155fa636098441cfa5c112c091f939b80a7c62c1355e0053a61fec0ac29f3932

Analysis

max time kernel
44s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
20/10/2022, 09:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

155fa636098441cfa5c112c091f939b80a7c62c1355e0053a61fec0ac29f3932.exe
Size

161KB
MD5

5b401eed7ea7f5cfc35c1c874d59c760
SHA1

9ad8977a3f607bf412dbc6e310ea307dc78794ed
SHA256

155fa636098441cfa5c112c091f939b80a7c62c1355e0053a61fec0ac29f3932
SHA512

5029246f11a0b8daf32631ea9329debf7986d2bd8161a6cb2f7b2f69ccbe3c03d2869cd50b57ac1f207a9329ce22066f2d5168ca1cc54a6bd751f2fa8f61dbc0
SSDEEP

3072:ZliwDUWyFcB9fu+JMl2uU82Ws7f9sjboPACTQembG4hY/i1vL:ZldD1Yc7GIBgbzjbfLhRV

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
576	jjruejn.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\jjruejn.exe	155fa636098441cfa5c112c091f939b80a7c62c1355e0053a61fec0ac29f3932.exe
File created	C:\PROGRA~3\Mozilla\segfnra.dll	jjruejn.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1360 wrote to memory of 576	1360	taskeng.exe	28
PID 1360 wrote to memory of 576	1360	taskeng.exe	28
PID 1360 wrote to memory of 576	1360	taskeng.exe	28
PID 1360 wrote to memory of 576	1360	taskeng.exe	28

C:\Users\Admin\AppData\Local\Temp\155fa636098441cfa5c112c091f939b80a7c62c1355e0053a61fec0ac29f3932.exe
"C:\Users\Admin\AppData\Local\Temp\155fa636098441cfa5c112c091f939b80a7c62c1355e0053a61fec0ac29f3932.exe"
1⤵
- Drops file in Program Files directory
PID:1484

C:\Windows\system32\taskeng.exe
taskeng.exe {56019283-6A09-4C33-82F5-9620522016AA} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1360
- C:\PROGRA~3\Mozilla\jjruejn.exe
  C:\PROGRA~3\Mozilla\jjruejn.exe -npivonl
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:576

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\jjruejn.exe

Filesize
161KB

MD5
6e79a6d4aa0b0cf6783421f9e8d41876

SHA1
5cc2846f6bc4fca3768bf29f111b82af0f4917cf

SHA256
a2a86decec3251718a0e90884511540712538577b86b64dd237a872df395694c

SHA512
c5bbfdb091e9b5c74c4d73962bb6e1c79f7ccda21a38fad4da9f615ac282e30d1bf0f76a50bafe3c7169ffad5c4603adf663be1a94185afb85c70b570e6a6f54

Download Submit
C:\PROGRA~3\Mozilla\jjruejn.exe

Filesize
161KB

MD5
6e79a6d4aa0b0cf6783421f9e8d41876

SHA1
5cc2846f6bc4fca3768bf29f111b82af0f4917cf

SHA256
a2a86decec3251718a0e90884511540712538577b86b64dd237a872df395694c

SHA512
c5bbfdb091e9b5c74c4d73962bb6e1c79f7ccda21a38fad4da9f615ac282e30d1bf0f76a50bafe3c7169ffad5c4603adf663be1a94185afb85c70b570e6a6f54

Download Submit
memory/576-64-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/576-65-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/576-67-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/576-70-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1484-54-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1484-55-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

Filesize
8KB

Download
memory/1484-56-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1484-59-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1484-60-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download