46e0077ac320858ec82a987c62c8c6af31b6b5ad4bf7c0c3f306aec745af0373

Analysis

max time kernel
40s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11/10/2022, 18:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

46e0077ac320858ec82a987c62c8c6af31b6b5ad4bf7c0c3f306aec745af0373.exe
Size

334KB
MD5

1a361cdf434d11a0626f110e19deff29
SHA1

34f691032676aef368ed88c2111ed3e6024de313
SHA256

46e0077ac320858ec82a987c62c8c6af31b6b5ad4bf7c0c3f306aec745af0373
SHA512

f1913fe72df428589428e3418a8b29cc7f619d27bbc537a5e7577fd42a60bf6f9d3bc1a491a560588fe51c0c01b4722674691ce15254a05c6e6920056bddd46d
SSDEEP

6144:E54YVdtta+3CTj1PCmv0LhQZ++EmZ77YIaSFuRE1sFlrL1BtzdEXKIl4o6r:E5ntta+Ejp0LhJ+x7YIRup5Pth+KIKoy

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1900	jwufxge.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\jwufxge.exe	46e0077ac320858ec82a987c62c8c6af31b6b5ad4bf7c0c3f306aec745af0373.exe
File created	C:\PROGRA~3\Mozilla\hvkykah.dll	jwufxge.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1444 wrote to memory of 1900	1444	taskeng.exe	27
PID 1444 wrote to memory of 1900	1444	taskeng.exe	27
PID 1444 wrote to memory of 1900	1444	taskeng.exe	27
PID 1444 wrote to memory of 1900	1444	taskeng.exe	27

C:\Users\Admin\AppData\Local\Temp\46e0077ac320858ec82a987c62c8c6af31b6b5ad4bf7c0c3f306aec745af0373.exe
"C:\Users\Admin\AppData\Local\Temp\46e0077ac320858ec82a987c62c8c6af31b6b5ad4bf7c0c3f306aec745af0373.exe"
1⤵
- Drops file in Program Files directory
PID:2020

C:\Windows\system32\taskeng.exe
taskeng.exe {2A63D31B-6602-4EED-8C4F-0443C88AD2B1} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1444
- C:\PROGRA~3\Mozilla\jwufxge.exe
  C:\PROGRA~3\Mozilla\jwufxge.exe -kqepohf
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\jwufxge.exe

Filesize
334KB

MD5
d2abead10ff2059dcbc6f4969fd4cf11

SHA1
e897d131bb73dec5c4ddea83acbb1cdc72527a2c

SHA256
06fb7b82e4a0cfb8ab50a6b21d47833ab1c7ad343303f05a033598402620c652

SHA512
b77ca20867405f78328347c659d93171f2d74e495a9e15237ddedac0a77bee453ca96e39dc9ec55c33969eb6b95f711d567078c9bbeaf535210a98e39272c47f

Download Submit
C:\PROGRA~3\Mozilla\jwufxge.exe

Filesize
334KB

MD5
d2abead10ff2059dcbc6f4969fd4cf11

SHA1
e897d131bb73dec5c4ddea83acbb1cdc72527a2c

SHA256
06fb7b82e4a0cfb8ab50a6b21d47833ab1c7ad343303f05a033598402620c652

SHA512
b77ca20867405f78328347c659d93171f2d74e495a9e15237ddedac0a77bee453ca96e39dc9ec55c33969eb6b95f711d567078c9bbeaf535210a98e39272c47f

Download Submit
memory/1900-64-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1900-69-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1900-70-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2020-54-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2020-55-0x0000000075451000-0x0000000075453000-memory.dmp

Filesize
8KB

Download
memory/2020-56-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2020-59-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2020-60-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download