e07146ab2498fbdaaeb9371c506f12b88bffc216c0a6c541cb0f3d2e0e0dd704

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/04/2024, 22:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

30129f55e0ddbc3c8b916f3f17a33bf4.exe
Size

212KB
MD5

30129f55e0ddbc3c8b916f3f17a33bf4
SHA1

f32aa55c54a094b3bbf33438cd08910f375c56e0
SHA256

e07146ab2498fbdaaeb9371c506f12b88bffc216c0a6c541cb0f3d2e0e0dd704
SHA512

f4c8beca426443300dfa44db72229a32bff11056857391029171a1df1d00a28bca6c0d3dd93d5f900b23bf812cdcbb143fc899c786453830b31ac1e287d6394f
SSDEEP

6144:T21pbX5wvz8zE14KpxxbxDxxxx155nZxs1UoKn:Kdw6E14KxxbxDxxxx15VZxx

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Executes dropped EXE 1 IoCs

pid	Process
3068	gjsfhjk.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\gjsfhjk.exe	30129f55e0ddbc3c8b916f3f17a33bf4.exe
File created	C:\PROGRA~3\Mozilla\eurgebe.dll	gjsfhjk.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2212	30129f55e0ddbc3c8b916f3f17a33bf4.exe
3068	gjsfhjk.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 3068	2100	taskeng.exe	29
PID 2100 wrote to memory of 3068	2100	taskeng.exe	29
PID 2100 wrote to memory of 3068	2100	taskeng.exe	29
PID 2100 wrote to memory of 3068	2100	taskeng.exe	29

C:\Users\Admin\AppData\Local\Temp\30129f55e0ddbc3c8b916f3f17a33bf4.exe
"C:\Users\Admin\AppData\Local\Temp\30129f55e0ddbc3c8b916f3f17a33bf4.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
PID:2212

C:\Windows\system32\taskeng.exe
taskeng.exe {6822F5DC-3970-4455-A0A4-302D5543153A} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2100
- C:\PROGRA~3\Mozilla\gjsfhjk.exe
  C:\PROGRA~3\Mozilla\gjsfhjk.exe -tuxiydl
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
  PID:3068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\gjsfhjk.exe

Filesize
212KB

MD5
575c67572422a09f99a0431fb501c9cf

SHA1
f872e46dc155f8deb9e1f31000f0ccef9697351e

SHA256
6e671140fcd8d70712e562991d7a7c9175c5384e7d17d24a45cdbed98f3d0af5

SHA512
82a495a709ed46f3fc297d811553d8da7b84b18e4d5cd9e1da9860f75b8bd06d99983ee729bdc6ddf1f950abe5805263bac42758d436d9d6f6bc0897e1df46e3

Download Submit
memory/2212-2-0x0000000001C40000-0x0000000001C9B000-memory.dmp

Filesize
364KB

Download
memory/2212-1-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2212-0-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2212-4-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3068-7-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3068-8-0x0000000000460000-0x00000000004BB000-memory.dmp

Filesize
364KB

Download
memory/3068-9-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3068-11-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download