49e932884330de25011ed074a980936abd8181e2daf3de40a3de171d1825341f

Analysis

max time kernel
118s
max time network
123s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
22/10/2023, 17:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.ccf77b21ac8b60c8ab71bfba2dc77cd0.exe
Size

112KB
MD5

ccf77b21ac8b60c8ab71bfba2dc77cd0
SHA1

af842cbec42c1399d973256f606faadc7f8c1772
SHA256

49e932884330de25011ed074a980936abd8181e2daf3de40a3de171d1825341f
SHA512

38aac6bcb141a93c592a3c47b591bc58040d2f8741064caa2b81402b2f43757ebcac8b1bb0d55e27fe0e72349f0be15e1222b3589e1c443e6f74288e97eeee4d
SSDEEP

3072:bigRqGiY/IA8wD5iZ4gKczBxGV6+UIXlaMA+uzlC1:yw/IFwDox+UGg5XzlC1

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Executes dropped EXE 1 IoCs

pid	Process
2604	adxhgfe.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\adxhgfe.exe	NEAS.ccf77b21ac8b60c8ab71bfba2dc77cd0.exe
File created	C:\PROGRA~3\Mozilla\torzssd.dll	adxhgfe.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 2604	1704	taskeng.exe	29
PID 1704 wrote to memory of 2604	1704	taskeng.exe	29
PID 1704 wrote to memory of 2604	1704	taskeng.exe	29
PID 1704 wrote to memory of 2604	1704	taskeng.exe	29

C:\Users\Admin\AppData\Local\Temp\NEAS.ccf77b21ac8b60c8ab71bfba2dc77cd0.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.ccf77b21ac8b60c8ab71bfba2dc77cd0.exe"
1⤵
- Drops file in Program Files directory
PID:2196

C:\Windows\system32\taskeng.exe
taskeng.exe {FBB36A8F-7521-40E7-9775-4F6648968352} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1704
- C:\PROGRA~3\Mozilla\adxhgfe.exe
  C:\PROGRA~3\Mozilla\adxhgfe.exe -iwcrppa
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\adxhgfe.exe

Filesize
112KB

MD5
6c86a14d223630971c6aa45d4dc210c3

SHA1
4e9723f6d8f581510244a0ac9aa6647a5b1cdf37

SHA256
95a1fc11d481120ce708f073356f6c93ecf895cb29546187a34e5da66f06aaa5

SHA512
20232117925dee891bd31cf94e7be06a696bbb7a1fae7c22a0bdba499b7bc4d10d4105f252580edaf5066e4b9ae7bb8b04c37fd369b4b551c4e8e6dc6ae130ad

Download Submit
C:\PROGRA~3\Mozilla\adxhgfe.exe

Filesize
112KB

MD5
6c86a14d223630971c6aa45d4dc210c3

SHA1
4e9723f6d8f581510244a0ac9aa6647a5b1cdf37

SHA256
95a1fc11d481120ce708f073356f6c93ecf895cb29546187a34e5da66f06aaa5

SHA512
20232117925dee891bd31cf94e7be06a696bbb7a1fae7c22a0bdba499b7bc4d10d4105f252580edaf5066e4b9ae7bb8b04c37fd369b4b551c4e8e6dc6ae130ad

Download Submit
memory/2196-0-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2196-1-0x0000000000230000-0x000000000028B000-memory.dmp

Filesize
364KB

Download
memory/2196-7-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2604-10-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2604-11-0x00000000002D0000-0x000000000032B000-memory.dmp

Filesize
364KB

Download
memory/2604-17-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download