58a249d20c9cb84084a1aa9e221fadff6ff2b6b0ebd81cfea14b667f9dc0c919

Analysis

max time kernel
43s
max time network
47s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
11-10-2022 03:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

58a249d20c9cb84084a1aa9e221fadff6ff2b6b0ebd81cfea14b667f9dc0c919.exe
Size

206KB
MD5

619b2bb8b28523fc1c12f6d2c9f2c270
SHA1

6b037d0977a4309f99f66796084e8fc8eb3028d4
SHA256

58a249d20c9cb84084a1aa9e221fadff6ff2b6b0ebd81cfea14b667f9dc0c919
SHA512

87611f46cca1d5bb50bf32acf667909cd2cd1379c39faad534bec927dd62351cb260ba989058b3d69e98696478fd1afaa4abedc5806ae7bf7d0bee315eaac866
SSDEEP

6144:GByL0NrMTObdBq6tsR7rQxFm1u5Gk6R9z:wXhBqvVcG1LkY9z

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1704	jjruejn.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\jjruejn.exe	58a249d20c9cb84084a1aa9e221fadff6ff2b6b0ebd81cfea14b667f9dc0c919.exe
File created	C:\PROGRA~3\Mozilla\segfnra.dll	jjruejn.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1224 wrote to memory of 1704	1224	taskeng.exe	28
PID 1224 wrote to memory of 1704	1224	taskeng.exe	28
PID 1224 wrote to memory of 1704	1224	taskeng.exe	28
PID 1224 wrote to memory of 1704	1224	taskeng.exe	28

C:\Users\Admin\AppData\Local\Temp\58a249d20c9cb84084a1aa9e221fadff6ff2b6b0ebd81cfea14b667f9dc0c919.exe
"C:\Users\Admin\AppData\Local\Temp\58a249d20c9cb84084a1aa9e221fadff6ff2b6b0ebd81cfea14b667f9dc0c919.exe"
1⤵
- Drops file in Program Files directory
PID:1672

C:\Windows\system32\taskeng.exe
taskeng.exe {8B9A0BBF-9081-48C3-981D-56B5C84A2657} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1224
- C:\PROGRA~3\Mozilla\jjruejn.exe
  C:\PROGRA~3\Mozilla\jjruejn.exe -npivonl
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1704

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\jjruejn.exe

Filesize
206KB

MD5
a8f80708b5def5ec1821c547e7fe7378

SHA1
ff819c60d10e4b8a30dd12c751cb774f9bb5a000

SHA256
f4624a4ec73cd8f89d4511772383b05f66ef5c11b6966ece28ba675f77e96b71

SHA512
37957c5fdac097e43e27d46d966ad2b1a1066c0b61223012a5d0680f5859f9cc3ea3d7219655a02bdd686d649a93c7dba090b184cb3b0e68ce7be8ef92fde18d

Download Submit
C:\PROGRA~3\Mozilla\jjruejn.exe

Filesize
206KB

MD5
a8f80708b5def5ec1821c547e7fe7378

SHA1
ff819c60d10e4b8a30dd12c751cb774f9bb5a000

SHA256
f4624a4ec73cd8f89d4511772383b05f66ef5c11b6966ece28ba675f77e96b71

SHA512
37957c5fdac097e43e27d46d966ad2b1a1066c0b61223012a5d0680f5859f9cc3ea3d7219655a02bdd686d649a93c7dba090b184cb3b0e68ce7be8ef92fde18d

Download Submit
memory/1672-56-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1672-55-0x0000000075111000-0x0000000075113000-memory.dmp

Filesize
8KB

Download
memory/1672-54-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1672-59-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1672-60-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1704-66-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1704-64-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1704-69-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1704-70-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download