e468197214441e1317b7f792064ebea12a0b7dafea145c827a4565ee0aa7b4a7

Analysis

max time kernel
119s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05/04/2024, 01:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e468197214441e1317b7f792064ebea12a0b7dafea145c827a4565ee0aa7b4a7.exe
Size

150KB
MD5

18cb91f5673a191fe542cdfd294db83f
SHA1

851a6b9b682c64da979ab9cbdcc287e900298d73
SHA256

e468197214441e1317b7f792064ebea12a0b7dafea145c827a4565ee0aa7b4a7
SHA512

1e5120cc499509f743a8f195f8cbb55857c26dc17321103be16e9b1bed53d594851ae15d08f709ecd8061feeefff1cabd2b9d54a45d06ff7a91f1d0556868d4e
SSDEEP

3072:h/BH9p/3K+AEkzgXrGqJM4qd3bGjhkqsXbK:hR9pTAEkz6rGq4Bbq22

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Executes dropped EXE 1 IoCs

pid	Process
2412	mgbxiii.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\mgbxiii.exe	e468197214441e1317b7f792064ebea12a0b7dafea145c827a4565ee0aa7b4a7.exe
File created	C:\PROGRA~3\Mozilla\iudaoda.dll	mgbxiii.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 2412	2700	taskeng.exe	28
PID 2700 wrote to memory of 2412	2700	taskeng.exe	28
PID 2700 wrote to memory of 2412	2700	taskeng.exe	28
PID 2700 wrote to memory of 2412	2700	taskeng.exe	28

C:\Users\Admin\AppData\Local\Temp\e468197214441e1317b7f792064ebea12a0b7dafea145c827a4565ee0aa7b4a7.exe
"C:\Users\Admin\AppData\Local\Temp\e468197214441e1317b7f792064ebea12a0b7dafea145c827a4565ee0aa7b4a7.exe"
1⤵
- Drops file in Program Files directory
PID:2496

C:\Windows\system32\taskeng.exe
taskeng.exe {AF37EC18-8E47-459A-852C-8F63E17C9B9D} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2700
- C:\PROGRA~3\Mozilla\mgbxiii.exe
  C:\PROGRA~3\Mozilla\mgbxiii.exe -ccvrhxi
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\mgbxiii.exe

Filesize
150KB

MD5
d790a74fe188376caf01c859366850b9

SHA1
b7beb185d21c70c34e696af400f945cfe9e01f77

SHA256
517363e0f8a4b09162d2081d154f8d606df8c156da6c27db6b437b29dc51516d

SHA512
12e43137e54b64f628c4da2206c87dec4ed8b8c34f57211b4735935a3876c863a44a5ac3d6e4f78e9bdbd5e3b44698efb711a81ba71283aaf6279ac2898f4f2e

Download Submit
memory/2412-10-0x0000000000870000-0x00000000008CB000-memory.dmp

Filesize
364KB

Download
memory/2412-16-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2496-0-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/2496-1-0x0000000000220000-0x000000000027B000-memory.dmp

Filesize
364KB

Download
memory/2496-7-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download