1d50d4bb6f2dd7af520b2d2aebc3fc98092752fad858cbc64860bbd3f42dc706

Analysis

max time kernel
40s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29/10/2022, 22:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d50d4bb6f2dd7af520b2d2aebc3fc98092752fad858cbc64860bbd3f42dc706.exe
Size

260KB
MD5

846f23d49c42a916ad27cf28997a24f0
SHA1

d9d307c7a7c59d878d522bfce64c3ab1ea607478
SHA256

1d50d4bb6f2dd7af520b2d2aebc3fc98092752fad858cbc64860bbd3f42dc706
SHA512

22d2e48ce820621244802f6ec0417a512a5612c39d119d49f193ef25863d06f82fd682e2d00da5f9a0c0cfbd47f583eaf19633df01c2e78cb19b2c294a1e6dcd
SSDEEP

6144:CDJVazMKV31FdaQvXluxqU+A/0y+nt75voqQEnHv0CxN8H9R/:CDJM/bXntAh+nhZoqQEHvVIz/

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1064	jwufxge.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\jwufxge.exe	1d50d4bb6f2dd7af520b2d2aebc3fc98092752fad858cbc64860bbd3f42dc706.exe
File created	C:\PROGRA~3\Mozilla\hvkykah.dll	jwufxge.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 912 wrote to memory of 1064	912	taskeng.exe	27
PID 912 wrote to memory of 1064	912	taskeng.exe	27
PID 912 wrote to memory of 1064	912	taskeng.exe	27
PID 912 wrote to memory of 1064	912	taskeng.exe	27

C:\Users\Admin\AppData\Local\Temp\1d50d4bb6f2dd7af520b2d2aebc3fc98092752fad858cbc64860bbd3f42dc706.exe
"C:\Users\Admin\AppData\Local\Temp\1d50d4bb6f2dd7af520b2d2aebc3fc98092752fad858cbc64860bbd3f42dc706.exe"
1⤵
- Drops file in Program Files directory
PID:1248

C:\Windows\system32\taskeng.exe
taskeng.exe {A6C67369-ED74-42C7-934A-08E9C216F1E6} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:912
- C:\PROGRA~3\Mozilla\jwufxge.exe
  C:\PROGRA~3\Mozilla\jwufxge.exe -kqepohf
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1064

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\jwufxge.exe

Filesize
260KB

MD5
09d1cf6208a63a2e328f0d45e682006a

SHA1
49fae9bf07584fb2fb7a29c6dd892f389f441e7b

SHA256
44de28d194629e40fc24baa6ef66025815c8831a21562018a0807bd42106d539

SHA512
ae4d9263309bdfe1c1bf44e7020b2fbd2b6717263dbc6c2a53c1bb03a5e6977c737c02f800ab4d6074d2bb54cc24c74272772ccd755054118e3e8de9d0656214

Download Submit
C:\PROGRA~3\Mozilla\jwufxge.exe

Filesize
260KB

MD5
09d1cf6208a63a2e328f0d45e682006a

SHA1
49fae9bf07584fb2fb7a29c6dd892f389f441e7b

SHA256
44de28d194629e40fc24baa6ef66025815c8831a21562018a0807bd42106d539

SHA512
ae4d9263309bdfe1c1bf44e7020b2fbd2b6717263dbc6c2a53c1bb03a5e6977c737c02f800ab4d6074d2bb54cc24c74272772ccd755054118e3e8de9d0656214

Download Submit
memory/1064-64-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1064-66-0x0000000000860000-0x00000000008BB000-memory.dmp

Filesize
364KB

Download
memory/1248-54-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1248-55-0x0000000075351000-0x0000000075353000-memory.dmp

Filesize
8KB

Download
memory/1248-56-0x0000000000220000-0x000000000027B000-memory.dmp

Filesize
364KB

Download