a68a2792b93d887f49c0e42497db22164cdc19d3615084d6c4b086412841af67

Analysis

max time kernel
37s
max time network
41s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06/11/2022, 07:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a68a2792b93d887f49c0e42497db22164cdc19d3615084d6c4b086412841af67.exe
Size

156KB
MD5

10d96803a0150901fa567935867cbb20
SHA1

80d364798104c7c7fb37f18327f0f56fef30c5a7
SHA256

a68a2792b93d887f49c0e42497db22164cdc19d3615084d6c4b086412841af67
SHA512

5002d508c646bae5bcb1cf1056a67a27b53c6f0695b1f1fc6eccaf6621ead048fb86d55dee9bbf28187fc234ed9082bbd7932feebc3d96e4afef287377689c1e
SSDEEP

3072:g7KEcx/PGumsUbjdor/7BS4e9rPSFgLccpFQSZK+IyrfY2Nmoh:gGt/hU1YjBS4A7SqRhjrfYozh

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1460	jwufxge.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\jwufxge.exe	a68a2792b93d887f49c0e42497db22164cdc19d3615084d6c4b086412841af67.exe
File created	C:\PROGRA~3\Mozilla\hvkykah.dll	jwufxge.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1860 wrote to memory of 1460	1860	taskeng.exe	27
PID 1860 wrote to memory of 1460	1860	taskeng.exe	27
PID 1860 wrote to memory of 1460	1860	taskeng.exe	27
PID 1860 wrote to memory of 1460	1860	taskeng.exe	27

C:\Users\Admin\AppData\Local\Temp\a68a2792b93d887f49c0e42497db22164cdc19d3615084d6c4b086412841af67.exe
"C:\Users\Admin\AppData\Local\Temp\a68a2792b93d887f49c0e42497db22164cdc19d3615084d6c4b086412841af67.exe"
1⤵
- Drops file in Program Files directory
PID:1752

C:\Windows\system32\taskeng.exe
taskeng.exe {72B8A792-96E3-4F2A-A712-F716EC16ACBD} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1860
- C:\PROGRA~3\Mozilla\jwufxge.exe
  C:\PROGRA~3\Mozilla\jwufxge.exe -kqepohf
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1460

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\jwufxge.exe

Filesize
156KB

MD5
971a323eb8b4e0733952e36cc19fe9ef

SHA1
6be2a7696a0b2c3fa2b3ce37ce66119652295563

SHA256
15be4215883df542a0c3c7b00100f3bc62763f091de12aeefcf3a047181f6595

SHA512
039b40065bf8d22bcc9b72718266e22636f4cfd809519b1944d08fa0205c5850c2586364482eb3039daa9789b47515ee1c99324c36923a43c9f86d179b3ae37b

Download Submit
C:\PROGRA~3\Mozilla\jwufxge.exe

Filesize
156KB

MD5
971a323eb8b4e0733952e36cc19fe9ef

SHA1
6be2a7696a0b2c3fa2b3ce37ce66119652295563

SHA256
15be4215883df542a0c3c7b00100f3bc62763f091de12aeefcf3a047181f6595

SHA512
039b40065bf8d22bcc9b72718266e22636f4cfd809519b1944d08fa0205c5850c2586364482eb3039daa9789b47515ee1c99324c36923a43c9f86d179b3ae37b

Download Submit
memory/1460-64-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1460-66-0x0000000000390000-0x00000000003EB000-memory.dmp

Filesize
364KB

Download
memory/1752-54-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1752-55-0x0000000076681000-0x0000000076683000-memory.dmp

Filesize
8KB

Download
memory/1752-56-0x00000000002D0000-0x000000000032B000-memory.dmp

Filesize
364KB

Download