ada423d848e5e724f24e918086d7802abf217328cb139dbe71a2d7229a9271c5

Analysis

max time kernel
44s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
28/11/2022, 00:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ada423d848e5e724f24e918086d7802abf217328cb139dbe71a2d7229a9271c5.exe
Size

168KB
MD5

487bed241af2669d3f3ad40aa8d88fab
SHA1

f456033768632a7776c1d26eb9e9c8a4399ad689
SHA256

ada423d848e5e724f24e918086d7802abf217328cb139dbe71a2d7229a9271c5
SHA512

f7e3940411aa6f7f9796fb8c361efc82aac56eab8496c5b4fd7bbbb04ae65cc3299b859cfaeda7dbef5add9d503ff233087c45af69ee7e79520515ff21d48592
SSDEEP

3072:Wbg/Zb5PCiXYteEp/tJzRg5eoEHhxAlJyRGQCfeypNfzSeKkCc:vBdPDIFJ/zRVoE8lJyJC2yp4e9

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1476	jjruejn.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\jjruejn.exe	ada423d848e5e724f24e918086d7802abf217328cb139dbe71a2d7229a9271c5.exe
File created	C:\PROGRA~3\Mozilla\segfnra.dll	jjruejn.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 568 wrote to memory of 1476	568	taskeng.exe	28
PID 568 wrote to memory of 1476	568	taskeng.exe	28
PID 568 wrote to memory of 1476	568	taskeng.exe	28
PID 568 wrote to memory of 1476	568	taskeng.exe	28

C:\Users\Admin\AppData\Local\Temp\ada423d848e5e724f24e918086d7802abf217328cb139dbe71a2d7229a9271c5.exe
"C:\Users\Admin\AppData\Local\Temp\ada423d848e5e724f24e918086d7802abf217328cb139dbe71a2d7229a9271c5.exe"
1⤵
- Drops file in Program Files directory
PID:1396

C:\Windows\system32\taskeng.exe
taskeng.exe {DE647017-4BD3-4A96-BC70-3DB7F9F23F8C} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:568
- C:\PROGRA~3\Mozilla\jjruejn.exe
  C:\PROGRA~3\Mozilla\jjruejn.exe -npivonl
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1476

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\jjruejn.exe

Filesize
168KB

MD5
50cdcf2b2d218718e88a860bb7277672

SHA1
9a613bfdb3b49d8acbfed398be7f549953a33299

SHA256
087c393a864fc934d1a7252b2d6a5102a28a79be2d42983c40c8a06740bb21d9

SHA512
4d090aa5d1e088ba665726897328ad9261e352bcaf738c812049891202e46126c9593bdeb53464e745484adfc13dbcde9d59017cf53f2d65d90c1fb3d75f7fc8

Download Submit
C:\PROGRA~3\Mozilla\jjruejn.exe

Filesize
168KB

MD5
50cdcf2b2d218718e88a860bb7277672

SHA1
9a613bfdb3b49d8acbfed398be7f549953a33299

SHA256
087c393a864fc934d1a7252b2d6a5102a28a79be2d42983c40c8a06740bb21d9

SHA512
4d090aa5d1e088ba665726897328ad9261e352bcaf738c812049891202e46126c9593bdeb53464e745484adfc13dbcde9d59017cf53f2d65d90c1fb3d75f7fc8

Download Submit
memory/1396-54-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1396-56-0x0000000000220000-0x000000000027B000-memory.dmp

Filesize
364KB

Download
memory/1396-55-0x00000000760E1000-0x00000000760E3000-memory.dmp

Filesize
8KB

Download
memory/1476-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1476-66-0x00000000002B0000-0x000000000030B000-memory.dmp

Filesize
364KB

Download