41181c0919e27ea8774065c3e79485356adc53d7d32f6fe270802780b5abe871

Analysis

max time kernel
36s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20/10/2022, 20:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41181c0919e27ea8774065c3e79485356adc53d7d32f6fe270802780b5abe871.exe
Size

133KB
MD5

a03b16f4e03f6b67fb5943fd078a4d50
SHA1

4e5c187bb1442ce7dcd828bcd2f26884c45a98c2
SHA256

41181c0919e27ea8774065c3e79485356adc53d7d32f6fe270802780b5abe871
SHA512

f6083ae30a4e2f75a27ef3e65124f746fc246e4874d2488fe4a4d5b154ff80a789d2a5a08199ca06f4f2406ddb043dcedc1a2c04453cef8841662e89672265ea
SSDEEP

3072:HAwEvRRdqcqpaiVPfGHO4xATzlypxd7CQn3pij:TcRWcslXWRpjCS5M

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1904	nswitkh.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\nswitkh.exe	41181c0919e27ea8774065c3e79485356adc53d7d32f6fe270802780b5abe871.exe
File created	C:\PROGRA~3\Mozilla\zgooxfa.dll	nswitkh.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 820 wrote to memory of 1904	820	taskeng.exe	29
PID 820 wrote to memory of 1904	820	taskeng.exe	29
PID 820 wrote to memory of 1904	820	taskeng.exe	29
PID 820 wrote to memory of 1904	820	taskeng.exe	29

C:\Users\Admin\AppData\Local\Temp\41181c0919e27ea8774065c3e79485356adc53d7d32f6fe270802780b5abe871.exe
"C:\Users\Admin\AppData\Local\Temp\41181c0919e27ea8774065c3e79485356adc53d7d32f6fe270802780b5abe871.exe"
1⤵
- Drops file in Program Files directory
PID:952

C:\Windows\system32\taskeng.exe
taskeng.exe {B22488B7-5A8F-4C04-916F-5BDFAB68C106} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:820
- C:\PROGRA~3\Mozilla\nswitkh.exe
  C:\PROGRA~3\Mozilla\nswitkh.exe -vhgoixm
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1904

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\nswitkh.exe

Filesize
133KB

MD5
d41d81b450004fe8a3f6b373788b6977

SHA1
bd46b8db2e79a2f7d92d0e97a46329ac55f05aa1

SHA256
d285aeee5df87f5db6858fecf0b398a5eec48a3ca05296b7fd26517785aafb96

SHA512
3a455d2026146a07710d9fa51a411ec9999336e4251a5d565338ccc798b9d6c0117af59117bc0eeb417426980c08fa45e2a67fcefb96fda31e615c8f082a0cf2

Download Submit
C:\PROGRA~3\Mozilla\nswitkh.exe

Filesize
133KB

MD5
d41d81b450004fe8a3f6b373788b6977

SHA1
bd46b8db2e79a2f7d92d0e97a46329ac55f05aa1

SHA256
d285aeee5df87f5db6858fecf0b398a5eec48a3ca05296b7fd26517785aafb96

SHA512
3a455d2026146a07710d9fa51a411ec9999336e4251a5d565338ccc798b9d6c0117af59117bc0eeb417426980c08fa45e2a67fcefb96fda31e615c8f082a0cf2

Download Submit
memory/952-54-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/952-55-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

Filesize
8KB

Download
memory/952-56-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download