Analysis
Max time kernel: 159s
Max time network: 131s
Platform: windows7_x64
Resource: win7-20231020-en
Resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
Submitted: 04/11/2023, 10:23
Static task: static1
Behavioral task: behavioral1
  Sample: NEAS.35b06e4fb26d65a19768a3a424e4bbe0_JC.exe
  Resource: win7-20231020-en
Behavioral task: behavioral2
  Sample: NEAS.35b06e4fb26d65a19768a3a424e4bbe0_JC.exe
  Resource: win10v2004-20231020-en
General
Target: NEAS.35b06e4fb26d65a19768a3a424e4bbe0_JC.exe
Size: 107KB
MD5: 35b06e4fb26d65a19768a3a424e4bbe0
SHA1: dee4edcc6990b062b0275c38efcb848e2c97803a
SHA256: 21b11aafabeae101c2478cf98ca2da2859feaee76bc775479b5fb6a0ab11a167
SHA512: d9e87c95b2a36e8313f9b4d92fa31deb5c7a810329db1af5e9393c14d375252f95f84df8a6638a7817d67366234f85c77f013a33eda861c9aa7e87a0b8141af9
SSDEEP: 3072:i+Oa8AFGusZI5e+Mp+BC3K5eqU+BC3K5eqYro+x:NIAFG3IaDK70K7qx
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid / Process: 2108 zimfrwc.exe
- Drops file in Program Files directory (1 IoC)
  description: File created; ioc: C:\PROGRA~3\Mozilla\zimfrwc.exe; Process: NEAS.35b06e4fb26d65a19768a3a424e4bbe0_JC.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid / Process: 2108 zimfrwc.exe; 1280 Explorer.EXE (the remaining 63 entries are all 1280 Explorer.EXE)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid / Process: 1280 Explorer.EXE
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description: Token: SeDebugPrivilege; pid / Process: 2108 zimfrwc.exe
  description: Token: SeDebugPrivilege; pid / Process: 1280 Explorer.EXE
- Suspicious use of UnmapMainImage (1 IoC)
  pid / Process: 1280 Explorer.EXE
- Suspicious use of WriteProcessMemory (5 IoCs)
  description: PID 2112 wrote to memory of 2108; pid / Process: 2112 taskeng.exe; procid_target: 28 (4 identical entries)
  description: PID 2108 wrote to memory of 1280; pid / Process: 2108 zimfrwc.exe; procid_target: 7
Processes
C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of UnmapMainImage
  PID: 1280
  C:\Users\Admin\AppData\Local\Temp\NEAS.35b06e4fb26d65a19768a3a424e4bbe0_JC.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.35b06e4fb26d65a19768a3a424e4bbe0_JC.exe"
    - Drops file in Program Files directory
    PID: 1672
C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {B1963E01-2112-4589-AB4D-51590E5D4C5D} S-1-5-21-2084844033-2744876406-2053742436-1000:GGPVHMXR\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  PID: 2112
  C:\PROGRA~3\Mozilla\zimfrwc.exe
    Command line: C:\PROGRA~3\Mozilla\zimfrwc.exe -gtjzibe
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2108
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 107KB
MD5: fc01d5d66effb40521721339c0e4d1be
SHA1: 291fe6fd293b429ca24e133aed70d8f3aa4eb001
SHA256: 0533da164a80762e15c34e5b318bfabb53d32cb84073cd73aa0b772e76e693db
SHA512: 270517d2dfcaf029f9cb8750e9494685b15786abce88fbe0c90c7d4611d4c175cd122eb3cece5e654a8e8dbe0885e14cbe26a955a9d6563609272c3aa9063b6d