e6b0d5b2918cdf866869a07a2ba2cdff6248c66fb75fe76b735920f1ab212e26

Analysis

max time kernel
42s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11/10/2022, 06:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e6b0d5b2918cdf866869a07a2ba2cdff6248c66fb75fe76b735920f1ab212e26.exe
Size

164KB
MD5

79df60b1842db452583440e91f8fadd0
SHA1

9adc7056bf6e67b947cfd9dc647940cbea18a413
SHA256

e6b0d5b2918cdf866869a07a2ba2cdff6248c66fb75fe76b735920f1ab212e26
SHA512

e414449370357cd6e65bdd7d6576f81cf002d02fef17278ef2eb65ae45ada8c98cf96b3d0f2e1438281f88ef264877a1a42eda35ac9569ebf0be6643e4afa273
SSDEEP

3072:phj0Hzpm9Tcek9R7dE62yiV5AO/aWeVomBhGYt7R:30TpeceRF7aI+rR

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1348	nswitkh.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\nswitkh.exe	e6b0d5b2918cdf866869a07a2ba2cdff6248c66fb75fe76b735920f1ab212e26.exe
File created	C:\PROGRA~3\Mozilla\zgooxfa.dll	nswitkh.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 616 wrote to memory of 1348	616	taskeng.exe	28
PID 616 wrote to memory of 1348	616	taskeng.exe	28
PID 616 wrote to memory of 1348	616	taskeng.exe	28
PID 616 wrote to memory of 1348	616	taskeng.exe	28

C:\Users\Admin\AppData\Local\Temp\e6b0d5b2918cdf866869a07a2ba2cdff6248c66fb75fe76b735920f1ab212e26.exe
"C:\Users\Admin\AppData\Local\Temp\e6b0d5b2918cdf866869a07a2ba2cdff6248c66fb75fe76b735920f1ab212e26.exe"
1⤵
- Drops file in Program Files directory
PID:1944

C:\Windows\system32\taskeng.exe
taskeng.exe {BC5001AD-0C6E-4FD3-A032-91A890EAFC5E} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:616
- C:\PROGRA~3\Mozilla\nswitkh.exe
  C:\PROGRA~3\Mozilla\nswitkh.exe -vhgoixm
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1348

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\nswitkh.exe

Filesize
164KB

MD5
9775d24d363b9f9598223815b230997e

SHA1
711374f2b7861280e21fefcaf2621c7cc913856a

SHA256
86b5b0a283df1cc86448ff4e1a94d975ecfa66bb2f08e4855407ad0a957439a8

SHA512
55db692e68a958265a253425caba9ef3fa71161609f032b10627d345677ae6fd7ee3dfdd465b038b04750a077bfff84d2ac6155e91ee115b75289ae31d3215b0

Download Submit
C:\PROGRA~3\Mozilla\nswitkh.exe

Filesize
164KB

MD5
9775d24d363b9f9598223815b230997e

SHA1
711374f2b7861280e21fefcaf2621c7cc913856a

SHA256
86b5b0a283df1cc86448ff4e1a94d975ecfa66bb2f08e4855407ad0a957439a8

SHA512
55db692e68a958265a253425caba9ef3fa71161609f032b10627d345677ae6fd7ee3dfdd465b038b04750a077bfff84d2ac6155e91ee115b75289ae31d3215b0

Download Submit
memory/1348-64-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1348-66-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1348-69-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1348-70-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1944-55-0x0000000075CF1000-0x0000000075CF3000-memory.dmp

Filesize
8KB

Download
memory/1944-54-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1944-56-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1944-59-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1944-60-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download