940d559d4765f9af16a89b937a35d441c4aad0850b401347fe16b8265ff37797

Analysis

max time kernel
52s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11-10-2022 07:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

940d559d4765f9af16a89b937a35d441c4aad0850b401347fe16b8265ff37797.exe
Size

129KB
MD5

60ad83458816780b7ce4ec61232aa540
SHA1

627b89a03f02e5050f7db3600e62cdcd0d82f5ec
SHA256

940d559d4765f9af16a89b937a35d441c4aad0850b401347fe16b8265ff37797
SHA512

2ed3fb2a0a9d2daefb3a3113e13e0e2cecdf30fd70fd9cd3ecfe950614a74ec59d648867bde2e0c399e7591e5b846da8e0ee1adc76214190e52bc467fdb56b69
SSDEEP

3072:7kVXMiPtt6zN18Qap579Kj2bTo7SVAEFSi70:7kVXvA8KjR7SV3g

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1348	nswitkh.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\nswitkh.exe	940d559d4765f9af16a89b937a35d441c4aad0850b401347fe16b8265ff37797.exe
File created	C:\PROGRA~3\Mozilla\zgooxfa.dll	nswitkh.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 1348	1724	taskeng.exe	29
PID 1724 wrote to memory of 1348	1724	taskeng.exe	29
PID 1724 wrote to memory of 1348	1724	taskeng.exe	29
PID 1724 wrote to memory of 1348	1724	taskeng.exe	29

C:\Users\Admin\AppData\Local\Temp\940d559d4765f9af16a89b937a35d441c4aad0850b401347fe16b8265ff37797.exe
"C:\Users\Admin\AppData\Local\Temp\940d559d4765f9af16a89b937a35d441c4aad0850b401347fe16b8265ff37797.exe"
1⤵
- Drops file in Program Files directory
PID:1648

C:\Windows\system32\taskeng.exe
taskeng.exe {15CD5328-37FC-4AD2-9F4A-B007E8C8A588} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1724
- C:\PROGRA~3\Mozilla\nswitkh.exe
  C:\PROGRA~3\Mozilla\nswitkh.exe -vhgoixm
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1348

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\nswitkh.exe

Filesize
129KB

MD5
0f640bb066d34bbafd3722952e1f0c68

SHA1
2c91b1fd39c6ef6b0e583ddea7b919331da1d783

SHA256
92e5a2dc1bd000823d1cde39317169fbf814e5f7a019c29402ee057bfd2ab61e

SHA512
91f34e619507c05e2ff75d40387e4013d964a276182a6eae7e5d55bea0b07296f55aa6650d5e8f856efb30e4b92f8740d14ff6fb956a266f35e3584be64dbe53

Download Submit
C:\PROGRA~3\Mozilla\nswitkh.exe

Filesize
129KB

MD5
0f640bb066d34bbafd3722952e1f0c68

SHA1
2c91b1fd39c6ef6b0e583ddea7b919331da1d783

SHA256
92e5a2dc1bd000823d1cde39317169fbf814e5f7a019c29402ee057bfd2ab61e

SHA512
91f34e619507c05e2ff75d40387e4013d964a276182a6eae7e5d55bea0b07296f55aa6650d5e8f856efb30e4b92f8740d14ff6fb956a266f35e3584be64dbe53

Download Submit
memory/1348-60-0x0000000000000000-mapping.dmp

Download
memory/1348-62-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/1348-64-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/1648-54-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/1648-56-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/1648-55-0x0000000075811000-0x0000000075813000-memory.dmp

Filesize
8KB

Download