eac908d6d0308d0b140c749b2bd9f9ca0fb8c77411c5ffad56ce2b60a156aa51

Analysis

max time kernel
44s
max time network
48s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
04/12/2022, 12:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eac908d6d0308d0b140c749b2bd9f9ca0fb8c77411c5ffad56ce2b60a156aa51.exe
Size

26KB
MD5

677a64057860321c21b6220c60fb9f3c
SHA1

349ff0fdd83455b982994e6d983b647a31002d1a
SHA256

eac908d6d0308d0b140c749b2bd9f9ca0fb8c77411c5ffad56ce2b60a156aa51
SHA512

68a189f55d0c15cb67d0f5609b4451f35c4a752f6aa5b84fde78f90b987120a176ec5ad18877fe141f6e3985d10473c9d111b881082f9e794267804e733b45ca
SSDEEP

384:jkhg9eVjAWkYznhNLFkEMrRdIvViwhUZl0mDWoaeyaxeXjVDFi:Ahg9ehdzhNLFktO4/4mKonx+jG

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1724	firefox.exe

Loads dropped DLL 2 IoCs

pid	Process
1080	cmd.exe
1080	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Update = "C:\\Users\\Admin\\AppData\\Local\\Temp\\firefox.exe"	eac908d6d0308d0b140c749b2bd9f9ca0fb8c77411c5ffad56ce2b60a156aa51.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
828	PING.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1056 wrote to memory of 1080	1056	eac908d6d0308d0b140c749b2bd9f9ca0fb8c77411c5ffad56ce2b60a156aa51.exe	26
PID 1056 wrote to memory of 1080	1056	eac908d6d0308d0b140c749b2bd9f9ca0fb8c77411c5ffad56ce2b60a156aa51.exe	26
PID 1056 wrote to memory of 1080	1056	eac908d6d0308d0b140c749b2bd9f9ca0fb8c77411c5ffad56ce2b60a156aa51.exe	26
PID 1056 wrote to memory of 1080	1056	eac908d6d0308d0b140c749b2bd9f9ca0fb8c77411c5ffad56ce2b60a156aa51.exe	26
PID 1080 wrote to memory of 828	1080	cmd.exe	28
PID 1080 wrote to memory of 828	1080	cmd.exe	28
PID 1080 wrote to memory of 828	1080	cmd.exe	28
PID 1080 wrote to memory of 828	1080	cmd.exe	28
PID 1080 wrote to memory of 1724	1080	cmd.exe	29
PID 1080 wrote to memory of 1724	1080	cmd.exe	29
PID 1080 wrote to memory of 1724	1080	cmd.exe	29
PID 1080 wrote to memory of 1724	1080	cmd.exe	29

C:\Users\Admin\AppData\Local\Temp\eac908d6d0308d0b140c749b2bd9f9ca0fb8c77411c5ffad56ce2b60a156aa51.exe
"C:\Users\Admin\AppData\Local\Temp\eac908d6d0308d0b140c749b2bd9f9ca0fb8c77411c5ffad56ce2b60a156aa51.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1056
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "C:\Users\Admin\AppData\Local\Temp\batfile.bat"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1080
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 6 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:828
- - C:\Users\Admin\AppData\Local\Temp\firefox.exe
    "C:\Users\Admin\AppData\Local\Temp\firefox.exe"
    3⤵
    - Executes dropped EXE
    PID:1724

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\batfile.bat

Filesize
256B

MD5
75c9a3a0a02e06a41dddb988e8bab3b0

SHA1
bce918d413a42fa377499a4c15ccf4fa52731271

SHA256
da68484923fe544c335bebca6155117b4f8aacd4d32d8a6d320980e0a5de7a57

SHA512
61a34f824be234c3d6a1b4e18ed649b7a4d8223ec682631b72b9dc784dad415440ac84165bc6aaf7ca06b044e479dd332013fe7b04ce9074e3bd65f14963692b

Download Submit
C:\Users\Admin\AppData\Local\Temp\firefox.exe

Filesize
26KB

MD5
677a64057860321c21b6220c60fb9f3c

SHA1
349ff0fdd83455b982994e6d983b647a31002d1a

SHA256
eac908d6d0308d0b140c749b2bd9f9ca0fb8c77411c5ffad56ce2b60a156aa51

SHA512
68a189f55d0c15cb67d0f5609b4451f35c4a752f6aa5b84fde78f90b987120a176ec5ad18877fe141f6e3985d10473c9d111b881082f9e794267804e733b45ca

Download Submit
\Users\Admin\AppData\Local\Temp\firefox.exe

Filesize
26KB

MD5
677a64057860321c21b6220c60fb9f3c

SHA1
349ff0fdd83455b982994e6d983b647a31002d1a

SHA256
eac908d6d0308d0b140c749b2bd9f9ca0fb8c77411c5ffad56ce2b60a156aa51

SHA512
68a189f55d0c15cb67d0f5609b4451f35c4a752f6aa5b84fde78f90b987120a176ec5ad18877fe141f6e3985d10473c9d111b881082f9e794267804e733b45ca

Download Submit
\Users\Admin\AppData\Local\Temp\firefox.exe

Filesize
26KB

MD5
677a64057860321c21b6220c60fb9f3c

SHA1
349ff0fdd83455b982994e6d983b647a31002d1a

SHA256
eac908d6d0308d0b140c749b2bd9f9ca0fb8c77411c5ffad56ce2b60a156aa51

SHA512
68a189f55d0c15cb67d0f5609b4451f35c4a752f6aa5b84fde78f90b987120a176ec5ad18877fe141f6e3985d10473c9d111b881082f9e794267804e733b45ca

Download Submit