681bd0a0247bb33993e796e9787ca46f.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
PID:1944

C:\Windows\system32\taskeng.exe
taskeng.exe {BC5001AD-0C6E-4FD3-A032-91A890EAFC5E} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1380
- C:\PROGRA~3\Mozilla\nswitkh.exe
  C:\PROGRA~3\Mozilla\nswitkh.exe -vhgoixm
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
  PID:1740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\nswitkh.exe

Filesize
266KB

MD5
3bac986baa2c4e3261f7d1962462e0ad

SHA1
ed529a218d016540f4e1993df95acb550d75c913

SHA256
cea1b90465aeecf2cf9b631ef3f300513877560ac019349873bf88ee7991c641

SHA512
c505e2e4150d122d04f5aeec540784acf38276cfa504b50901bbd8392c6317e27da21b4bf8dd8aa61ae4e6f79eb04c5a9840835f0d0f007f6b64b0f7996f1f7e

Download Submit
C:\PROGRA~3\Mozilla\nswitkh.exe

Filesize
266KB

MD5
3bac986baa2c4e3261f7d1962462e0ad

SHA1
ed529a218d016540f4e1993df95acb550d75c913

SHA256
cea1b90465aeecf2cf9b631ef3f300513877560ac019349873bf88ee7991c641

SHA512
c505e2e4150d122d04f5aeec540784acf38276cfa504b50901bbd8392c6317e27da21b4bf8dd8aa61ae4e6f79eb04c5a9840835f0d0f007f6b64b0f7996f1f7e

Download Submit
memory/1740-64-0x0000000000250000-0x00000000002AC000-memory.dmp

Filesize
368KB

Download
memory/1740-63-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1740-65-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1944-54-0x0000000075CF1000-0x0000000075CF3000-memory.dmp

Filesize
8KB

Download
memory/1944-55-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1944-56-0x0000000001BF0000-0x0000000001C4C000-memory.dmp

Filesize
368KB

Download
memory/1944-57-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1944-58-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download