f2651441c8e15066d0fca7dd609e4d8070218fc767506af091ff0561ee82dde9

Analysis

max time kernel
45s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
03-10-2022 13:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f2651441c8e15066d0fca7dd609e4d8070218fc767506af091ff0561ee82dde9.exe
Size

222KB
MD5

5e4c3e876c2f70f7c24898c012556840
SHA1

182755ba7283ff55281b5eb22261ef9f86c22985
SHA256

f2651441c8e15066d0fca7dd609e4d8070218fc767506af091ff0561ee82dde9
SHA512

d1c9c639c02490a4831d1ea953ed4e8b77525dbb6b4c9b768b895c1aa6909adf0f3a2361668197398ebe258174d2c50778384fd6b8740190e92c2be1083924ce
SSDEEP

3072:DJC7MKza/YmV7R+y8Io5VHPCaROG2/1iDg61Oe65HvOmzn1aDGrXi:Dw7r6RUxvrOG2/1iDsDRZrXi

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
284	jjruejn.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\jjruejn.exe	f2651441c8e15066d0fca7dd609e4d8070218fc767506af091ff0561ee82dde9.exe
File created	C:\PROGRA~3\Mozilla\segfnra.dll	jjruejn.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1492	f2651441c8e15066d0fca7dd609e4d8070218fc767506af091ff0561ee82dde9.exe
284	jjruejn.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1160 wrote to memory of 284	1160	taskeng.exe	28
PID 1160 wrote to memory of 284	1160	taskeng.exe	28
PID 1160 wrote to memory of 284	1160	taskeng.exe	28
PID 1160 wrote to memory of 284	1160	taskeng.exe	28

C:\Users\Admin\AppData\Local\Temp\f2651441c8e15066d0fca7dd609e4d8070218fc767506af091ff0561ee82dde9.exe
"C:\Users\Admin\AppData\Local\Temp\f2651441c8e15066d0fca7dd609e4d8070218fc767506af091ff0561ee82dde9.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
PID:1492

C:\Windows\system32\taskeng.exe
taskeng.exe {56019283-6A09-4C33-82F5-9620522016AA} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1160
- C:\PROGRA~3\Mozilla\jjruejn.exe
  C:\PROGRA~3\Mozilla\jjruejn.exe -npivonl
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
  PID:284

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\jjruejn.exe

Filesize
222KB

MD5
bcf28d622d87d9417f2931330b83eb3d

SHA1
aa2a4026a46dbf3d8915b17663d12eab485d9091

SHA256
d83618989fb813bbe7bc3a561c0b1852a00b243abe979d2702dbcd62e5ed323a

SHA512
821e971f02d0b015b1bd778d1652bb79bc412eddc3c1daa3b4056845a217ef1ea3097e3425c24459ffd8a342207012ed22e83a5a64ebd8b14c26eb1b95f06365

Download Submit
C:\PROGRA~3\Mozilla\jjruejn.exe

Filesize
222KB

MD5
bcf28d622d87d9417f2931330b83eb3d

SHA1
aa2a4026a46dbf3d8915b17663d12eab485d9091

SHA256
d83618989fb813bbe7bc3a561c0b1852a00b243abe979d2702dbcd62e5ed323a

SHA512
821e971f02d0b015b1bd778d1652bb79bc412eddc3c1daa3b4056845a217ef1ea3097e3425c24459ffd8a342207012ed22e83a5a64ebd8b14c26eb1b95f06365

Download Submit
memory/284-59-0x0000000000000000-mapping.dmp

Download
memory/284-61-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/284-63-0x0000000000460000-0x00000000004BB000-memory.dmp

Filesize
364KB

Download
memory/284-64-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/284-65-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1492-54-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

Filesize
8KB

Download
memory/1492-55-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1492-56-0x0000000000260000-0x00000000002BB000-memory.dmp

Filesize
364KB

Download
memory/1492-57-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download