16098e5d551b9f458b7cabb33e7ee337ae7adbd60c2a6a7499f1cb3c3a4d1fa7

Analysis

max time kernel
46s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
11/10/2022, 08:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

16098e5d551b9f458b7cabb33e7ee337ae7adbd60c2a6a7499f1cb3c3a4d1fa7.exe
Size

140KB
MD5

57d13a1c54695f9e4455cce3a4b85630
SHA1

125fbb7bdf9a890dfba4c51676cc095dacb69167
SHA256

16098e5d551b9f458b7cabb33e7ee337ae7adbd60c2a6a7499f1cb3c3a4d1fa7
SHA512

1dc47b3774363fab74127a5cb2953cfbfd710fdd8b9d9e0ccc3078110be0a27e9b6814ca0c19f316b11fc2bd79d87cc0e32a4c3d4c72ddce9292629caf762365
SSDEEP

3072:midj6ShhYRa3Sl3xMTOLuIjAYxRwmdPkmkWt+3t97SVKm1:mEjpvYc3QxMI7TwmdMlL992VKm1

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1680	jjruejn.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\jjruejn.exe	16098e5d551b9f458b7cabb33e7ee337ae7adbd60c2a6a7499f1cb3c3a4d1fa7.exe
File created	C:\PROGRA~3\Mozilla\segfnra.dll	jjruejn.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 460 wrote to memory of 1680	460	taskeng.exe	28
PID 460 wrote to memory of 1680	460	taskeng.exe	28
PID 460 wrote to memory of 1680	460	taskeng.exe	28
PID 460 wrote to memory of 1680	460	taskeng.exe	28

C:\Users\Admin\AppData\Local\Temp\16098e5d551b9f458b7cabb33e7ee337ae7adbd60c2a6a7499f1cb3c3a4d1fa7.exe
"C:\Users\Admin\AppData\Local\Temp\16098e5d551b9f458b7cabb33e7ee337ae7adbd60c2a6a7499f1cb3c3a4d1fa7.exe"
1⤵
- Drops file in Program Files directory
PID:1444

C:\Windows\system32\taskeng.exe
taskeng.exe {85A65E4D-F3DE-4BA4-9A67-A0973EC996AB} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:460
- C:\PROGRA~3\Mozilla\jjruejn.exe
  C:\PROGRA~3\Mozilla\jjruejn.exe -npivonl
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1680

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\jjruejn.exe

Filesize
140KB

MD5
c3de3b10dbe6418bf30433b10ae07a91

SHA1
b3bc002c1142e42a898cc577d24ed0c4b9f0bf33

SHA256
61beea997bb025e3a4394a6d90c80325ea656955f97329fa6604c951a2aff18e

SHA512
67317205e1fc25333c787660e008d85e9e6969a64c967e075a747e8747b99616a50d9f4ff6193e7fb978ff4e1650243c142d6bb527d1a5e605c341c5525969ab

Download Submit
C:\PROGRA~3\Mozilla\jjruejn.exe

Filesize
140KB

MD5
c3de3b10dbe6418bf30433b10ae07a91

SHA1
b3bc002c1142e42a898cc577d24ed0c4b9f0bf33

SHA256
61beea997bb025e3a4394a6d90c80325ea656955f97329fa6604c951a2aff18e

SHA512
67317205e1fc25333c787660e008d85e9e6969a64c967e075a747e8747b99616a50d9f4ff6193e7fb978ff4e1650243c142d6bb527d1a5e605c341c5525969ab

Download Submit
memory/1444-54-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1444-55-0x0000000075D71000-0x0000000075D73000-memory.dmp

Filesize
8KB

Download
memory/1444-56-0x0000000000380000-0x00000000003DB000-memory.dmp

Filesize
364KB

Download
memory/1680-65-0x0000000000830000-0x000000000088B000-memory.dmp

Filesize
364KB

Download