882b63b64fc75884b150e9c120fd83e7e9a261af3ed14cc8167bc58ef784c98d

Analysis

max time kernel
43s
max time network
47s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
06/11/2022, 08:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

882b63b64fc75884b150e9c120fd83e7e9a261af3ed14cc8167bc58ef784c98d.exe
Size

166KB
MD5

374bf0bad748fbcf70ad6de769d302c0
SHA1

dbc08a50d1ced65a8f80247a0be44ba4f9ef96bd
SHA256

882b63b64fc75884b150e9c120fd83e7e9a261af3ed14cc8167bc58ef784c98d
SHA512

02fd4e678f5ff442f8eed64bc11522662bc55b892eb9a15eb068f5ff1f8cad861aca6b0569c56b30533118ab19a592c04699beae4a6be89b2dff2c93bf64d051
SSDEEP

3072:ZliwDUWyFcB9fu+JMl2uU82Ws7f9sjboPACTQembG4hY/i1vA+Ly:ZldD1Yc7GIBgbzjbfLhRW+Ly

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1704	jjruejn.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\jjruejn.exe	882b63b64fc75884b150e9c120fd83e7e9a261af3ed14cc8167bc58ef784c98d.exe
File created	C:\PROGRA~3\Mozilla\segfnra.dll	jjruejn.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1224 wrote to memory of 1704	1224	taskeng.exe	28
PID 1224 wrote to memory of 1704	1224	taskeng.exe	28
PID 1224 wrote to memory of 1704	1224	taskeng.exe	28
PID 1224 wrote to memory of 1704	1224	taskeng.exe	28

C:\Users\Admin\AppData\Local\Temp\882b63b64fc75884b150e9c120fd83e7e9a261af3ed14cc8167bc58ef784c98d.exe
"C:\Users\Admin\AppData\Local\Temp\882b63b64fc75884b150e9c120fd83e7e9a261af3ed14cc8167bc58ef784c98d.exe"
1⤵
- Drops file in Program Files directory
PID:1672

C:\Windows\system32\taskeng.exe
taskeng.exe {8B9A0BBF-9081-48C3-981D-56B5C84A2657} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1224
- C:\PROGRA~3\Mozilla\jjruejn.exe
  C:\PROGRA~3\Mozilla\jjruejn.exe -npivonl
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1704

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\jjruejn.exe

Filesize
166KB

MD5
d5c2427d4eb1a5f862e322453865ecf6

SHA1
3d22626ce3e452ab813764b0a89ea96b9fbb82bc

SHA256
cd14da4982b6424743dc72e9716cf535bd4ad12f686c14c8ead1aea6d2e65657

SHA512
86944e96967a53b79507c93c20ea2a6f56286e52f2b1a2c3566534fd58233ba5857217230a09ea9839d0997a2faa5f5a2d139ededfeba7f5d86cce1215941cd9

Download Submit
C:\PROGRA~3\Mozilla\jjruejn.exe

Filesize
166KB

MD5
d5c2427d4eb1a5f862e322453865ecf6

SHA1
3d22626ce3e452ab813764b0a89ea96b9fbb82bc

SHA256
cd14da4982b6424743dc72e9716cf535bd4ad12f686c14c8ead1aea6d2e65657

SHA512
86944e96967a53b79507c93c20ea2a6f56286e52f2b1a2c3566534fd58233ba5857217230a09ea9839d0997a2faa5f5a2d139ededfeba7f5d86cce1215941cd9

Download Submit
memory/1672-54-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1672-55-0x0000000075111000-0x0000000075113000-memory.dmp

Filesize
8KB

Download
memory/1672-56-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1672-59-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1672-60-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1704-64-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1704-65-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1704-67-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1704-70-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download