aa8897704b8e8525c2accaf3678a8dcefbdf80a484b5faf1a0987cc856e93702

Analysis

max time kernel
42s
max time network
48s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
20/10/2022, 08:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aa8897704b8e8525c2accaf3678a8dcefbdf80a484b5faf1a0987cc856e93702.exe
Size

141KB
MD5

78e80fc33a8ef1e8e8b84d40b20f3c30
SHA1

e4e2948663283929a955b9d95d6492ead1a6e3c5
SHA256

aa8897704b8e8525c2accaf3678a8dcefbdf80a484b5faf1a0987cc856e93702
SHA512

cf47e80c1c8d7ef1d818e6852d6766158eeac9f3183e6fcdd0aa3500c973dc7aa0d596c8514dcf0d1ff24b7399b0e87421e6e91c7379aac578c70f51ad26d5c0
SSDEEP

3072:T6/T4OO+Ig7j1RKBvxf5GQUCQB0vpe+cD0bCVUhP/Ro:sEjFKj1wh5GQLksxcDJVqP/u

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1932	jjruejn.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\jjruejn.exe	aa8897704b8e8525c2accaf3678a8dcefbdf80a484b5faf1a0987cc856e93702.exe
File created	C:\PROGRA~3\Mozilla\segfnra.dll	jjruejn.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 768 wrote to memory of 1932	768	taskeng.exe	28
PID 768 wrote to memory of 1932	768	taskeng.exe	28
PID 768 wrote to memory of 1932	768	taskeng.exe	28
PID 768 wrote to memory of 1932	768	taskeng.exe	28

C:\Users\Admin\AppData\Local\Temp\aa8897704b8e8525c2accaf3678a8dcefbdf80a484b5faf1a0987cc856e93702.exe
"C:\Users\Admin\AppData\Local\Temp\aa8897704b8e8525c2accaf3678a8dcefbdf80a484b5faf1a0987cc856e93702.exe"
1⤵
- Drops file in Program Files directory
PID:1516

C:\Windows\system32\taskeng.exe
taskeng.exe {8B9A0BBF-9081-48C3-981D-56B5C84A2657} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:768
- C:\PROGRA~3\Mozilla\jjruejn.exe
  C:\PROGRA~3\Mozilla\jjruejn.exe -npivonl
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\jjruejn.exe

Filesize
141KB

MD5
55d6b528d5e09935658bfdefddd7ab03

SHA1
25c3f5f7079680204ca7830ec1cd4b1111694127

SHA256
eba4788f29fa59757096ea13223a96481b3ebabf76576b56b3df057fd3dfe9b2

SHA512
c3f070e731a862983ba2385a4163181ed54fb53a40fdc3f9ba463b91f593061a70fbb6d2fa790859d7efaa34d313ac4c51a4f2ae1f16c0cf8ad71abf0bf4d4b0

Download Submit
C:\PROGRA~3\Mozilla\jjruejn.exe

Filesize
141KB

MD5
55d6b528d5e09935658bfdefddd7ab03

SHA1
25c3f5f7079680204ca7830ec1cd4b1111694127

SHA256
eba4788f29fa59757096ea13223a96481b3ebabf76576b56b3df057fd3dfe9b2

SHA512
c3f070e731a862983ba2385a4163181ed54fb53a40fdc3f9ba463b91f593061a70fbb6d2fa790859d7efaa34d313ac4c51a4f2ae1f16c0cf8ad71abf0bf4d4b0

Download Submit
memory/1516-54-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1516-55-0x0000000075111000-0x0000000075113000-memory.dmp

Filesize
8KB

Download
memory/1516-56-0x00000000005C0000-0x000000000061B000-memory.dmp

Filesize
364KB

Download
memory/1516-61-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1932-65-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1932-70-0x0000000000430000-0x000000000048B000-memory.dmp

Filesize
364KB

Download
memory/1932-69-0x000000000043A000-0x000000000047D000-memory.dmp

Filesize
268KB

Download