d7e2ea70b932d0914c6dffebf580b7ef965d0c0305b95fafd57d71669375c71f

Analysis

max time kernel
119s
max time network
129s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16/03/2024, 00:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d7e2ea70b932d0914c6dffebf580b7ef965d0c0305b95fafd57d71669375c71f.exe
Size

153KB
MD5

bbda038417323fdf69c0d22a3945a612
SHA1

ecd721decf185db461f7f2aadf3897097b326c69
SHA256

d7e2ea70b932d0914c6dffebf580b7ef965d0c0305b95fafd57d71669375c71f
SHA512

bb896a8266d7b41b632dd08e50249b500a6294e012d06b9aa2b01bd361e0d3dc5731c7da6c88f1afd14b69ed021f1eb8b5308b29b24e2b2631afc3a9342bd6e3
SSDEEP

3072:ZHrEI6rvvMV0nE17B+TnFnW5/bi13lNvuCLeEPbUXHrJ61ej/:5wHMV0nE1l+LtuTS/aSUXLJZ

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Executes dropped EXE 1 IoCs

pid	Process
2636	ydvbdjf.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\ydvbdjf.exe	d7e2ea70b932d0914c6dffebf580b7ef965d0c0305b95fafd57d71669375c71f.exe
File created	C:\PROGRA~3\Mozilla\agmxqzf.dll	ydvbdjf.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2544 wrote to memory of 2636	2544	taskeng.exe	29
PID 2544 wrote to memory of 2636	2544	taskeng.exe	29
PID 2544 wrote to memory of 2636	2544	taskeng.exe	29
PID 2544 wrote to memory of 2636	2544	taskeng.exe	29

C:\Users\Admin\AppData\Local\Temp\d7e2ea70b932d0914c6dffebf580b7ef965d0c0305b95fafd57d71669375c71f.exe
"C:\Users\Admin\AppData\Local\Temp\d7e2ea70b932d0914c6dffebf580b7ef965d0c0305b95fafd57d71669375c71f.exe"
1⤵
- Drops file in Program Files directory
PID:2084

C:\Windows\system32\taskeng.exe
taskeng.exe {CA71AE65-574A-4FEE-AC3C-62727FFC8721} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2544
- C:\PROGRA~3\Mozilla\ydvbdjf.exe
  C:\PROGRA~3\Mozilla\ydvbdjf.exe -smqpfhe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\ydvbdjf.exe

Filesize
153KB

MD5
84482d6f5ae6a1d969c79e6735f2c8e8

SHA1
8f4a40213959ec826494f506fe8497eca9d11eec

SHA256
2393ba21b93af10647969ba679bd887962c5deae68f11d76e3f24db242550db6

SHA512
e796d24b2950619ee6e6ec462d5f706abe3f6d5aec00bcf0ac4b1818b8c67d70e5af2174db4ea0415689626d7d56332b4c9aac5d9edd9b517ddb1025ba62fccd

Download Submit
memory/2084-0-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2084-1-0x00000000003A0000-0x00000000003A2000-memory.dmp

Filesize
8KB

Download
memory/2084-2-0x0000000000430000-0x000000000048B000-memory.dmp

Filesize
364KB

Download
memory/2084-8-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2636-11-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2636-12-0x0000000000370000-0x00000000003CB000-memory.dmp

Filesize
364KB

Download
memory/2636-18-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download