8ebf0d8fe7350b534809e82c4553b1c8c7cb2f0fefb1e2f5fb9c9c9407e7c82c

Analysis

max time kernel
35s
max time network
42s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/10/2022, 14:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8ebf0d8fe7350b534809e82c4553b1c8c7cb2f0fefb1e2f5fb9c9c9407e7c82c.exe
Size

539KB
MD5

436cb37fb536ae0440bb4cba66897680
SHA1

06f7ed79f7223e54a10bb1fafc0b904cf564aa78
SHA256

8ebf0d8fe7350b534809e82c4553b1c8c7cb2f0fefb1e2f5fb9c9c9407e7c82c
SHA512

18b494a060de1fb7dfb4a91109f385cc2499c223568b64137e2ad7530869f65787c8247e2de25ea878cc340117fd2f41ca2d3e5dcaf61adec71117c2f153ccf3
SSDEEP

12288:21iSNkjo6dHkM7dTd7g5dtPG6ia5fpJsnBpxKU:21iJRkMBp7Wte6slKU

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1608	jwufxge.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\jwufxge.exe	8ebf0d8fe7350b534809e82c4553b1c8c7cb2f0fefb1e2f5fb9c9c9407e7c82c.exe
File created	C:\PROGRA~3\Mozilla\hvkykah.dll	jwufxge.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 1608	1980	taskeng.exe	28
PID 1980 wrote to memory of 1608	1980	taskeng.exe	28
PID 1980 wrote to memory of 1608	1980	taskeng.exe	28
PID 1980 wrote to memory of 1608	1980	taskeng.exe	28

C:\Users\Admin\AppData\Local\Temp\8ebf0d8fe7350b534809e82c4553b1c8c7cb2f0fefb1e2f5fb9c9c9407e7c82c.exe
"C:\Users\Admin\AppData\Local\Temp\8ebf0d8fe7350b534809e82c4553b1c8c7cb2f0fefb1e2f5fb9c9c9407e7c82c.exe"
1⤵
- Drops file in Program Files directory
PID:1672

C:\Windows\system32\taskeng.exe
taskeng.exe {D1655C93-951E-495C-9D08-3F4F55B73D2A} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1980
- C:\PROGRA~3\Mozilla\jwufxge.exe
  C:\PROGRA~3\Mozilla\jwufxge.exe -kqepohf
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1608

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\jwufxge.exe

Filesize
539KB

MD5
49a3fd512251ab6fe5f02183ac8f3e37

SHA1
84ddbec4d457d916785c1bb108b6a6984a85fef1

SHA256
a5470ae0e0dd092c4446a899056a94bd7bf99cb2d1e94085cb98c0eda419c2fa

SHA512
74193fa484ae8d36673fddee24e85df657043b0f10f990920d30af4ec9df82287ad07b06cfa57965611840d53f470ce696ee07f618101f30dd5fe745ac6f5585

Download Submit
C:\PROGRA~3\Mozilla\jwufxge.exe

Filesize
539KB

MD5
49a3fd512251ab6fe5f02183ac8f3e37

SHA1
84ddbec4d457d916785c1bb108b6a6984a85fef1

SHA256
a5470ae0e0dd092c4446a899056a94bd7bf99cb2d1e94085cb98c0eda419c2fa

SHA512
74193fa484ae8d36673fddee24e85df657043b0f10f990920d30af4ec9df82287ad07b06cfa57965611840d53f470ce696ee07f618101f30dd5fe745ac6f5585

Download Submit
memory/1672-54-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/1672-55-0x0000000075BD1000-0x0000000075BD3000-memory.dmp

Filesize
8KB

Download
memory/1672-56-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download