2469ded0527a7bf35bc4f82ac80c7d6c35efcdd96be6740310155cc6d9ea3466

Analysis

max time kernel
119s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/04/2024, 22:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

40850b39c72e2546cf633558e20455aa.exe
Size

128KB
MD5

40850b39c72e2546cf633558e20455aa
SHA1

8c955094bf632a97153d764d4f8e801591673a2d
SHA256

2469ded0527a7bf35bc4f82ac80c7d6c35efcdd96be6740310155cc6d9ea3466
SHA512

bddc6049a29d0b3e6421a4d3b22382512c54bb401360ede931f921924a40dd6db7a0a756c965f3ffded049e8d23da8d7dee55fc8c0aaa46b8a9e7ec6af70f690
SSDEEP

3072:VC2sGFK+HlPMhxp6+Td83EMb3AG50Wld5I:2b+dMhEDAG5blXI

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Executes dropped EXE 1 IoCs

pid	Process
1664	tbckyxk.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\tbckyxk.exe	40850b39c72e2546cf633558e20455aa.exe
File created	C:\PROGRA~3\Mozilla\newtrln.dll	tbckyxk.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1784 wrote to memory of 1664	1784	taskeng.exe	29
PID 1784 wrote to memory of 1664	1784	taskeng.exe	29
PID 1784 wrote to memory of 1664	1784	taskeng.exe	29
PID 1784 wrote to memory of 1664	1784	taskeng.exe	29

C:\Users\Admin\AppData\Local\Temp\40850b39c72e2546cf633558e20455aa.exe
"C:\Users\Admin\AppData\Local\Temp\40850b39c72e2546cf633558e20455aa.exe"
1⤵
- Drops file in Program Files directory
PID:1932

C:\Windows\system32\taskeng.exe
taskeng.exe {3ED2D991-848E-479D-BF56-6FBCAEBA318E} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1784
- C:\PROGRA~3\Mozilla\tbckyxk.exe
  C:\PROGRA~3\Mozilla\tbckyxk.exe -gqpcbye
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\tbckyxk.exe

Filesize
128KB

MD5
fa027896635f8d9e3e74417314c2e59f

SHA1
68057e05d66487d8f2ac4d2eecfb08d6f6a4267b

SHA256
35637442ccb206a26c2ab5d65b21e222132f04b26b1711ef9c83a68bd92f54e1

SHA512
7e7dcfec74d7473710666ce3ce09be4eb3829092c3b34c90ab8753cdfd4fb7db0d35b4ca43f9c79d42839c377e4edfbd6169f1be4061cbf149d68c5464696e44

Download Submit
memory/1664-10-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1664-11-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1664-12-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1664-16-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1932-2-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1932-3-0x00000000000F0000-0x00000000000F1000-memory.dmp

Filesize
4KB

Download
memory/1932-0-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/1932-7-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download