af19676afd6877219dd7e4464614f48bdd3f3206e2433108fdc55a8659947f67

Analysis

max time kernel
35s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20/10/2022, 08:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af19676afd6877219dd7e4464614f48bdd3f3206e2433108fdc55a8659947f67.exe
Size

141KB
MD5

4ec138f7c09f34d0f59be36d97ca9140
SHA1

cbfb3f02f81d3094a69dd50d4fd31e0f18c724c0
SHA256

af19676afd6877219dd7e4464614f48bdd3f3206e2433108fdc55a8659947f67
SHA512

f7b19051b661ce527035e5dab3ec0026875144b7ed36d9e58559342fd294fc50d8732a5141e8159ee27fa514494c4735f6a98391b0dc8f904fd36ed32c798530
SSDEEP

3072:ixHEI6rvvMV0nE17B+TnFnvcwHdtTQ3lNvuCLeEPbUXHrxe:ixkHMV0nE1l+LtvcwHbo/aSUXLxe

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1760	jwufxge.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\hvkykah.dll	jwufxge.exe
File created	C:\PROGRA~3\Mozilla\jwufxge.exe	af19676afd6877219dd7e4464614f48bdd3f3206e2433108fdc55a8659947f67.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1652 wrote to memory of 1760	1652	taskeng.exe	27
PID 1652 wrote to memory of 1760	1652	taskeng.exe	27
PID 1652 wrote to memory of 1760	1652	taskeng.exe	27
PID 1652 wrote to memory of 1760	1652	taskeng.exe	27

C:\Users\Admin\AppData\Local\Temp\af19676afd6877219dd7e4464614f48bdd3f3206e2433108fdc55a8659947f67.exe
"C:\Users\Admin\AppData\Local\Temp\af19676afd6877219dd7e4464614f48bdd3f3206e2433108fdc55a8659947f67.exe"
1⤵
- Drops file in Program Files directory
PID:1508

C:\Windows\system32\taskeng.exe
taskeng.exe {2A63D31B-6602-4EED-8C4F-0443C88AD2B1} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1652
- C:\PROGRA~3\Mozilla\jwufxge.exe
  C:\PROGRA~3\Mozilla\jwufxge.exe -kqepohf
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\jwufxge.exe

Filesize
141KB

MD5
516fb71def4de2ab3a516032ea015da7

SHA1
11942e9b69f483a9d2ae4dc7a476c496a767343a

SHA256
f619766a57b0c495159d6410107823a4826c697c45d03622143e87e6fad18b98

SHA512
b4d6f15cc85a4870bb3966e6c361c63b206ee57944d9da66b5f8ef5e21013090fbbb4ddfea5e7e5cc7978ebc03b4f752778e2f58d3eea6ed7a68e2e6342e07e4

Download Submit
C:\PROGRA~3\Mozilla\jwufxge.exe

Filesize
141KB

MD5
516fb71def4de2ab3a516032ea015da7

SHA1
11942e9b69f483a9d2ae4dc7a476c496a767343a

SHA256
f619766a57b0c495159d6410107823a4826c697c45d03622143e87e6fad18b98

SHA512
b4d6f15cc85a4870bb3966e6c361c63b206ee57944d9da66b5f8ef5e21013090fbbb4ddfea5e7e5cc7978ebc03b4f752778e2f58d3eea6ed7a68e2e6342e07e4

Download Submit
memory/1508-54-0x0000000075451000-0x0000000075453000-memory.dmp

Filesize
8KB

Download
memory/1508-55-0x0000000000230000-0x000000000028B000-memory.dmp

Filesize
364KB

Download
memory/1760-66-0x000000000043A000-0x000000000047D000-memory.dmp

Filesize
268KB

Download
memory/1760-67-0x0000000000430000-0x000000000048B000-memory.dmp

Filesize
364KB

Download