0c30b2526424377599435b172f39a3278bdc91a38f07c38fb39c31d82ada8a68

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
13/03/2024, 17:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c30b2526424377599435b172f39a3278bdc91a38f07c38fb39c31d82ada8a68.exe
Size

183KB
MD5

2935f5ded0da7b053f994bec9fb6875c
SHA1

cb987c012ee47cff80111b132bd0fc0c031841b5
SHA256

0c30b2526424377599435b172f39a3278bdc91a38f07c38fb39c31d82ada8a68
SHA512

f5a0249b41c23551eb48e93425892af2b5fa7eeb481e5652055ec3b686638d191afcd76e7df80b7f44d3a54409401f22ace6c60389285c94da0e31fbe46d80ca
SSDEEP

3072:6wxPlpDVfFQI2+o/lHBo7QemfNAqpMBmIyp/mLevqbpiTR:LxtaIQ6vgjVl

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Executes dropped EXE 1 IoCs

pid	Process
2228	wrvdfyg.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\wrvdfyg.exe	0c30b2526424377599435b172f39a3278bdc91a38f07c38fb39c31d82ada8a68.exe
File created	C:\PROGRA~3\Mozilla\klztrnd.dll	wrvdfyg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2472 wrote to memory of 2228	2472	taskeng.exe	29
PID 2472 wrote to memory of 2228	2472	taskeng.exe	29
PID 2472 wrote to memory of 2228	2472	taskeng.exe	29
PID 2472 wrote to memory of 2228	2472	taskeng.exe	29

C:\Users\Admin\AppData\Local\Temp\0c30b2526424377599435b172f39a3278bdc91a38f07c38fb39c31d82ada8a68.exe
"C:\Users\Admin\AppData\Local\Temp\0c30b2526424377599435b172f39a3278bdc91a38f07c38fb39c31d82ada8a68.exe"
1⤵
- Drops file in Program Files directory
PID:1620

C:\Windows\system32\taskeng.exe
taskeng.exe {92A0871B-52F0-4E13-8B08-708435AE30BA} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2472
- C:\PROGRA~3\Mozilla\wrvdfyg.exe
  C:\PROGRA~3\Mozilla\wrvdfyg.exe -hzyjzia
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\wrvdfyg.exe

Filesize
183KB

MD5
ca1d5c84e6626cd0f3d7ae5c973c8169

SHA1
a5088f9c8033e145a758df129073e8697f1a9f80

SHA256
37c43dab19168260cc123884e02a965c19fdeea3215ac557128bc4c73e698718

SHA512
5cc562593feed5f830238eb9149c0811c04666b415fea1cd97a8462051aca865e1036b50eb4a0ada0829c72ee270163a4b59e2d266e50bf1a69699577d870909

Download Submit
memory/1620-0-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1620-1-0x0000000000440000-0x000000000049B000-memory.dmp

Filesize
364KB

Download
memory/1620-7-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2228-10-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2228-17-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download