154415960cc11af75f58e48dd3263d4a31e0ceb3033a32a410c6902def359174

Resubmissions

07/03/2024, 17:52

240307-wf55sshd44 3

07/03/2024, 17:49

240307-wec3maab9x 8

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
07/03/2024, 17:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

154415960cc11af75f58e48dd3263d4a31e0ceb3033a32a410c6902def359174.exe
Size

137KB
MD5

2627c2d3ca0a62ea13f3351e6c15c0b3
SHA1

cfb41b9e4274fb7a1ebaa49ade3d38ceacedc246
SHA256

154415960cc11af75f58e48dd3263d4a31e0ceb3033a32a410c6902def359174
SHA512

a0660a8d99bdf89ea5eba8b6b0764a85741eb61d21227e9fbfd0421ae1d2868d30b0a9bcd69510a9e4920a86d0978fb6117838d3ac9d3dba0d0f3fbc1888f70f
SSDEEP

3072:0c3EU6VeJj5Mw4lhAFDp2HiJ+cV6J060VU/t6S8lae4bB1wT:f3pjixWJoCUcAJl0e/t690XbB1wT

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Executes dropped EXE 1 IoCs

pid	Process
2612	gjsfhjk.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\gjsfhjk.exe	154415960cc11af75f58e48dd3263d4a31e0ceb3033a32a410c6902def359174.exe
File created	C:\PROGRA~3\Mozilla\eurgebe.dll	gjsfhjk.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 2612	3060	taskeng.exe	29
PID 3060 wrote to memory of 2612	3060	taskeng.exe	29
PID 3060 wrote to memory of 2612	3060	taskeng.exe	29
PID 3060 wrote to memory of 2612	3060	taskeng.exe	29

C:\Users\Admin\AppData\Local\Temp\154415960cc11af75f58e48dd3263d4a31e0ceb3033a32a410c6902def359174.exe
"C:\Users\Admin\AppData\Local\Temp\154415960cc11af75f58e48dd3263d4a31e0ceb3033a32a410c6902def359174.exe"
1⤵
- Drops file in Program Files directory
PID:2328

C:\Windows\system32\taskeng.exe
taskeng.exe {0E7A5E31-500E-48F6-97E4-0F579353D8F5} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:3060
- C:\PROGRA~3\Mozilla\gjsfhjk.exe
  C:\PROGRA~3\Mozilla\gjsfhjk.exe -tuxiydl
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\gjsfhjk.exe

Filesize
137KB

MD5
c4f415b6e53464f5de880f672407979f

SHA1
4253c85fc8771c8542d0135bfd98ddb96125ffa2

SHA256
cb618b591adbd31d1ccac1c2c57005fca6f9a33379d965ca5c57229ecbef8dec

SHA512
f340ed175d3604442a2b4a3e15ab342d5035c99a0e9985613c1ade458c86252b3a4ecb0782fa16a324b3309ba4f6e9f77b00ee58baffec6584704e8b971d43ed

Download Submit
memory/2328-0-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2328-2-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2328-4-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2328-7-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2612-15-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download