7c3caed1d850a40e77e2654d19d98d6a36f54382f1992b09c3047465848c5a21

Analysis

max time kernel
44s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 13:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7c3caed1d850a40e77e2654d19d98d6a36f54382f1992b09c3047465848c5a21.exe
Size

233KB
MD5

0a267f63996352a88fe6bca877d36270
SHA1

944de8db25cba6506c360033f5dba41b4d3cd916
SHA256

7c3caed1d850a40e77e2654d19d98d6a36f54382f1992b09c3047465848c5a21
SHA512

92fb3eaefdf2e51ff585c5167cfd91c414942ab1f8184abaa270c4ef36395c79b9246a3acc792d8681d99389b0b64bbdd2617790c05ca06fae6e64371039a4cf
SSDEEP

6144:VSH4NMEb+s3T+HcWZOcT/IrqxXnlw/xfnj5htK:VSH9Eb+o/SVTaqJ4j5ho

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1328	jjruejn.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\jjruejn.exe	7c3caed1d850a40e77e2654d19d98d6a36f54382f1992b09c3047465848c5a21.exe
File created	C:\PROGRA~3\Mozilla\segfnra.dll	jjruejn.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1352	7c3caed1d850a40e77e2654d19d98d6a36f54382f1992b09c3047465848c5a21.exe
1328	jjruejn.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1324 wrote to memory of 1328	1324	taskeng.exe	27
PID 1324 wrote to memory of 1328	1324	taskeng.exe	27
PID 1324 wrote to memory of 1328	1324	taskeng.exe	27
PID 1324 wrote to memory of 1328	1324	taskeng.exe	27

C:\Users\Admin\AppData\Local\Temp\7c3caed1d850a40e77e2654d19d98d6a36f54382f1992b09c3047465848c5a21.exe
"C:\Users\Admin\AppData\Local\Temp\7c3caed1d850a40e77e2654d19d98d6a36f54382f1992b09c3047465848c5a21.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
PID:1352

C:\Windows\system32\taskeng.exe
taskeng.exe {CB1FA215-913C-4EDB-AF46-94EAA2E50D08} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1324
- C:\PROGRA~3\Mozilla\jjruejn.exe
  C:\PROGRA~3\Mozilla\jjruejn.exe -npivonl
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
  PID:1328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\jjruejn.exe

Filesize
233KB

MD5
3004b26c88643f5f3dc87c1ce175df6d

SHA1
d535a9c242ee30351d652994378de4c0f7751a18

SHA256
091834ce75430fbf64913910960c95c9dc8e9ecd3c0202955363bde20b2f31c5

SHA512
259c5ab8a354541b4acac7855377eda2cbde890157c0e5f6015d2b6e3853e95de0fca3de5c4f6ba237bc8d204b5b09dd216e3ac57842f378d784981888d878e6

Download Submit
C:\PROGRA~3\Mozilla\jjruejn.exe

Filesize
233KB

MD5
3004b26c88643f5f3dc87c1ce175df6d

SHA1
d535a9c242ee30351d652994378de4c0f7751a18

SHA256
091834ce75430fbf64913910960c95c9dc8e9ecd3c0202955363bde20b2f31c5

SHA512
259c5ab8a354541b4acac7855377eda2cbde890157c0e5f6015d2b6e3853e95de0fca3de5c4f6ba237bc8d204b5b09dd216e3ac57842f378d784981888d878e6

Download Submit
memory/1328-62-0x00000000008A0000-0x00000000008FB000-memory.dmp

Filesize
364KB

Download
memory/1328-63-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1328-64-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1352-54-0x0000000075B51000-0x0000000075B53000-memory.dmp

Filesize
8KB

Download
memory/1352-55-0x00000000002F0000-0x000000000034B000-memory.dmp

Filesize
364KB

Download
memory/1352-56-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1352-57-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download