Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 18/04/2024, 23:37
Static task: static1
Behavioral task: behavioral1
  Sample: 79ba75c2bc3b232fb2d849ca2cf71f10eea9958a084b2bf1a05d2e29fcaea833.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: 79ba75c2bc3b232fb2d849ca2cf71f10eea9958a084b2bf1a05d2e29fcaea833.exe
  Resource: win10v2004-20240412-en
General
Target: 79ba75c2bc3b232fb2d849ca2cf71f10eea9958a084b2bf1a05d2e29fcaea833.exe
Size: 387KB
MD5: 95cd409be3248392817650834e2e007f
SHA1: e37b0a054e1e5c8b1a7f05e33675ef5ee093e542
SHA256: 79ba75c2bc3b232fb2d849ca2cf71f10eea9958a084b2bf1a05d2e29fcaea833
SHA512: 62362ef0eed6e0b31037737e91e43b0ad375f97c15de5763af89f6e8df96e0e6dff9fe92308627d636edd23754806d17ab6176c5b0c31a26792a70e229377285
SSDEEP: 6144:7ST2k0YujF59B+SNiT1SRws339pnPJ7ImcZBTbn:SFxujX9B+lAb9Im+BTr
Malware Config
Signatures
Modifies AppInit DLL entries (2 TTPs)
Executes dropped EXE (1 IoC)
  pid   Process
  2940  racmzae.exe
Drops file in Program Files directory (2 IoCs)
  description   ioc                              Process
  File created  C:\PROGRA~3\Mozilla\racmzae.exe  79ba75c2bc3b232fb2d849ca2cf71f10eea9958a084b2bf1a05d2e29fcaea833.exe
  File created  C:\PROGRA~3\Mozilla\ttbtowf.dll  racmzae.exe
Suspicious use of UnmapMainImage (2 IoCs)
  pid   Process
  1148  79ba75c2bc3b232fb2d849ca2cf71f10eea9958a084b2bf1a05d2e29fcaea833.exe
  2940  racmzae.exe
Suspicious use of WriteProcessMemory (4 IoCs)
  description                       pid   Process      procid_target
  PID 1324 wrote to memory of 2940  1324  taskeng.exe  29
  PID 1324 wrote to memory of 2940  1324  taskeng.exe  29
  PID 1324 wrote to memory of 2940  1324  taskeng.exe  29
  PID 1324 wrote to memory of 2940  1324  taskeng.exe  29
Processes
C:\Users\Admin\AppData\Local\Temp\79ba75c2bc3b232fb2d849ca2cf71f10eea9958a084b2bf1a05d2e29fcaea833.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\79ba75c2bc3b232fb2d849ca2cf71f10eea9958a084b2bf1a05d2e29fcaea833.exe"
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
  PID: 1148
C:\Windows\system32\taskeng.exe
  command line: taskeng.exe {9D252D83-6D40-45E5-8FE4-698252152134} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  PID: 1324
  C:\PROGRA~3\Mozilla\racmzae.exe (child of taskeng.exe)
    command line: C:\PROGRA~3\Mozilla\racmzae.exe -cddhnyc
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of UnmapMainImage
    PID: 2940
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 387KB
MD5: 33f93e6597e6931cb636d62cdb70a992
SHA1: 5e9cbdc20f76708afd749d6dd96d0f7231a2abf7
SHA256: b5866ae538660e0c86e65d84ca4be4f08c437d40a143961e697d6f9e1640ede1
SHA512: f1a1f72ba466f6a7469a4adecfcb571bc04468bb737ddf4f31cddb5d1ceaa883c918c80c8235071e962980b3d98c364f228669d424b33179046ddf58b66c657e