9d205ce8a1618cb2e85b23b7ebe0aec20c142e13f61fd26654baedc459da2602

Analysis

max time kernel
41s
max time network
53s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
19/10/2022, 22:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9d205ce8a1618cb2e85b23b7ebe0aec20c142e13f61fd26654baedc459da2602.exe
Size

125KB
MD5

a18fce92e9f4c10276d0a0fdcba2f970
SHA1

bcec3d067139ba9a496b6ee0f9207aecbfe29c5b
SHA256

9d205ce8a1618cb2e85b23b7ebe0aec20c142e13f61fd26654baedc459da2602
SHA512

651d10e100aec0ae886f738e33fd15407ebccaca48fd082d4aa43905f6897716ab288d17a72ae0baeb52285695845ea1f41e904444b437bf855bf40f409f41f0
SSDEEP

3072:AV6rSz5J236UHNSWvpeK0is8YRIzxugjv5FO0+JxS7G281p:vrS5M3L9e8YUxugJGl

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1228	jjruejn.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\jjruejn.exe	9d205ce8a1618cb2e85b23b7ebe0aec20c142e13f61fd26654baedc459da2602.exe
File created	C:\PROGRA~3\Mozilla\segfnra.dll	jjruejn.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 1228	2028	taskeng.exe	28
PID 2028 wrote to memory of 1228	2028	taskeng.exe	28
PID 2028 wrote to memory of 1228	2028	taskeng.exe	28
PID 2028 wrote to memory of 1228	2028	taskeng.exe	28

C:\Users\Admin\AppData\Local\Temp\9d205ce8a1618cb2e85b23b7ebe0aec20c142e13f61fd26654baedc459da2602.exe
"C:\Users\Admin\AppData\Local\Temp\9d205ce8a1618cb2e85b23b7ebe0aec20c142e13f61fd26654baedc459da2602.exe"
1⤵
- Drops file in Program Files directory
PID:1128

C:\Windows\system32\taskeng.exe
taskeng.exe {062F8956-B5D5-4C4F-81CC-1F23CEB99284} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2028
- C:\PROGRA~3\Mozilla\jjruejn.exe
  C:\PROGRA~3\Mozilla\jjruejn.exe -npivonl
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1228

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\jjruejn.exe

Filesize
125KB

MD5
d3fb7659220a28bc74328aa6f02a4f6e

SHA1
ccd5817353d366e472a1312b7eb23816215f8a7f

SHA256
e6420649063e40a5adad3457f9e3b1b47954dccb44040f4415f0c47da8788ba3

SHA512
21d9be3fab3979e1a0d09f36c352e205e4a727810ba4490bd989f236d8a1a6f627cef80d03a76b5c65cac27e2daa409731eec3b184d8504d778abc0367abe168

Download Submit
C:\PROGRA~3\Mozilla\jjruejn.exe

Filesize
125KB

MD5
d3fb7659220a28bc74328aa6f02a4f6e

SHA1
ccd5817353d366e472a1312b7eb23816215f8a7f

SHA256
e6420649063e40a5adad3457f9e3b1b47954dccb44040f4415f0c47da8788ba3

SHA512
21d9be3fab3979e1a0d09f36c352e205e4a727810ba4490bd989f236d8a1a6f627cef80d03a76b5c65cac27e2daa409731eec3b184d8504d778abc0367abe168

Download Submit
memory/1128-54-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1128-55-0x0000000074DC1000-0x0000000074DC3000-memory.dmp

Filesize
8KB

Download
memory/1128-56-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1128-59-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1128-60-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1228-64-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1228-66-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1228-69-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1228-70-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download