9e67f6ea2ea9992ac36f731434e92e6771151e879710b66f9b85179d4ee48da0

Analysis

max time kernel
51s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 10:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e67f6ea2ea9992ac36f731434e92e6771151e879710b66f9b85179d4ee48da0.exe
Size

453KB
MD5

23688f1a40c658e9ea5de69855b928d0
SHA1

4b035737859338bb891a239a64d71c45918c2426
SHA256

9e67f6ea2ea9992ac36f731434e92e6771151e879710b66f9b85179d4ee48da0
SHA512

d3a2a7033582343b6dce2904405ec79c8ab5d1169345458ff92a81f184045c714f77931ae1ea3f3968e895ad4bca1a5c2c2f44a91e7b66acebd63e75322dfe96
SSDEEP

12288:Gf048mOK64VKHlxKInfZXjU9b7VU+S6hMI+Cw:Gc4sCViKog9b7e+SqMIE

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
468	nswitkh.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\zgooxfa.dll	nswitkh.exe
File created	C:\PROGRA~3\Mozilla\nswitkh.exe	9e67f6ea2ea9992ac36f731434e92e6771151e879710b66f9b85179d4ee48da0.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
896	9e67f6ea2ea9992ac36f731434e92e6771151e879710b66f9b85179d4ee48da0.exe
468	nswitkh.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 468	2004	taskeng.exe	29
PID 2004 wrote to memory of 468	2004	taskeng.exe	29
PID 2004 wrote to memory of 468	2004	taskeng.exe	29
PID 2004 wrote to memory of 468	2004	taskeng.exe	29

C:\Users\Admin\AppData\Local\Temp\9e67f6ea2ea9992ac36f731434e92e6771151e879710b66f9b85179d4ee48da0.exe
"C:\Users\Admin\AppData\Local\Temp\9e67f6ea2ea9992ac36f731434e92e6771151e879710b66f9b85179d4ee48da0.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
PID:896

C:\Windows\system32\taskeng.exe
taskeng.exe {57223B53-58C0-4E63-93F3-45FC2E609EF8} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2004
- C:\PROGRA~3\Mozilla\nswitkh.exe
  C:\PROGRA~3\Mozilla\nswitkh.exe -vhgoixm
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
  PID:468

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\nswitkh.exe

Filesize
453KB

MD5
e0996dbaff7d88303fb5888de6c4d438

SHA1
fc22c0d854786a3687a1c1a802651de604b651d9

SHA256
eee0c749c07e4f460f15510b10de564bc89b95840ed892ecd5327388de836ef4

SHA512
d00eba5971f898d5bc9b114de026496f228749c6217c7eceeae12c872de07b417961839d4ae14a95e6f496c0df3bd1cefe49a6c31757494f07d0575fdd4a1203

Download Submit
C:\PROGRA~3\Mozilla\nswitkh.exe

Filesize
453KB

MD5
e0996dbaff7d88303fb5888de6c4d438

SHA1
fc22c0d854786a3687a1c1a802651de604b651d9

SHA256
eee0c749c07e4f460f15510b10de564bc89b95840ed892ecd5327388de836ef4

SHA512
d00eba5971f898d5bc9b114de026496f228749c6217c7eceeae12c872de07b417961839d4ae14a95e6f496c0df3bd1cefe49a6c31757494f07d0575fdd4a1203

Download Submit
memory/468-63-0x0000000000280000-0x00000000002DB000-memory.dmp

Filesize
364KB

Download
memory/468-64-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/468-65-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/896-54-0x0000000075E31000-0x0000000075E33000-memory.dmp

Filesize
8KB

Download
memory/896-55-0x0000000000460000-0x00000000004BB000-memory.dmp

Filesize
364KB

Download
memory/896-56-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/896-57-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/896-58-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download