2169738a12ac4d0b05854f526248f175825038172550c29da4186fa77be1b06e

Analysis

max time kernel
29s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11/10/2022, 08:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2169738a12ac4d0b05854f526248f175825038172550c29da4186fa77be1b06e.exe
Size

138KB
MD5

613f1efe35856a4a4e5511a51160ea70
SHA1

39a82f5a0f4e7522a3ac30bbb1d925c29aa3f626
SHA256

2169738a12ac4d0b05854f526248f175825038172550c29da4186fa77be1b06e
SHA512

1d8011bde724eb872b46cea14ab7567e78f806288c17030d68b46964d7ececb6dd3142603a4219815ffaf3ea5a31de8d00077634a9eb38c16443bb9161284c58
SSDEEP

3072:Lm1tmS7+mI+N9khWs0fHyLZEs+G8izV1beXdKBQzL2gM5VO:ydLI6WWs0fHyLWf4zVkXI5xu

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2032	nswitkh.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\nswitkh.exe	2169738a12ac4d0b05854f526248f175825038172550c29da4186fa77be1b06e.exe
File created	C:\PROGRA~3\Mozilla\zgooxfa.dll	nswitkh.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 992 wrote to memory of 2032	992	taskeng.exe	29
PID 992 wrote to memory of 2032	992	taskeng.exe	29
PID 992 wrote to memory of 2032	992	taskeng.exe	29
PID 992 wrote to memory of 2032	992	taskeng.exe	29

C:\Users\Admin\AppData\Local\Temp\2169738a12ac4d0b05854f526248f175825038172550c29da4186fa77be1b06e.exe
"C:\Users\Admin\AppData\Local\Temp\2169738a12ac4d0b05854f526248f175825038172550c29da4186fa77be1b06e.exe"
1⤵
- Drops file in Program Files directory
PID:112

C:\Windows\system32\taskeng.exe
taskeng.exe {57223B53-58C0-4E63-93F3-45FC2E609EF8} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:992
- C:\PROGRA~3\Mozilla\nswitkh.exe
  C:\PROGRA~3\Mozilla\nswitkh.exe -vhgoixm
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2032

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\nswitkh.exe

Filesize
138KB

MD5
4cd36dc13f531f3266bac746c3380267

SHA1
8c13c8e715a2b42ca4c364077b905801eabf0996

SHA256
a5374f19f8feb18de9464a333945919ac2d1d44684a021c2a7d44bbeb6216e92

SHA512
66c3caab1584d7056184fd2d249d95b22e9b577f8ccb15ddc6773fb0e1f672c8907580727e11821bc2ed18b8f1089af388f71127be8ea1b6346f4d4c74809310

Download Submit
C:\PROGRA~3\Mozilla\nswitkh.exe

Filesize
138KB

MD5
4cd36dc13f531f3266bac746c3380267

SHA1
8c13c8e715a2b42ca4c364077b905801eabf0996

SHA256
a5374f19f8feb18de9464a333945919ac2d1d44684a021c2a7d44bbeb6216e92

SHA512
66c3caab1584d7056184fd2d249d95b22e9b577f8ccb15ddc6773fb0e1f672c8907580727e11821bc2ed18b8f1089af388f71127be8ea1b6346f4d4c74809310

Download Submit
memory/112-55-0x0000000075E31000-0x0000000075E33000-memory.dmp

Filesize
8KB

Download
memory/112-54-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/112-56-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download