c9e4c500199fcf2dd0fe7b9a282efc00c675f0404fa0156a475e7527f15e1e69

Analysis

max time kernel
151s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02/02/2023, 13:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a53227f8f605a9c35844b3850b010c08116c042b.exe
Size

19KB
MD5

2cdc3c87432058f55ce8bfae8c2029b1
SHA1

a53227f8f605a9c35844b3850b010c08116c042b
SHA256

c9e4c500199fcf2dd0fe7b9a282efc00c675f0404fa0156a475e7527f15e1e69
SHA512

2ef9cde5073a96e4a8fa677e31176fd25e889c511d41b9f29bcbdc02d0e569e7e6d6329ff24c7413f7df5b1db6233a9931bb9e45ecc84d223d1769e9fe843847
SSDEEP

384:/5T8elDXgIkAtb886QgJ9/vwRDcV1e+rgbKnR+Cg7v+S6UQkpBE+n:hT8eNPtmnZJxvIOVrgsQmOBE+n

Score

7^/10

persistence

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
836	a53227f8f605a9c35844b3850b010c08116c042b.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RUN\fmsjhif = "C:\\Windows\\fmsjhif.exe"	a53227f8f605a9c35844b3850b010c08116c042b.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\fmsjhif.dll	a53227f8f605a9c35844b3850b010c08116c042b.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\fmsjhif.exe	a53227f8f605a9c35844b3850b010c08116c042b.exe
File created	C:\Windows\fmsjhif.exe	a53227f8f605a9c35844b3850b010c08116c042b.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
836	a53227f8f605a9c35844b3850b010c08116c042b.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
836	a53227f8f605a9c35844b3850b010c08116c042b.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 836 wrote to memory of 1220	836	a53227f8f605a9c35844b3850b010c08116c042b.exe	14
PID 836 wrote to memory of 1220	836	a53227f8f605a9c35844b3850b010c08116c042b.exe	14

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1220
- C:\Users\Admin\AppData\Local\Temp\a53227f8f605a9c35844b3850b010c08116c042b.exe
  "C:\Users\Admin\AppData\Local\Temp\a53227f8f605a9c35844b3850b010c08116c042b.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:836

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\fmsjhif.dll

Filesize
29KB

MD5
1b2600cfd4ffafb464d3ed1b4aad590d

SHA1
301a3ab3fb777bf14975689b13ea138370077988

SHA256
1a73743acaf84c2b3906808885ece0c674c8440291d8f9613262e9a40ebb5d3d

SHA512
f449b6b5ca69fd8f0ab775d9940e4f4acd1920bc55e3a07f5f8f19842047520fd4fbc3d7aadc01e1ccbe1bd5085b9c632c25fde679bb3f50ee17a33487654bc5

Download Submit