Analysis
max time kernel: 40s
max time network: 46s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 27-11-2022 16:36

Static task: static1
Behavioral task: behavioral1
  Sample: 1b62834e351b1d9fbb419cbd2a26fc6b202a9de46b0e821900d8f538881928b4.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 1b62834e351b1d9fbb419cbd2a26fc6b202a9de46b0e821900d8f538881928b4.exe
  Resource: win10v2004-20220812-en
General
Target: 1b62834e351b1d9fbb419cbd2a26fc6b202a9de46b0e821900d8f538881928b4.exe
Size: 178KB
MD5: 2e8a00eadb1bad304b3fd838e4394065
SHA1: 8ca00cccbe760bd45b5c7b64a88a4082d7ec6d41
SHA256: 1b62834e351b1d9fbb419cbd2a26fc6b202a9de46b0e821900d8f538881928b4
SHA512: 99169d4e41ac9e04ddd8c31140bfc14fb3399f8a172d11ef9ef9c111f11d3e72e131823e1f1be7e95ce6e54a781e8e07c951061d8db0a14a6f06bfe5aa9fa6ba
SSDEEP: 3072:ETIw/g8ZIogicblSGPkxNem8sNAZtXGZi5ysdAMvI0ox5HyWTQs5R6bTWXS:ET1/g8+JxNc/VPGHgoyOAqsQ70i
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Process: PID 2020 nswitkh.exe
- Modifies AppInit DLL entries (2 TTPs)
  AppInit_DLLs persistence (T1103 in the ATT&CK v6 matrix this report uses, T1546.010 in current versions): a DLL listed in that value is loaded into every process that loads user32.dll. The report does not record the value written; the only DLL this sample drops is C:\PROGRA~3\Mozilla\zgooxfa.dll.
- Drops file in Program Files directory (2 IoCs)
  File created: C:\PROGRA~3\Mozilla\nswitkh.exe, by 1b62834e351b1d9fbb419cbd2a26fc6b202a9de46b0e821900d8f538881928b4.exe
  File created: C:\PROGRA~3\Mozilla\zgooxfa.dll, by nswitkh.exe
  Note: PROGRA~3 is an 8.3 short name. On a default Windows install PROGRA~1 and PROGRA~2 are the two Program Files directories and PROGRA~3 is C:\ProgramData, so despite the signature's label the drop location is C:\ProgramData\Mozilla. Hunt for that path in its long form as well as the short one.
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 1480 taskeng.exe wrote to the memory of PID 2020 nswitkh.exe (4 events)
  These writes come from the parent that created the process, which is normal during process start-up and does not by itself indicate injection; the useful signal is the parent, taskeng.exe, i.e. a scheduled task.
Processes
1. C:\Users\Admin\AppData\Local\Temp\1b62834e351b1d9fbb419cbd2a26fc6b202a9de46b0e821900d8f538881928b4.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1b62834e351b1d9fbb419cbd2a26fc6b202a9de46b0e821900d8f538881928b4.exe"
   - Drops file in Program Files directory
1. C:\Windows\system32\taskeng.exe
   Command line: taskeng.exe {190C66A0-FB44-444B-B7B3-1F0574B5D3D4} S-1-5-18:NT AUTHORITY\System:Service:
   - Suspicious use of WriteProcessMemory
   2. C:\PROGRA~3\Mozilla\nswitkh.exe
      Command line: C:\PROGRA~3\Mozilla\nswitkh.exe -vhgoixm
      - Executes dropped EXE
      - Drops file in Program Files directory

The dropped copy is not a child of the submitted sample: its parent is taskeng.exe, the Windows 7 Task Scheduler engine, running for S-1-5-18 (NT AUTHORITY\System). So the sample registered a scheduled task that starts C:\PROGRA~3\Mozilla\nswitkh.exe as SYSTEM with the argument -vhgoixm, and the second stage (the zgooxfa.dll drop and the AppInit DLL change) runs from that task rather than from the original process. The report lists no scheduled-task signature, so the task name and trigger are not recorded here; the taskeng.exe parent is the evidence for it.
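As an added example that is not part of this sandbox report: hunt logic in Python that encodes the chain above (PE drop under PROGRA~3\Mozilla, launch of the dropped binary by taskeng.exe, a write to AppInit_DLLs, and the report's SHA256 values) and runs it over Sysmon-style events constructed inline to mirror the process tree. The field names (EventID, Image, ParentImage, CommandLine, TargetFilename, TargetObject, Details, Hashes) are Sysmon's; the expansion of PROGRA~3 to ProgramData and the AppInit_DLLs value in the constructed registry event are assumptions, since the report only states that the entries were modified.

```python
import re

# Indicators from the report: the submitted sample's SHA256, the dropped
# copy's SHA256, the drop directory (PROGRA~3 expanded, see normalize_path)
# and the registry values behind the "Modifies AppInit DLL entries" signature.
SAMPLE_SHA256 = "1b62834e351b1d9fbb419cbd2a26fc6b202a9de46b0e821900d8f538881928b4"
DROPPED_SHA256 = "410cc2b7a48a38c56651fac8485432a4182a174e4b39061ff4e3e6d97447460d"
KNOWN_HASHES = {SAMPLE_SHA256, DROPPED_SHA256}
DROP_DIR = r"c:\programdata\mozilla"
APPINIT_VALUES = {
    r"hklm\software\microsoft\windows nt\currentversion\windows\appinit_dlls",
    r"hklm\software\microsoft\windows nt\currentversion\windows\loadappinit_dlls",
    r"hklm\software\wow6432node\microsoft\windows nt\currentversion\windows\appinit_dlls",
    r"hklm\software\wow6432node\microsoft\windows nt\currentversion\windows\loadappinit_dlls",
}
# Assumption: PROGRA~3 is the 8.3 alias of ProgramData, as on a default install.
SHORT_NAMES = {"progra~3": "programdata"}


def normalize_path(path):
    """Lower-case a path and expand the 8.3 aliases listed in SHORT_NAMES."""
    path = path.lower()
    for short, full in SHORT_NAMES.items():
        path = path.replace("\\" + short + "\\", "\\" + full + "\\")
    return path


def rule_drop(e):
    """Sysmon 11: a PE written under the drop directory used by this sample."""
    if e.get("EventID") != 11:
        return None
    target = normalize_path(e["TargetFilename"])
    if target.startswith(DROP_DIR + "\\") and target.endswith((".exe", ".dll")):
        return "PE dropped under ProgramData\\Mozilla: " + e["TargetFilename"]
    return None


def rule_task_launch(e):
    """Sysmon 1: a binary in the drop directory started by the Task Scheduler
    engine (taskeng.exe), which is how nswitkh.exe ran in the report."""
    if e.get("EventID") != 1:
        return None
    image = normalize_path(e["Image"])
    parent = normalize_path(e.get("ParentImage", ""))
    if parent.endswith("\\taskeng.exe") and image.startswith(DROP_DIR + "\\"):
        return "scheduled-task launch of dropped binary: " + e.get("CommandLine", e["Image"])
    return None


def rule_appinit(e):
    """Sysmon 13: any write to the AppInit_DLLs / LoadAppInit_DLLs values."""
    if e.get("EventID") != 13:
        return None
    if normalize_path(e["TargetObject"]) in APPINIT_VALUES:
        return "AppInit DLL persistence: %s <- %s" % (e["TargetObject"], e.get("Details", "?"))
    return None


def rule_known_hash(e):
    """Any event whose Sysmon Hashes field carries one of the report's SHA256s."""
    m = re.search(r"SHA256=([0-9A-Fa-f]{64})", e.get("Hashes", ""))
    if m and m.group(1).lower() in KNOWN_HASHES:
        return "known hash %s... in %s" % (m.group(1).lower()[:12], e.get("Image", "?"))
    return None


RULES = (rule_drop, rule_task_launch, rule_appinit, rule_known_hash)


def evaluate(events):
    """Return (event index, rule name, message) for every rule hit."""
    hits = []
    for i, e in enumerate(events):
        for rule in RULES:
            msg = rule(e)
            if msg:
                hits.append((i, rule.__name__, msg))
    return hits


# Constructed events mirroring the report's process tree and IoCs (not real
# telemetry). The AppInit_DLLs value in event 3 is assumed to be the dropped DLL.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\1b62834e351b1d9fbb419cbd2a26fc6b202a9de46b0e821900d8f538881928b4.exe"
EVENTS = [
    {"EventID": 11, "Image": SAMPLE, "TargetFilename": r"C:\PROGRA~3\Mozilla\nswitkh.exe"},
    {"EventID": 1, "Image": r"C:\PROGRA~3\Mozilla\nswitkh.exe",
     "CommandLine": r"C:\PROGRA~3\Mozilla\nswitkh.exe -vhgoixm",
     "ParentImage": r"C:\Windows\system32\taskeng.exe",
     "Hashes": "SHA256=" + DROPPED_SHA256.upper()},
    {"EventID": 11, "Image": r"C:\PROGRA~3\Mozilla\nswitkh.exe",
     "TargetFilename": r"C:\PROGRA~3\Mozilla\zgooxfa.dll"},
    {"EventID": 13, "Image": r"C:\PROGRA~3\Mozilla\nswitkh.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs",
     "Details": r"C:\PROGRA~3\Mozilla\zgooxfa.dll"},
    # Benign noise: a genuine Mozilla binary under Program Files, started by explorer.
    {"EventID": 1, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "firefox.exe",
     "Hashes": "SHA256=" + "00" * 32},
]

if __name__ == "__main__":
    for idx, name, msg in evaluate(EVENTS):
        print("event %d %-16s %s" % (idx, name, msg))
```

The rules deliberately key on the drop directory and the taskeng.exe parent rather than on the file names, since nswitkh.exe, zgooxfa.dll and -vhgoixm look generated and are unlikely to repeat across samples; the hash rule is the only one tied to this specific build.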
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\PROGRA~3\Mozilla\nswitkh.exe
  Filesize: 178KB
  MD5: a4a02a381151729f0a3bf41ac7595a23
  SHA1: e2bd5ac7640e979dd5dac8634fbccdb3c90cf8c0
  SHA256: 410cc2b7a48a38c56651fac8485432a4182a174e4b39061ff4e3e6d97447460d
  SHA512: 7fdf2f7f3b6d7c16dceae9ae5339e3768e5ea18f3eb828b7494c51609bc0a7f337dc07627422204ed4d9bb1c353862403b2d4cc60edac4199f11c3fccaacfdd5
  The dropped file has the same 178KB size as the submitted sample but different hashes, so it is not a byte-for-byte copy; block or hunt on both hash sets.

Memory dumps
memory/1504-54-0x0000000000400000-0x0000000000427000-memory.dmp  156KB
memory/1504-55-0x0000000075FB1000-0x0000000075FB3000-memory.dmp  8KB
memory/1504-56-0x0000000000320000-0x000000000037B000-memory.dmp  364KB
memory/1504-61-0x0000000000400000-0x0000000000427000-memory.dmp  156KB
memory/2020-63-0x0000000000000000-mapping.dmp
memory/2020-66-0x0000000000490000-0x00000000004EB000-memory.dmp  364KB
PID 1504 is not named in the process list but is the only other monitored process, so it is the submitted sample (dumps of its 0x400000 image region before and after it runs); PID 2020 is nswitkh.exe. Both processes contain a 0x5B000-byte (364KB) region outside the image at a different base (0x320000 and 0x490000), which is the natural place to look for an unpacked payload shared by the two stages.