a2b1bfb706aade1fffebf28e92c64df930bfe6b94aecdab1a7c84b133e00b929

Analysis

max time kernel
117s
max time network
120s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
15/10/2023, 19:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d2dfd5eb8b88cda513321c4c9bced760_exe32.exe
Size

175KB
MD5

d2dfd5eb8b88cda513321c4c9bced760
SHA1

6b6f648ec24304facd1e84444c32213f99286d01
SHA256

a2b1bfb706aade1fffebf28e92c64df930bfe6b94aecdab1a7c84b133e00b929
SHA512

520f941861d91e8686d425cae5e12f449c6270ea8eb440bc1b1f857edb8d61d49e639496f0d4d57cd36b48865417cab3ab9501599f7928b07c39a05b649bb32e
SSDEEP

3072:mMPrK9vxnULAK202Gd8pqzX2cZVoL8XJsU4z6Z7kYeKBXAJRxddkd4:zP295nKJNGYok4YXeoXkRxka

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Executes dropped EXE 1 IoCs

pid	Process
1708	eskchkd.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\eskchkd.exe	d2dfd5eb8b88cda513321c4c9bced760_exe32.exe
File created	C:\PROGRA~3\Mozilla\iaxspia.dll	eskchkd.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 1708	2160	taskeng.exe	29
PID 2160 wrote to memory of 1708	2160	taskeng.exe	29
PID 2160 wrote to memory of 1708	2160	taskeng.exe	29
PID 2160 wrote to memory of 1708	2160	taskeng.exe	29

C:\Users\Admin\AppData\Local\Temp\d2dfd5eb8b88cda513321c4c9bced760_exe32.exe
"C:\Users\Admin\AppData\Local\Temp\d2dfd5eb8b88cda513321c4c9bced760_exe32.exe"
1⤵
- Drops file in Program Files directory
PID:2420

C:\Windows\system32\taskeng.exe
taskeng.exe {AD0160C5-FA7B-4CCD-8E49-9B94D1834594} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2160
- C:\PROGRA~3\Mozilla\eskchkd.exe
  C:\PROGRA~3\Mozilla\eskchkd.exe -srskkzl
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\eskchkd.exe

Filesize
175KB

MD5
c0040b36e4318278fbbaf36bf4b1021c

SHA1
d01a9cb836adc2a22c3bd0246d0c8fe73b0f39b9

SHA256
8c0df879374d530ece7882effde8623ba2d131f75680f2adae31b712136b95c8

SHA512
3eb4963e2629e472c9776fe9a3a933476d57077f69c3c305d204d6494785940c08b6a51e1b8eaa525eadec7d48a84a30bc9c8b00a347ba077ef032a7e5632e47

Download Submit
C:\PROGRA~3\Mozilla\eskchkd.exe

Filesize
175KB

MD5
c0040b36e4318278fbbaf36bf4b1021c

SHA1
d01a9cb836adc2a22c3bd0246d0c8fe73b0f39b9

SHA256
8c0df879374d530ece7882effde8623ba2d131f75680f2adae31b712136b95c8

SHA512
3eb4963e2629e472c9776fe9a3a933476d57077f69c3c305d204d6494785940c08b6a51e1b8eaa525eadec7d48a84a30bc9c8b00a347ba077ef032a7e5632e47

Download Submit
memory/1708-10-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1708-11-0x0000000000260000-0x00000000002BB000-memory.dmp

Filesize
364KB

Download
memory/2420-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2420-1-0x0000000000320000-0x000000000037B000-memory.dmp

Filesize
364KB

Download
memory/2420-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download