479fa26de93db373245a32df72d989934973c8563e79a3d1124b88f971f3a397

Analysis

max time kernel
43s
max time network
48s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
20/10/2022, 08:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

479fa26de93db373245a32df72d989934973c8563e79a3d1124b88f971f3a397.exe
Size

181KB
MD5

818b62040e19b4ddff375f6200a7c580
SHA1

23040576c767076e3ca2ff1fab93cce4caf4bad3
SHA256

479fa26de93db373245a32df72d989934973c8563e79a3d1124b88f971f3a397
SHA512

83cbdbd3f30913fd1a81d35816ef7be23f8553cf42c84f32112abde82caead69012cd76397d79635932cdf0326513b07522584899bdf2802b3273a6eb5f7c434
SSDEEP

3072:pidj6ShhYRa3SXjF/HvD9hQU7OCyIjAYxRwmdPkmkWt+3t97SVKmHkAJbbvAKclo:pEjpvYc3YJ/HvD9hTKCyI7TwmdMlL99e

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
580	jjruejn.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\jjruejn.exe	479fa26de93db373245a32df72d989934973c8563e79a3d1124b88f971f3a397.exe
File created	C:\PROGRA~3\Mozilla\segfnra.dll	jjruejn.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1756 wrote to memory of 580	1756	taskeng.exe	28
PID 1756 wrote to memory of 580	1756	taskeng.exe	28
PID 1756 wrote to memory of 580	1756	taskeng.exe	28
PID 1756 wrote to memory of 580	1756	taskeng.exe	28

C:\Users\Admin\AppData\Local\Temp\479fa26de93db373245a32df72d989934973c8563e79a3d1124b88f971f3a397.exe
"C:\Users\Admin\AppData\Local\Temp\479fa26de93db373245a32df72d989934973c8563e79a3d1124b88f971f3a397.exe"
1⤵
- Drops file in Program Files directory
PID:1184

C:\Windows\system32\taskeng.exe
taskeng.exe {F3F73823-D8A6-4239-B7D7-78C7A9CC7FC5} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1756
- C:\PROGRA~3\Mozilla\jjruejn.exe
  C:\PROGRA~3\Mozilla\jjruejn.exe -npivonl
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:580

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\jjruejn.exe

Filesize
181KB

MD5
2d083c50e58422a3487ba3ebc9a89821

SHA1
a753173cb5d22acfe5404ab04816c2c0afef1148

SHA256
b0e1293a81df70358834d8ae37d000b1251aaf3693f45af2baf312a2e5d7c48c

SHA512
b48cc13e1c6a9365da2a95124909326861619e4ed86a0be28f84258749384c21df82697fa67959402e644042a83d3f99c5dff451b2dc73bd7c222b59e0bdae03

Download Submit
C:\PROGRA~3\Mozilla\jjruejn.exe

Filesize
181KB

MD5
2d083c50e58422a3487ba3ebc9a89821

SHA1
a753173cb5d22acfe5404ab04816c2c0afef1148

SHA256
b0e1293a81df70358834d8ae37d000b1251aaf3693f45af2baf312a2e5d7c48c

SHA512
b48cc13e1c6a9365da2a95124909326861619e4ed86a0be28f84258749384c21df82697fa67959402e644042a83d3f99c5dff451b2dc73bd7c222b59e0bdae03

Download Submit
memory/580-68-0x0000000000430000-0x000000000048B000-memory.dmp

Filesize
364KB

Download
memory/580-67-0x000000000043A000-0x000000000047D000-memory.dmp

Filesize
268KB

Download
memory/1184-54-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1184-55-0x0000000075A11000-0x0000000075A13000-memory.dmp

Filesize
8KB

Download
memory/1184-56-0x00000000003A0000-0x00000000003FB000-memory.dmp

Filesize
364KB

Download