4a9cde77d0a21a0d326569a8c73f0e08c9c1cfa75de1d7cd95f7b46f1e82a46c

Analysis

max time kernel
122s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
11-03-2024 21:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a9cde77d0a21a0d326569a8c73f0e08c9c1cfa75de1d7cd95f7b46f1e82a46c.exe
Size

229KB
MD5

ab11f3c9d8472a79eb407567b04ad1af
SHA1

1df7ee3354af6faca4837427b5da9584bd6c94ab
SHA256

4a9cde77d0a21a0d326569a8c73f0e08c9c1cfa75de1d7cd95f7b46f1e82a46c
SHA512

e950c14778859cc0d985ff06fe16060c7e8d6b0f1f5b6ca39c9a3487ce952a667d729dd32a6417a5392b9943e00ef3255ae362e1941902bc57b0f91d44b3e686
SSDEEP

3072:R4LLCgTsDAJJRjO6DMhtecMl+Vo0paULFZhh2D+0caj3kyRACXc:R4LLrJJn2Y+K8Rn9ozXc

Score

9^/10

persistence

Malware Config

Signatures

Detects executables built or packed with MPress PE compressor 2 IoCs

resource	yara_rule
behavioral1/memory/2460-0-0x0000000000400000-0x000000000045E000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x000c00000001315b-5.dat	INDICATOR_EXE_Packed_MPress

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Executes dropped EXE 1 IoCs

pid	Process
2524	racmzae.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\racmzae.exe	4a9cde77d0a21a0d326569a8c73f0e08c9c1cfa75de1d7cd95f7b46f1e82a46c.exe
File created	C:\PROGRA~3\Mozilla\ttbtowf.dll	racmzae.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2460	4a9cde77d0a21a0d326569a8c73f0e08c9c1cfa75de1d7cd95f7b46f1e82a46c.exe
2524	racmzae.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1900 wrote to memory of 2524	1900	taskeng.exe	29
PID 1900 wrote to memory of 2524	1900	taskeng.exe	29
PID 1900 wrote to memory of 2524	1900	taskeng.exe	29
PID 1900 wrote to memory of 2524	1900	taskeng.exe	29

C:\Users\Admin\AppData\Local\Temp\4a9cde77d0a21a0d326569a8c73f0e08c9c1cfa75de1d7cd95f7b46f1e82a46c.exe
"C:\Users\Admin\AppData\Local\Temp\4a9cde77d0a21a0d326569a8c73f0e08c9c1cfa75de1d7cd95f7b46f1e82a46c.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
PID:2460

C:\Windows\system32\taskeng.exe
taskeng.exe {83A03422-93CE-4946-A2C4-A5AF384EA10B} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1900
- C:\PROGRA~3\Mozilla\racmzae.exe
  C:\PROGRA~3\Mozilla\racmzae.exe -cddhnyc
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
  PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\racmzae.exe

Filesize
229KB

MD5
59fafcea83745250f9065a6c054a4742

SHA1
de53b02f15b11cef7e016b2579acdf16006dd05c

SHA256
9e2f04847e79d025f864fc399e3dfc772d2e6c79a23efc9fa684434ead0265e0

SHA512
22ec21386bdb3ca85e06a6fb620853768f792a3fa12d5012a215956f57c26504efaccc1e007628ed6c8188e3784f95ab273c1648af93b1cbd8f699e1b5d9f5a2

Download Submit
memory/2460-0-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2460-1-0x0000000000380000-0x00000000003DB000-memory.dmp

Filesize
364KB

Download
memory/2460-2-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2460-4-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2524-7-0x00000000008C0000-0x000000000091B000-memory.dmp

Filesize
364KB

Download
memory/2524-8-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2524-10-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download