331e489d7a61aef1e69cf20f3d7eea2b51aaab454b2d2390886d343b185f27da

Analysis

max time kernel
44s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
29/10/2022, 22:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

331e489d7a61aef1e69cf20f3d7eea2b51aaab454b2d2390886d343b185f27da.exe
Size

496KB
MD5

84889d56310d16f9bc41e7dfcaa831b0
SHA1

1ae1eff21be5f3293ae7a190d5e6fd5b4181dc73
SHA256

331e489d7a61aef1e69cf20f3d7eea2b51aaab454b2d2390886d343b185f27da
SHA512

38015e24515ea0552896421a0c0de2f905449d5418aee01c2f1ae604d412b0c9edb21ce55f2453d0ab5bde598f1e12cecfc21abff51868c227d8266092f64b21
SSDEEP

12288:poVHsqvQNaYjemuOCZeR9n9ctmGgBKuOj:CVHskIaYj99cDgi

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
296	jjruejn.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\jjruejn.exe	331e489d7a61aef1e69cf20f3d7eea2b51aaab454b2d2390886d343b185f27da.exe
File created	C:\PROGRA~3\Mozilla\segfnra.dll	jjruejn.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 296	1684	taskeng.exe	28
PID 1684 wrote to memory of 296	1684	taskeng.exe	28
PID 1684 wrote to memory of 296	1684	taskeng.exe	28
PID 1684 wrote to memory of 296	1684	taskeng.exe	28

C:\Users\Admin\AppData\Local\Temp\331e489d7a61aef1e69cf20f3d7eea2b51aaab454b2d2390886d343b185f27da.exe
"C:\Users\Admin\AppData\Local\Temp\331e489d7a61aef1e69cf20f3d7eea2b51aaab454b2d2390886d343b185f27da.exe"
1⤵
- Drops file in Program Files directory
PID:1492

C:\Windows\system32\taskeng.exe
taskeng.exe {56019283-6A09-4C33-82F5-9620522016AA} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1684
- C:\PROGRA~3\Mozilla\jjruejn.exe
  C:\PROGRA~3\Mozilla\jjruejn.exe -npivonl
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:296

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\jjruejn.exe

Filesize
496KB

MD5
b5b4f164474beb9a488be8149af1327d

SHA1
f5af892c59e61c7e3ad4804190096b54a337f953

SHA256
7720c6b2dfe9f97a59b40df8993635a19f697bcd40f496ee0865339bc604b338

SHA512
149a4eb29e10fd1c3f70b7abbc5df272f8e04204baa849b942f39b423f853b30be5e50e340d80902d1c001680e2945bcd1b44b6dc327a5f5648f7e8ddf6d5835

Download Submit
C:\PROGRA~3\Mozilla\jjruejn.exe

Filesize
496KB

MD5
b5b4f164474beb9a488be8149af1327d

SHA1
f5af892c59e61c7e3ad4804190096b54a337f953

SHA256
7720c6b2dfe9f97a59b40df8993635a19f697bcd40f496ee0865339bc604b338

SHA512
149a4eb29e10fd1c3f70b7abbc5df272f8e04204baa849b942f39b423f853b30be5e50e340d80902d1c001680e2945bcd1b44b6dc327a5f5648f7e8ddf6d5835

Download Submit
memory/296-62-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/296-64-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1492-54-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1492-55-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

Filesize
8KB

Download
memory/1492-56-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download