Analysis
- max time kernel: 118s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 06-03-2024 18:37
Static task: static1
Behavioral task: behavioral1
- Sample: 2ddaaf5fad0dd05ce2e7fa24f22c4ec92659253de3db2a3c0abda2d8a21912a8.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 2ddaaf5fad0dd05ce2e7fa24f22c4ec92659253de3db2a3c0abda2d8a21912a8.exe
- Resource: win10v2004-20240226-en
General
- Target: 2ddaaf5fad0dd05ce2e7fa24f22c4ec92659253de3db2a3c0abda2d8a21912a8.exe
- Size: 213KB
- MD5: 019b1c16d2d9003f04c2d7efa9917059
- SHA1: dda80eda77dd345219bab319d4766602f9335699
- SHA256: 2ddaaf5fad0dd05ce2e7fa24f22c4ec92659253de3db2a3c0abda2d8a21912a8
- SHA512: e393e0f7d3a26a1013b873d41193e27b06e85565e6a8d613da854ab56dfb41df63eefa2e85c61fd933f7702728169e1f6650ec92c0ad2332dfc8c7f78780a247
- SSDEEP: 6144:p44b7czAEYdlyp6rswaDqKgL08qvFsRc2:m4fiQdlnoxgYlvy1
Malware Config
Signatures
- Modifies AppInit DLL entries (2 TTPs)
- Executes dropped EXE (1 IoC)
  pid  | Process
  3008 | pfwoyhh.exe
- Drops file in Program Files directory (2 IoCs)
  description  | ioc                             | Process
  File created | C:\PROGRA~3\Mozilla\pfwoyhh.exe | 2ddaaf5fad0dd05ce2e7fa24f22c4ec92659253de3db2a3c0abda2d8a21912a8.exe
  File created | C:\PROGRA~3\Mozilla\bjvdwgg.dll | pfwoyhh.exe
- Suspicious use of UnmapMainImage (2 IoCs)
  pid  | Process
  2100 | 2ddaaf5fad0dd05ce2e7fa24f22c4ec92659253de3db2a3c0abda2d8a21912a8.exe
  3008 | pfwoyhh.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description                      | pid  | Process     | procid_target
  PID 2464 wrote to memory of 3008 | 2464 | taskeng.exe | 29
  PID 2464 wrote to memory of 3008 | 2464 | taskeng.exe | 29
  PID 2464 wrote to memory of 3008 | 2464 | taskeng.exe | 29
  PID 2464 wrote to memory of 3008 | 2464 | taskeng.exe | 29
Processes
- C:\Users\Admin\AppData\Local\Temp\2ddaaf5fad0dd05ce2e7fa24f22c4ec92659253de3db2a3c0abda2d8a21912a8.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2ddaaf5fad0dd05ce2e7fa24f22c4ec92659253de3db2a3c0abda2d8a21912a8.exe"
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
  PID: 2100
- C:\Windows\system32\taskeng.exe (depth 1)
  Command line: taskeng.exe {66B7BB6E-E411-46AD-8C5C-878FC2BF6C06} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  PID: 2464
  - C:\PROGRA~3\Mozilla\pfwoyhh.exe (depth 2, child of PID 2464)
    Command line: C:\PROGRA~3\Mozilla\pfwoyhh.exe -zhxzcvh
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of UnmapMainImage
    PID: 3008
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 213KB
- MD5: e1e2a902b601be238397b490244a6908
- SHA1: ec18f7a5eda7e5654b52bb2dd63adc70e2fde314
- SHA256: b4ba5f7c30a47200bbadc1a79165c87a6b5bc9395a1b170111a19aca0c4715a2
- SHA512: ec0cd48e1131fa9df74994dee66033ebf3ed2395b76bd7825d7ee12d9f50dd1c2b07cf779e9f1db558dc0fae855b525c9ad228de7a17deec3392a80841361e73