c2c7af74dd45a98d87db5b092e33428f1dd4aa3b2cca625f4175697d691a8508

Analysis

max time kernel
53s
max time network
48s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30/10/2022, 06:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c2c7af74dd45a98d87db5b092e33428f1dd4aa3b2cca625f4175697d691a8508.exe
Size

206KB
MD5

a26f6471ecea3fb5e30a369a6cd3e920
SHA1

ce1d9f72e1ebbaa9118565d1fa2e165f391866e9
SHA256

c2c7af74dd45a98d87db5b092e33428f1dd4aa3b2cca625f4175697d691a8508
SHA512

17de3e4c4d17ac185eed811474e5c29dac96f498d69702d55f5103cc5b408ba68b487dcd0818fa9bec9c1ddbbc1429e77cfa3d4a203d53b1760c3f2f9a008af6
SSDEEP

6144:GByL0NrMTObdBq6tsR7rQxFm1u5Gk6R9jh:wXhBqvVcG1LkY9jh

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1968	nswitkh.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\nswitkh.exe	c2c7af74dd45a98d87db5b092e33428f1dd4aa3b2cca625f4175697d691a8508.exe
File created	C:\PROGRA~3\Mozilla\zgooxfa.dll	nswitkh.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 1968	2008	taskeng.exe	29
PID 2008 wrote to memory of 1968	2008	taskeng.exe	29
PID 2008 wrote to memory of 1968	2008	taskeng.exe	29
PID 2008 wrote to memory of 1968	2008	taskeng.exe	29

C:\Users\Admin\AppData\Local\Temp\c2c7af74dd45a98d87db5b092e33428f1dd4aa3b2cca625f4175697d691a8508.exe
"C:\Users\Admin\AppData\Local\Temp\c2c7af74dd45a98d87db5b092e33428f1dd4aa3b2cca625f4175697d691a8508.exe"
1⤵
- Drops file in Program Files directory
PID:1680

C:\Windows\system32\taskeng.exe
taskeng.exe {83376865-B24B-454D-8944-8F9AC5506075} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2008
- C:\PROGRA~3\Mozilla\nswitkh.exe
  C:\PROGRA~3\Mozilla\nswitkh.exe -vhgoixm
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1968

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\nswitkh.exe

Filesize
206KB

MD5
dbbe9c88b14fa3fec3ab3f1f34a612d7

SHA1
a02a804e9dfae58d77e6b3c783eed1708ea36c27

SHA256
33fa769881cba4d2902412a6c0699588e2bd8b753656d3e74570f2bbfe1018cb

SHA512
144acb5992e544f2853c1311bb7692024cb77528e1511b7ae3de8714ad4afc49f9d39ef832e460c9196572bdbefdcea7ca170d1877bc9851474e4904bc5498a8

Download Submit
C:\PROGRA~3\Mozilla\nswitkh.exe

Filesize
206KB

MD5
dbbe9c88b14fa3fec3ab3f1f34a612d7

SHA1
a02a804e9dfae58d77e6b3c783eed1708ea36c27

SHA256
33fa769881cba4d2902412a6c0699588e2bd8b753656d3e74570f2bbfe1018cb

SHA512
144acb5992e544f2853c1311bb7692024cb77528e1511b7ae3de8714ad4afc49f9d39ef832e460c9196572bdbefdcea7ca170d1877bc9851474e4904bc5498a8

Download Submit
memory/1680-54-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1680-55-0x0000000075921000-0x0000000075923000-memory.dmp

Filesize
8KB

Download
memory/1680-56-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1680-59-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1680-60-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1968-64-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1968-66-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1968-69-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/1968-70-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download