249160cc11f007a7c490853f9ec181285f9edd65e4b58ac442fd3100cf8711e6

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
08/04/2024, 19:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

249160cc11f007a7c490853f9ec181285f9edd65e4b58ac442fd3100cf8711e6.exe
Size

312KB
MD5

d108f9619486aafdbc1bb14c858f4eb0
SHA1

be124d06d484c3cbc84d1ee2d74a0c4996490197
SHA256

249160cc11f007a7c490853f9ec181285f9edd65e4b58ac442fd3100cf8711e6
SHA512

134943d3d798ffc050ac602e331daca1fe2a43987b22fc73ec3238311692f0e1838f17875fa9b918e2cbb99aee279d81366e35e62f765fb21829e32d38cd0ed6
SSDEEP

6144:YGOXfUdRT6mCo4Em3d1k91UmaFycSbGqJWs6eQ/gY:YGOSRT6mChEm3dOXURtS96H/gY

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Executes dropped EXE 1 IoCs

pid	Process
3036	racmzae.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\racmzae.exe	249160cc11f007a7c490853f9ec181285f9edd65e4b58ac442fd3100cf8711e6.exe
File created	C:\PROGRA~3\Mozilla\ttbtowf.dll	racmzae.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1732	249160cc11f007a7c490853f9ec181285f9edd65e4b58ac442fd3100cf8711e6.exe
3036	racmzae.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 3036	1980	taskeng.exe	29
PID 1980 wrote to memory of 3036	1980	taskeng.exe	29
PID 1980 wrote to memory of 3036	1980	taskeng.exe	29
PID 1980 wrote to memory of 3036	1980	taskeng.exe	29

C:\Users\Admin\AppData\Local\Temp\249160cc11f007a7c490853f9ec181285f9edd65e4b58ac442fd3100cf8711e6.exe
"C:\Users\Admin\AppData\Local\Temp\249160cc11f007a7c490853f9ec181285f9edd65e4b58ac442fd3100cf8711e6.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
PID:1732

C:\Windows\system32\taskeng.exe
taskeng.exe {BC32F0ED-2BE6-495F-B4BE-17858FED7AE1} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1980
- C:\PROGRA~3\Mozilla\racmzae.exe
  C:\PROGRA~3\Mozilla\racmzae.exe -cddhnyc
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
  PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\racmzae.exe

Filesize
312KB

MD5
4c6cac340ba2d1c1e4b76c57ccd610d8

SHA1
b9a226f2f10b1fe9c42473b77e4e6b7bfeb95165

SHA256
70eab0a1a11832337767d6466ac0e370e049985825db6178d2aeb869a608c80a

SHA512
b84e973e03e2a06a2ccf82b93a03e48ab0f7e5f51e219feb003a3d7370c5f5dcedc2bd1634d10d4e446e810f8c1afe9bca37472366daf1a586141d6f1655646b

Download Submit
memory/1732-1-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1732-0-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1732-2-0x0000000000490000-0x00000000004EC000-memory.dmp

Filesize
368KB

Download
memory/1732-4-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3036-7-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3036-8-0x0000000000460000-0x00000000004BC000-memory.dmp

Filesize
368KB

Download
memory/3036-9-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3036-11-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download