1cc39838f882b6c8928d629b1242f8c428b0e6de20365e6351b7aba2cbd768fd

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
11-03-2024 19:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1cc39838f882b6c8928d629b1242f8c428b0e6de20365e6351b7aba2cbd768fd.exe
Size

125KB
MD5

c6b20b9aade05a40b065898777b2b7ae
SHA1

e45ea2b91b9ca7999836c2392423fe6340bb7af2
SHA256

1cc39838f882b6c8928d629b1242f8c428b0e6de20365e6351b7aba2cbd768fd
SHA512

9964c2e9feba7a27c4e339e5beb99302a3a2ce9cca834107a29ff3afa15d076b9671fe77788fe5aaa03b603a444b250c295e076796d2dc0b413d9e89cd74b014
SSDEEP

1536:o1amlWVgnVvh71ZxPFyblsmpideum5CnoKuKiROHwCS5A3MIePWJXtgo5b81cY4G:8zlWyhDybme9CnzIOa5zIeuVbub/t

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Executes dropped EXE 1 IoCs

pid	Process
3068	wrvdfyg.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\wrvdfyg.exe	1cc39838f882b6c8928d629b1242f8c428b0e6de20365e6351b7aba2cbd768fd.exe
File created	C:\PROGRA~3\Mozilla\klztrnd.dll	wrvdfyg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 3068	2540	taskeng.exe	29
PID 2540 wrote to memory of 3068	2540	taskeng.exe	29
PID 2540 wrote to memory of 3068	2540	taskeng.exe	29
PID 2540 wrote to memory of 3068	2540	taskeng.exe	29

C:\Users\Admin\AppData\Local\Temp\1cc39838f882b6c8928d629b1242f8c428b0e6de20365e6351b7aba2cbd768fd.exe
"C:\Users\Admin\AppData\Local\Temp\1cc39838f882b6c8928d629b1242f8c428b0e6de20365e6351b7aba2cbd768fd.exe"
1⤵
- Drops file in Program Files directory
PID:2292

C:\Windows\system32\taskeng.exe
taskeng.exe {24B386F2-3E6E-4E8E-87E7-34DF06CDA0C0} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2540
- C:\PROGRA~3\Mozilla\wrvdfyg.exe
  C:\PROGRA~3\Mozilla\wrvdfyg.exe -hzyjzia
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:3068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\wrvdfyg.exe

Filesize
125KB

MD5
9b0844ae2079ceaaea111895151f57b9

SHA1
3d0f7540dafeeecf1de6c07d00ff8eeff366b881

SHA256
0c491f1a8bbc1979c311c2b96bb85047c23363e6ab2930957294a8badfff94b1

SHA512
c8a84cbd59f0d805c2e7e3f6bb7b18078161fe658e22186b3339b523f34addaf77b25df77290ae81b1fd8e93c1d8b085aecbf9d75de92fd212b9a30d1f367718

Download Submit
memory/2292-0-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2292-1-0x0000000000430000-0x000000000048B000-memory.dmp

Filesize
364KB

Download
memory/2292-7-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3068-10-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3068-11-0x00000000003A0000-0x00000000003FB000-memory.dmp

Filesize
364KB

Download
memory/3068-17-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download