eda495d096971b562078861b5b98f1f95332a511b8778043094d19f7f9d1650c

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
15/03/2024, 00:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eda495d096971b562078861b5b98f1f95332a511b8778043094d19f7f9d1650c.exe
Size

213KB
MD5

1ccd4beb48b42c3f1851ce1bfacb4aed
SHA1

797373cf4efe06b8e0ffeabdebfdaaa597657bba
SHA256

eda495d096971b562078861b5b98f1f95332a511b8778043094d19f7f9d1650c
SHA512

dfebbec920e3932356ad0ca87cfc4c67a0cfa155995a54cb47a3d02cb26fd30af07d76419b0ecac6cce45b2fa57b6c0215df4068bb59a8940b4f29917cc2d8bd
SSDEEP

6144:p44b7czAEYdlyp6rswaDqKgL08qvFsRca:m4fiQdlnoxgYlvyd

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Executes dropped EXE 1 IoCs

pid	Process
2560	mgbxiii.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\mgbxiii.exe	eda495d096971b562078861b5b98f1f95332a511b8778043094d19f7f9d1650c.exe
File created	C:\PROGRA~3\Mozilla\iudaoda.dll	mgbxiii.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
936	eda495d096971b562078861b5b98f1f95332a511b8778043094d19f7f9d1650c.exe
2560	mgbxiii.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2968 wrote to memory of 2560	2968	taskeng.exe	29
PID 2968 wrote to memory of 2560	2968	taskeng.exe	29
PID 2968 wrote to memory of 2560	2968	taskeng.exe	29
PID 2968 wrote to memory of 2560	2968	taskeng.exe	29

C:\Users\Admin\AppData\Local\Temp\eda495d096971b562078861b5b98f1f95332a511b8778043094d19f7f9d1650c.exe
"C:\Users\Admin\AppData\Local\Temp\eda495d096971b562078861b5b98f1f95332a511b8778043094d19f7f9d1650c.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
PID:936

C:\Windows\system32\taskeng.exe
taskeng.exe {14E70A27-0AB0-4A21-B386-1E0E8514124B} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2968
- C:\PROGRA~3\Mozilla\mgbxiii.exe
  C:\PROGRA~3\Mozilla\mgbxiii.exe -ccvrhxi
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
  PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\mgbxiii.exe

Filesize
213KB

MD5
ee39aee381569f4214d0cc75d52b8bf8

SHA1
d9521ef479fec3983954462a043ec7606e996a43

SHA256
062b3369917f98f608e24a6847ea92535271c51c207cf979baca04595c66b631

SHA512
634fba7d9dacf66d69d1e93ee3e474a6b900a47f660996897ea2dda5e28cf09127c169bc5aaadda691152193ebc4ae8cb30d65949073b738d5546802db4dc62f

Download Submit
memory/936-0-0x00000000002F0000-0x000000000034B000-memory.dmp

Filesize
364KB

Download
memory/936-1-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/936-3-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/936-4-0x00000000002F0000-0x000000000034B000-memory.dmp

Filesize
364KB

Download
memory/2560-8-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2560-7-0x0000000000460000-0x00000000004BB000-memory.dmp

Filesize
364KB

Download
memory/2560-11-0x0000000000460000-0x00000000004BB000-memory.dmp

Filesize
364KB

Download
memory/2560-10-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download