ac001d06651ca66b17576e961fb01c90c821461497040a33780dc573babeec7a

Analysis

max time kernel
86s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/10/2022, 08:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac001d06651ca66b17576e961fb01c90c821461497040a33780dc573babeec7a.exe
Size

208KB
MD5

5696470dab2dd05cc18b4c194e584240
SHA1

e2e294a21ccc0ea6e30a80001436ff273b2e1bd8
SHA256

ac001d06651ca66b17576e961fb01c90c821461497040a33780dc573babeec7a
SHA512

5707972208b1254a379babf050cadfedcfa2b3b34b45ff463f169da61c0f4669110c24b8d308f2b760d48add4a80d3542e12b97a1675386f38eb81edd7fb38aa
SSDEEP

6144:GByL0NrMTObdBq6tsR7rQxFm1u5Gk6R9jw+:wXhBqvVcG1LkY9jw+

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1916	nswitkh.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\nswitkh.exe	ac001d06651ca66b17576e961fb01c90c821461497040a33780dc573babeec7a.exe
File created	C:\PROGRA~3\Mozilla\zgooxfa.dll	nswitkh.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 1916	1684	taskeng.exe	28
PID 1684 wrote to memory of 1916	1684	taskeng.exe	28
PID 1684 wrote to memory of 1916	1684	taskeng.exe	28
PID 1684 wrote to memory of 1916	1684	taskeng.exe	28

C:\Users\Admin\AppData\Local\Temp\ac001d06651ca66b17576e961fb01c90c821461497040a33780dc573babeec7a.exe
"C:\Users\Admin\AppData\Local\Temp\ac001d06651ca66b17576e961fb01c90c821461497040a33780dc573babeec7a.exe"
1⤵
- Drops file in Program Files directory
PID:1108

C:\Windows\system32\taskeng.exe
taskeng.exe {F0C44BA1-99BD-4D47-BAE0-B5C84329EC1D} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1684
- C:\PROGRA~3\Mozilla\nswitkh.exe
  C:\PROGRA~3\Mozilla\nswitkh.exe -vhgoixm
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\nswitkh.exe

Filesize
208KB

MD5
eff393397e69399bfe1d65fe31dc6f01

SHA1
f7175f17d096c458ed0c5827932115deaca3f0e9

SHA256
8139488fe6f97cb82fafe827e8eebc9f0e6fc7cb2194585d06139bb59e78b1d9

SHA512
7a8175c966ac31c3cf3f147fdb326f41f160d520c7ad423e20f31474b4aa50ae9db5567d546d335ef92da1f15db84991402768c1c514d477ecc80fd1e9617067

Download Submit
C:\PROGRA~3\Mozilla\nswitkh.exe

Filesize
208KB

MD5
eff393397e69399bfe1d65fe31dc6f01

SHA1
f7175f17d096c458ed0c5827932115deaca3f0e9

SHA256
8139488fe6f97cb82fafe827e8eebc9f0e6fc7cb2194585d06139bb59e78b1d9

SHA512
7a8175c966ac31c3cf3f147fdb326f41f160d520c7ad423e20f31474b4aa50ae9db5567d546d335ef92da1f15db84991402768c1c514d477ecc80fd1e9617067

Download Submit
memory/1108-54-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1108-55-0x0000000075981000-0x0000000075983000-memory.dmp

Filesize
8KB

Download
memory/1108-56-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1108-59-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1108-60-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1916-64-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1916-66-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1916-69-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1916-70-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download