47beaeb5d544eea52cb30481c02b0bf977123a3e1f0f13f61865149052158819

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
03-11-2023 11:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.e2b74def7e72aaeb995684d30cdb7e10.exe
Size

102KB
MD5

e2b74def7e72aaeb995684d30cdb7e10
SHA1

a2f2afa2c2a5f0278c104cf520fdac577ec1f470
SHA256

47beaeb5d544eea52cb30481c02b0bf977123a3e1f0f13f61865149052158819
SHA512

7fae989d3e507a31076beaf4cba89a2bcb8386df89671808335dc604bffc5bec8c5d338f829c6a8bd9b3a4017325d242369c1f1ba5fab9abd4a32f5eb637fe95
SSDEEP

3072:ZHXQcQlZg+6uQw4ruZv2RliS8DnSDxlCFLQKs:BjBrw4ruRElASDqLps

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Executes dropped EXE 1 IoCs

pid	Process
2324	ajahmjj.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\ajahmjj.exe	NEAS.e2b74def7e72aaeb995684d30cdb7e10.exe
File created	C:\PROGRA~3\Mozilla\ghzyxbm.dll	ajahmjj.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2800 wrote to memory of 2324	2800	taskeng.exe	31
PID 2800 wrote to memory of 2324	2800	taskeng.exe	31
PID 2800 wrote to memory of 2324	2800	taskeng.exe	31
PID 2800 wrote to memory of 2324	2800	taskeng.exe	31

C:\Users\Admin\AppData\Local\Temp\NEAS.e2b74def7e72aaeb995684d30cdb7e10.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.e2b74def7e72aaeb995684d30cdb7e10.exe"
1⤵
- Drops file in Program Files directory
PID:2256

C:\Windows\system32\taskeng.exe
taskeng.exe {80E40C3A-9C64-49E0-9284-40E21DC74458} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2800
- C:\PROGRA~3\Mozilla\ajahmjj.exe
  C:\PROGRA~3\Mozilla\ajahmjj.exe -mngyzad
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\ajahmjj.exe

Filesize
102KB

MD5
31adcb4649421944fa4e0cf9069d2f47

SHA1
c820ecf8dc9217e4484c483e5978ce08af1130dc

SHA256
a58fee7804a97ff6d6d772a1c010055c8e96d10bd464b548b700a7eca6e5380d

SHA512
ccc370795634df335439178f0d2ec5229df5587150ad0658a4ffc840fae95ceacc98da152876f45ab1254a8a9ac078643e360f3d871e23aeb3a87996cbed4229

Download Submit
C:\PROGRA~3\Mozilla\ajahmjj.exe

Filesize
102KB

MD5
31adcb4649421944fa4e0cf9069d2f47

SHA1
c820ecf8dc9217e4484c483e5978ce08af1130dc

SHA256
a58fee7804a97ff6d6d772a1c010055c8e96d10bd464b548b700a7eca6e5380d

SHA512
ccc370795634df335439178f0d2ec5229df5587150ad0658a4ffc840fae95ceacc98da152876f45ab1254a8a9ac078643e360f3d871e23aeb3a87996cbed4229

Download Submit
memory/2256-0-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2256-1-0x0000000000220000-0x000000000027B000-memory.dmp

Filesize
364KB

Download
memory/2256-7-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2324-14-0x00000000001B0000-0x000000000020B000-memory.dmp

Filesize
364KB

Download
memory/2324-20-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download