4743379d71616bcb671416d64ced8ea1c9779f2d76c6f73d8a2a0082ced894a3

Analysis

max time kernel
45s
max time network
30s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
25/05/2023, 04:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4743379d71616bcb671416d64ced8ea1c9779f2d76c6f73d8a2a0082ced894a3.exe
Size

7.1MB
MD5

eaee7a5d73cab217533f3c9b7f7658a4
SHA1

e1960e10c06374bd81f7d5512d66b9aecff6eb47
SHA256

4743379d71616bcb671416d64ced8ea1c9779f2d76c6f73d8a2a0082ced894a3
SHA512

d483f91f80359d74bbd3961a8161b083d1e37a954d28c4a02529b711f5c45c8119697a237d056bc11f2c0bdd66cc8042735212c35df685284e79e01abe4a685c
SSDEEP

98304:q1w7BkKSmIysFQ1zGogIm+8+2IpZeH9wLbZy:q18kKSmVsCN16l1i0Ong

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
908	Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38Microsoft-QMU3.3.4.4.exe

Loads dropped DLL 1 IoCs

pid	Process
1472	4743379d71616bcb671416d64ced8ea1c9779f2d76c6f73d8a2a0082ced894a3.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run	4743379d71616bcb671416d64ced8ea1c9779f2d76c6f73d8a2a0082ced894a3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows\CurrentVersion\Run\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38Microsoft-QMU3.3.4.4 = "C:\\ProgramData\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38Microsoft-QMU3.3.4.4\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38Microsoft-QMU3.3.4.4.exe"	4743379d71616bcb671416d64ced8ea1c9779f2d76c6f73d8a2a0082ced894a3.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1472 wrote to memory of 908	1472	4743379d71616bcb671416d64ced8ea1c9779f2d76c6f73d8a2a0082ced894a3.exe	28
PID 1472 wrote to memory of 908	1472	4743379d71616bcb671416d64ced8ea1c9779f2d76c6f73d8a2a0082ced894a3.exe	28
PID 1472 wrote to memory of 908	1472	4743379d71616bcb671416d64ced8ea1c9779f2d76c6f73d8a2a0082ced894a3.exe	28

C:\Users\Admin\AppData\Local\Temp\4743379d71616bcb671416d64ced8ea1c9779f2d76c6f73d8a2a0082ced894a3.exe
"C:\Users\Admin\AppData\Local\Temp\4743379d71616bcb671416d64ced8ea1c9779f2d76c6f73d8a2a0082ced894a3.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1472
- C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38Microsoft-QMU3.3.4.4\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38Microsoft-QMU3.3.4.4.exe
  C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38Microsoft-QMU3.3.4.4\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38Microsoft-QMU3.3.4.4.exe
  2⤵
  - Executes dropped EXE
  PID:908

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38Microsoft-QMU3.3.4.4\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38Microsoft-QMU3.3.4.4.exe

Filesize
757.1MB

MD5
c4bcf29b441e736e9e01104e9092359b

SHA1
4864601d944c8092fa6e88697feefe27eab93698

SHA256
bf764222a738e6b8aa5d6fb8057f89ddd2afb0fa919c47e36bc257bf9414d260

SHA512
dc9710ee4a2a4d4597bcc979d7b1e4a94caba0cad2ab9b5e37be4814e4f3ba2c24a3f31536f4d2cad7d4a509e92a47da56068c5d8716685031f35bfc522aa072

Download Submit
\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38Microsoft-QMU3.3.4.4\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38Microsoft-QMU3.3.4.4.exe

Filesize
757.1MB

MD5
c4bcf29b441e736e9e01104e9092359b

SHA1
4864601d944c8092fa6e88697feefe27eab93698

SHA256
bf764222a738e6b8aa5d6fb8057f89ddd2afb0fa919c47e36bc257bf9414d260

SHA512
dc9710ee4a2a4d4597bcc979d7b1e4a94caba0cad2ab9b5e37be4814e4f3ba2c24a3f31536f4d2cad7d4a509e92a47da56068c5d8716685031f35bfc522aa072

Download Submit
memory/908-59-0x000000013F450000-0x000000013FB6A000-memory.dmp

Filesize
7.1MB

Download
memory/1472-54-0x000000013F260000-0x000000013F97A000-memory.dmp

Filesize
7.1MB

Download