21b11aafabeae101c2478cf98ca2da2859feaee76bc775479b5fb6a0ab11a167

Analysis

max time kernel
159s
max time network
131s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
04/11/2023, 10:23

Target

NEAS.35b06e4fb26d65a19768a3a424e4bbe0_JC.exe
Size

107KB
MD5

35b06e4fb26d65a19768a3a424e4bbe0
SHA1

dee4edcc6990b062b0275c38efcb848e2c97803a
SHA256

21b11aafabeae101c2478cf98ca2da2859feaee76bc775479b5fb6a0ab11a167
SHA512

d9e87c95b2a36e8313f9b4d92fa31deb5c7a810329db1af5e9393c14d375252f95f84df8a6638a7817d67366234f85c77f013a33eda861c9aa7e87a0b8141af9
SSDEEP

3072:i+Oa8AFGusZI5e+Mp+BC3K5eqU+BC3K5eqYro+x:NIAFG3IaDK70K7qx

Score

7^/10

Executes dropped EXE 1 IoCs

pid	Process
2108	zimfrwc.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\zimfrwc.exe	NEAS.35b06e4fb26d65a19768a3a424e4bbe0_JC.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1280	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2108	zimfrwc.exe
Token: SeDebugPrivilege	1280	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1280	Explorer.EXE

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2108	2112	taskeng.exe	28
PID 2112 wrote to memory of 2108	2112	taskeng.exe	28
PID 2112 wrote to memory of 2108	2112	taskeng.exe	28
PID 2112 wrote to memory of 2108	2112	taskeng.exe	28
PID 2108 wrote to memory of 1280	2108	zimfrwc.exe	7

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:1280
- C:\Users\Admin\AppData\Local\Temp\NEAS.35b06e4fb26d65a19768a3a424e4bbe0_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.35b06e4fb26d65a19768a3a424e4bbe0_JC.exe"
  2⤵
  - Drops file in Program Files directory
  PID:1672

C:\Windows\system32\taskeng.exe
taskeng.exe {B1963E01-2112-4589-AB4D-51590E5D4C5D} S-1-5-21-2084844033-2744876406-2053742436-1000:GGPVHMXR\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2112
- C:\PROGRA~3\Mozilla\zimfrwc.exe
  C:\PROGRA~3\Mozilla\zimfrwc.exe -gtjzibe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2108

C:\PROGRA~3\Mozilla\zimfrwc.exe

Filesize
107KB

MD5
fc01d5d66effb40521721339c0e4d1be

SHA1
291fe6fd293b429ca24e133aed70d8f3aa4eb001

SHA256
0533da164a80762e15c34e5b318bfabb53d32cb84073cd73aa0b772e76e693db

SHA512
270517d2dfcaf029f9cb8750e9494685b15786abce88fbe0c90c7d4611d4c175cd122eb3cece5e654a8e8dbe0885e14cbe26a955a9d6563609272c3aa9063b6d

Download Submit
C:\PROGRA~3\Mozilla\zimfrwc.exe

Filesize
107KB

MD5
fc01d5d66effb40521721339c0e4d1be

SHA1
291fe6fd293b429ca24e133aed70d8f3aa4eb001

SHA256
0533da164a80762e15c34e5b318bfabb53d32cb84073cd73aa0b772e76e693db

SHA512
270517d2dfcaf029f9cb8750e9494685b15786abce88fbe0c90c7d4611d4c175cd122eb3cece5e654a8e8dbe0885e14cbe26a955a9d6563609272c3aa9063b6d

Download Submit
memory/1280-3-0x0000000002A20000-0x0000000002A3C000-memory.dmp

Filesize
112KB

Download
memory/1280-5-0x0000000002A20000-0x0000000002A3C000-memory.dmp

Filesize
112KB

Download