56366ae1f6e1f11e380f4aa7c6d17e876a220e2e8630073385f7f0d7056d8f6a

Analysis

max time kernel
42s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29/10/2022, 00:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

56366ae1f6e1f11e380f4aa7c6d17e876a220e2e8630073385f7f0d7056d8f6a.exe
Size

139KB
MD5

0c07981a673ed47799a2faeec44722f0
SHA1

a94f8a3a3553dfce0c9aef4171471497ba2ca067
SHA256

56366ae1f6e1f11e380f4aa7c6d17e876a220e2e8630073385f7f0d7056d8f6a
SHA512

af44660e51d1b2c8c11c62d9ba1b238fb9ea54c381aa209143227949b6789f13c191888c54c143dc199b8455c8fb8f5fcd666e15fea8521d18e7ff2acfed8f27
SSDEEP

3072:Ag80rFQjzNbHUrRVJ/F0MKmPNdpBTeG+ueunR8JjKGBhcy:r80SYpqMKmPNdnXWeM5fcy

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1272	nswitkh.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\nswitkh.exe	56366ae1f6e1f11e380f4aa7c6d17e876a220e2e8630073385f7f0d7056d8f6a.exe
File created	C:\PROGRA~3\Mozilla\zgooxfa.dll	nswitkh.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 952 wrote to memory of 1272	952	taskeng.exe	29
PID 952 wrote to memory of 1272	952	taskeng.exe	29
PID 952 wrote to memory of 1272	952	taskeng.exe	29
PID 952 wrote to memory of 1272	952	taskeng.exe	29

C:\Users\Admin\AppData\Local\Temp\56366ae1f6e1f11e380f4aa7c6d17e876a220e2e8630073385f7f0d7056d8f6a.exe
"C:\Users\Admin\AppData\Local\Temp\56366ae1f6e1f11e380f4aa7c6d17e876a220e2e8630073385f7f0d7056d8f6a.exe"
1⤵
- Drops file in Program Files directory
PID:1052

C:\Windows\system32\taskeng.exe
taskeng.exe {09DDB1F4-0980-403A-B34B-67C76804AC3A} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:952
- C:\PROGRA~3\Mozilla\nswitkh.exe
  C:\PROGRA~3\Mozilla\nswitkh.exe -vhgoixm
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1272

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\nswitkh.exe

Filesize
38KB

MD5
52c51d1df43a7f30cda08a77f0e9ee09

SHA1
7245ee0ad593f6a73d3c29c77ae82493b34e18d1

SHA256
e569d1ad7dfb98efac11d2a42c8adb4ac06694c58531f2f9c290b4c604eecf80

SHA512
c73f4da10e652c0e2e614a3f84b5ce5a74672b7f9551576277bcd67905fd02dcb92c06719041db898e48da1bd258678f98d8a25ef7056481655591c77b76f8db

Download Submit
C:\PROGRA~3\Mozilla\nswitkh.exe

Filesize
32KB

MD5
1fb0d90a6cf4c531d55aa8da210a1f01

SHA1
54c14b1dc81ff36a6279866ef0e6ce7a0179756f

SHA256
d5bf1394477f9ffe5471a062b2075eb199fa6159aa06eb2d6fc12240008fa60c

SHA512
a86ff8443cdfd29e8786418ed7c820ca0dd635e9c94836944ef478e9010b065ab7d9f1e76a20be4764c7fd215057a9789c0dd3a56c327d91c5f3b149cec6c621

Download Submit
memory/1052-54-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1052-55-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/1052-56-0x0000000000320000-0x000000000037B000-memory.dmp

Filesize
364KB

Download
memory/1272-64-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1272-69-0x0000000000430000-0x000000000048B000-memory.dmp

Filesize
364KB

Download
memory/1272-68-0x000000000043A000-0x000000000047D000-memory.dmp

Filesize
268KB

Download