004fd7fcbc35ba4e1cc9a3c16fe7c38813d757448ead97562866aeb03a968561

Analysis

max time kernel
54s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06-11-2022 09:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

004fd7fcbc35ba4e1cc9a3c16fe7c38813d757448ead97562866aeb03a968561.exe
Size

249KB
MD5

124d60218c293cee96474ebdeaf3b25f
SHA1

fb8923ab42686c1746de00ac597f2ead296a5f65
SHA256

004fd7fcbc35ba4e1cc9a3c16fe7c38813d757448ead97562866aeb03a968561
SHA512

ab3f0222ff894d57a5597333e866e9d0f15dbdc54bfa04fb1cb32a0d274d40f80dab18f4e69556bbe894ff2c992bf93caacd2b6d9ffedd5aac364bfcb4d5a061
SSDEEP

6144:IiV3M7tydyE7ztsY4yTr8bjeJwj2EItHp4Pl6yzm:Iu3URWtsYf8PemjE8m

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1528	nswitkh.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\nswitkh.exe	004fd7fcbc35ba4e1cc9a3c16fe7c38813d757448ead97562866aeb03a968561.exe
File created	C:\PROGRA~3\Mozilla\zgooxfa.dll	nswitkh.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2016	004fd7fcbc35ba4e1cc9a3c16fe7c38813d757448ead97562866aeb03a968561.exe
1528	nswitkh.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1376 wrote to memory of 1528	1376	taskeng.exe	28
PID 1376 wrote to memory of 1528	1376	taskeng.exe	28
PID 1376 wrote to memory of 1528	1376	taskeng.exe	28
PID 1376 wrote to memory of 1528	1376	taskeng.exe	28

C:\Users\Admin\AppData\Local\Temp\004fd7fcbc35ba4e1cc9a3c16fe7c38813d757448ead97562866aeb03a968561.exe
"C:\Users\Admin\AppData\Local\Temp\004fd7fcbc35ba4e1cc9a3c16fe7c38813d757448ead97562866aeb03a968561.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
PID:2016

C:\Windows\system32\taskeng.exe
taskeng.exe {E8514208-E8DE-4A86-86A3-94A7A84EF02B} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1376
- C:\PROGRA~3\Mozilla\nswitkh.exe
  C:\PROGRA~3\Mozilla\nswitkh.exe -vhgoixm
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
  PID:1528

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\nswitkh.exe

Filesize
249KB

MD5
b9f4f5d6ffe2483217789eddaa855685

SHA1
ef3077ab7250f923c5e6ad7d05a3a6c0f7fb7d1d

SHA256
c5be125947a0430ec66f66569425237b07211f9f916e8cef4f1b76488779ca8a

SHA512
2f4e55d5c92237b2ee1e8fcd0daf5c76bddf023effbea76fbeb664ba353c2ce2ac63eceafec5bc0690bd1ce00e3f6c6b5f5b32fafca00f1ef7b125b66c1ee507

Download Submit
C:\PROGRA~3\Mozilla\nswitkh.exe

Filesize
249KB

MD5
b9f4f5d6ffe2483217789eddaa855685

SHA1
ef3077ab7250f923c5e6ad7d05a3a6c0f7fb7d1d

SHA256
c5be125947a0430ec66f66569425237b07211f9f916e8cef4f1b76488779ca8a

SHA512
2f4e55d5c92237b2ee1e8fcd0daf5c76bddf023effbea76fbeb664ba353c2ce2ac63eceafec5bc0690bd1ce00e3f6c6b5f5b32fafca00f1ef7b125b66c1ee507

Download Submit
memory/1528-60-0x0000000000000000-mapping.dmp

Download
memory/1528-63-0x00000000004D0000-0x000000000052B000-memory.dmp

Filesize
364KB

Download
memory/1528-64-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1528-65-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2016-54-0x00000000761F1000-0x00000000761F3000-memory.dmp

Filesize
8KB

Download
memory/2016-55-0x0000000000280000-0x00000000002DB000-memory.dmp

Filesize
364KB

Download
memory/2016-56-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2016-57-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2016-58-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download