e7ef55418dd6a6544e87c7dee0665240a1aaaf8d9837025649ea598a011ca5bb

Analysis

max time kernel
41s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07/11/2022, 09:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e7ef55418dd6a6544e87c7dee0665240a1aaaf8d9837025649ea598a011ca5bb.exe
Size

186KB
MD5

0c1dc8d190c4452e123f41e1138c4560
SHA1

4ff9ef171d13ae2a03df53cc055fba6a36c98f2d
SHA256

e7ef55418dd6a6544e87c7dee0665240a1aaaf8d9837025649ea598a011ca5bb
SHA512

4860884034eeb5d54e625d8758492f82249783c314367801384a61eb743e834ffa137ec3682c53437028b2ec9d8c39ca087ae51cbe0bd0b31dafd76321353e3c
SSDEEP

3072:pidj6ShhYRa3SXjF/HvD9hQU7OCyIjAYxRwmdPkmkWt+3t97SVKmHkAJbbvAKclb:pEjpvYc3YJ/HvD9hTKCyI7TwmdMlL99l

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1644	jwufxge.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\hvkykah.dll	jwufxge.exe
File created	C:\PROGRA~3\Mozilla\jwufxge.exe	e7ef55418dd6a6544e87c7dee0665240a1aaaf8d9837025649ea598a011ca5bb.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1756 wrote to memory of 1644	1756	taskeng.exe	27
PID 1756 wrote to memory of 1644	1756	taskeng.exe	27
PID 1756 wrote to memory of 1644	1756	taskeng.exe	27
PID 1756 wrote to memory of 1644	1756	taskeng.exe	27

C:\Users\Admin\AppData\Local\Temp\e7ef55418dd6a6544e87c7dee0665240a1aaaf8d9837025649ea598a011ca5bb.exe
"C:\Users\Admin\AppData\Local\Temp\e7ef55418dd6a6544e87c7dee0665240a1aaaf8d9837025649ea598a011ca5bb.exe"
1⤵
- Drops file in Program Files directory
PID:2044

C:\Windows\system32\taskeng.exe
taskeng.exe {FCD45B74-650C-409F-8341-6AF0268EB0A2} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1756
- C:\PROGRA~3\Mozilla\jwufxge.exe
  C:\PROGRA~3\Mozilla\jwufxge.exe -kqepohf
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1644

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\jwufxge.exe

Filesize
186KB

MD5
d2ab1ca7d535ea3f087b24b872936075

SHA1
10e8ed843f9b2b7d90e004ef4e853540e5e33774

SHA256
fc0561f2bf66ec0276bc0646c75f8c8aee4360f2e15e8a4ba1be2d46447195e0

SHA512
84489a52ef794049cc4ad9d8739ad158cee0ba334d7d85ec23b6b67dea9e6b9ec4bd278732a115868782ed6db99c9b61081780cd8e52a2c7e7b129e5553873d4

Download Submit
C:\PROGRA~3\Mozilla\jwufxge.exe

Filesize
186KB

MD5
d2ab1ca7d535ea3f087b24b872936075

SHA1
10e8ed843f9b2b7d90e004ef4e853540e5e33774

SHA256
fc0561f2bf66ec0276bc0646c75f8c8aee4360f2e15e8a4ba1be2d46447195e0

SHA512
84489a52ef794049cc4ad9d8739ad158cee0ba334d7d85ec23b6b67dea9e6b9ec4bd278732a115868782ed6db99c9b61081780cd8e52a2c7e7b129e5553873d4

Download Submit
memory/2044-54-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/2044-55-0x0000000075F81000-0x0000000075F83000-memory.dmp

Filesize
8KB

Download
memory/2044-56-0x0000000000320000-0x000000000037B000-memory.dmp

Filesize
364KB

Download