be58c9ca46cbd4e7c25fa20a6c439d4c54feae1d16b080a61264569aa76ab612

Analysis

max time kernel
117s
max time network
120s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
03/11/2023, 00:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.3d40e68dd70f340105f284072375cb20_JC.exe
Size

197KB
MD5

3d40e68dd70f340105f284072375cb20
SHA1

a418a3691e691f457858df80d2e9b06e94c747cb
SHA256

be58c9ca46cbd4e7c25fa20a6c439d4c54feae1d16b080a61264569aa76ab612
SHA512

2e3403255cd6780ca6b9238299e6aa33e6e44493b714b61dce6b52b0392d5e77bde478f6160b896224d9dd7e1d9ef87e8869fe1e52a50b29d1345bc5b2a5a914
SSDEEP

3072:yhepkjr4O0cx158cZacNNc6eDmtH67gNdP/+nvfbYzHM5Et+ftE:yhepk34mL0+rJWvf0zHbtgE

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Executes dropped EXE 1 IoCs

pid	Process
2704	zimfrwc.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\zimfrwc.exe	NEAS.3d40e68dd70f340105f284072375cb20_JC.exe
File created	C:\PROGRA~3\Mozilla\pjqvbbf.dll	zimfrwc.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1372 wrote to memory of 2704	1372	taskeng.exe	31
PID 1372 wrote to memory of 2704	1372	taskeng.exe	31
PID 1372 wrote to memory of 2704	1372	taskeng.exe	31
PID 1372 wrote to memory of 2704	1372	taskeng.exe	31

C:\Users\Admin\AppData\Local\Temp\NEAS.3d40e68dd70f340105f284072375cb20_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.3d40e68dd70f340105f284072375cb20_JC.exe"
1⤵
- Drops file in Program Files directory
PID:1568

C:\Windows\system32\taskeng.exe
taskeng.exe {AEB5F8A3-F7C2-497A-AC74-AD73E0C0C5AF} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1372
- C:\PROGRA~3\Mozilla\zimfrwc.exe
  C:\PROGRA~3\Mozilla\zimfrwc.exe -gtjzibe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\zimfrwc.exe

Filesize
197KB

MD5
2ead6634eece1a3f22fb0d6043093803

SHA1
072ba263966bc8f06a8bc2a5a8d659487051a674

SHA256
5a02d4b350df7790a2945afdda2da86401fa62a91042b88b1ebef056e3164450

SHA512
88c088c5a398fd77190a617a5c552f05d295d779e79320840cb3afebc52f9ae731e3396d3e6e4aae68bdf1162baabb2829e4a6fe109fbb317b561c18b727f5af

Download Submit
C:\PROGRA~3\Mozilla\zimfrwc.exe

Filesize
197KB

MD5
2ead6634eece1a3f22fb0d6043093803

SHA1
072ba263966bc8f06a8bc2a5a8d659487051a674

SHA256
5a02d4b350df7790a2945afdda2da86401fa62a91042b88b1ebef056e3164450

SHA512
88c088c5a398fd77190a617a5c552f05d295d779e79320840cb3afebc52f9ae731e3396d3e6e4aae68bdf1162baabb2829e4a6fe109fbb317b561c18b727f5af

Download Submit
memory/1568-0-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1568-1-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1568-2-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1568-3-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1568-7-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/1568-11-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2704-15-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2704-20-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download