806b8555b7c1c0eb27035a59a27ec56a3510a2911255788b0af60fd85949658d

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
14/01/2024, 03:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a1beb459414fce28ae4b67deefc0845.exe
Size

154KB
MD5

5a1beb459414fce28ae4b67deefc0845
SHA1

18b49d86b0f444f173565240a60da23551369cfe
SHA256

806b8555b7c1c0eb27035a59a27ec56a3510a2911255788b0af60fd85949658d
SHA512

c2c5fde7a8af2481a5628c85643f6cb611c2debc1845557386efbc94505b2f2fd72a368d7a229702d2df8fe49a4400b506829d14370e5586e84786649f4941be
SSDEEP

3072:CMftVuhLu/Y34erRH86rPYFAM5vTK3clMdisNDtI1rW:WGY3JdPrBIOiWDKrW

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Executes dropped EXE 1 IoCs

pid	Process
2672	fbgbeyh.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\bflpuaf.dll	fbgbeyh.exe
File created	C:\PROGRA~3\Mozilla\fbgbeyh.exe	5a1beb459414fce28ae4b67deefc0845.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 2672	2400	taskeng.exe	30
PID 2400 wrote to memory of 2672	2400	taskeng.exe	30
PID 2400 wrote to memory of 2672	2400	taskeng.exe	30
PID 2400 wrote to memory of 2672	2400	taskeng.exe	30

C:\Users\Admin\AppData\Local\Temp\5a1beb459414fce28ae4b67deefc0845.exe
"C:\Users\Admin\AppData\Local\Temp\5a1beb459414fce28ae4b67deefc0845.exe"
1⤵
- Drops file in Program Files directory
PID:3064

C:\Windows\system32\taskeng.exe
taskeng.exe {42EC9987-B90B-4D87-9FB6-E495188E9E2C} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2400
- C:\PROGRA~3\Mozilla\fbgbeyh.exe
  C:\PROGRA~3\Mozilla\fbgbeyh.exe -srvmkhi
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\fbgbeyh.exe

Filesize
154KB

MD5
bfda0e158e7fe9043b394efefd94139c

SHA1
591d655f55e1771d410aa2632ad196fb149470c5

SHA256
1cf67a062c3143d2cf78d99bb63e163b410877fef3e6e5e7a58fd92c3bebf4ac

SHA512
7e54edbfda639878b6bc761fdee73315eb7d2453ff9cf41bea590a97ea0be72172488f56f3adb6663720cd6d302f392b94114da6ad139d913ed650f7e2f36774

Download Submit
memory/2672-10-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2672-11-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2672-16-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3064-0-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3064-2-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3064-1-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/3064-3-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/3064-7-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download