b1690d26daad3ac88748f86b27c8c12a10d474668383d287af216d57cd59082e

Analysis

max time kernel
57s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07/11/2022, 11:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b1690d26daad3ac88748f86b27c8c12a10d474668383d287af216d57cd59082e.exe
Size

213KB
MD5

027c6ebe8c862cf372e87a1e6164fe20
SHA1

4e3ebcf41518611d1cc3e1ae57c190bcd7f91261
SHA256

b1690d26daad3ac88748f86b27c8c12a10d474668383d287af216d57cd59082e
SHA512

d1ce392a6ebb7dc3efac92c820f764bd0e5f61b89250859afede771939ad3d78a57ae3451aa17aef38c3ca33fb2b51cc71ee2a0c8798f5b41a48b78a962df99c
SSDEEP

6144:pEjpvYc3YJ/HvD9hTKCyI7TwmdMlL992VKmH33KeJxah2:aVe/v5hGCyB3R2rBm4

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1464	nswitkh.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\nswitkh.exe	b1690d26daad3ac88748f86b27c8c12a10d474668383d287af216d57cd59082e.exe
File created	C:\PROGRA~3\Mozilla\zgooxfa.dll	nswitkh.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1264 wrote to memory of 1464	1264	taskeng.exe	29
PID 1264 wrote to memory of 1464	1264	taskeng.exe	29
PID 1264 wrote to memory of 1464	1264	taskeng.exe	29
PID 1264 wrote to memory of 1464	1264	taskeng.exe	29

C:\Users\Admin\AppData\Local\Temp\b1690d26daad3ac88748f86b27c8c12a10d474668383d287af216d57cd59082e.exe
"C:\Users\Admin\AppData\Local\Temp\b1690d26daad3ac88748f86b27c8c12a10d474668383d287af216d57cd59082e.exe"
1⤵
- Drops file in Program Files directory
PID:1812

C:\Windows\system32\taskeng.exe
taskeng.exe {17A5403D-B073-451B-B5C5-FBAE6484911C} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1264
- C:\PROGRA~3\Mozilla\nswitkh.exe
  C:\PROGRA~3\Mozilla\nswitkh.exe -vhgoixm
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1464

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\nswitkh.exe

Filesize
213KB

MD5
608145dff0c73a3d621f46cf722de00e

SHA1
a9522dade2c457c39ea72e932136eb8759c27aca

SHA256
5fa64f1932315dc8d1c0ccbf894802fad3abb4cee601362dfbe99b7c5e662af2

SHA512
9a24a21cbaec49d3f72f44f1627377ccdbb354dbf85bd0caa1a676365133473ada90d150e67e8da654173e4d49ac6b4c1695ecd19687fe3d617b4d0166d8a810

Download Submit
C:\PROGRA~3\Mozilla\nswitkh.exe

Filesize
213KB

MD5
608145dff0c73a3d621f46cf722de00e

SHA1
a9522dade2c457c39ea72e932136eb8759c27aca

SHA256
5fa64f1932315dc8d1c0ccbf894802fad3abb4cee601362dfbe99b7c5e662af2

SHA512
9a24a21cbaec49d3f72f44f1627377ccdbb354dbf85bd0caa1a676365133473ada90d150e67e8da654173e4d49ac6b4c1695ecd19687fe3d617b4d0166d8a810

Download Submit
memory/1464-68-0x0000000000430000-0x000000000048B000-memory.dmp

Filesize
364KB

Download
memory/1464-67-0x000000000043A000-0x000000000047D000-memory.dmp

Filesize
268KB

Download
memory/1812-54-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1812-55-0x0000000076411000-0x0000000076413000-memory.dmp

Filesize
8KB

Download
memory/1812-56-0x0000000000320000-0x000000000037B000-memory.dmp

Filesize
364KB

Download