79ba75c2bc3b232fb2d849ca2cf71f10eea9958a084b2bf1a05d2e29fcaea833

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
18/04/2024, 23:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

79ba75c2bc3b232fb2d849ca2cf71f10eea9958a084b2bf1a05d2e29fcaea833.exe
Size

387KB
MD5

95cd409be3248392817650834e2e007f
SHA1

e37b0a054e1e5c8b1a7f05e33675ef5ee093e542
SHA256

79ba75c2bc3b232fb2d849ca2cf71f10eea9958a084b2bf1a05d2e29fcaea833
SHA512

62362ef0eed6e0b31037737e91e43b0ad375f97c15de5763af89f6e8df96e0e6dff9fe92308627d636edd23754806d17ab6176c5b0c31a26792a70e229377285
SSDEEP

6144:7ST2k0YujF59B+SNiT1SRws339pnPJ7ImcZBTbn:SFxujX9B+lAb9Im+BTr

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Executes dropped EXE 1 IoCs

pid	Process
2940	racmzae.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\racmzae.exe	79ba75c2bc3b232fb2d849ca2cf71f10eea9958a084b2bf1a05d2e29fcaea833.exe
File created	C:\PROGRA~3\Mozilla\ttbtowf.dll	racmzae.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1148	79ba75c2bc3b232fb2d849ca2cf71f10eea9958a084b2bf1a05d2e29fcaea833.exe
2940	racmzae.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1324 wrote to memory of 2940	1324	taskeng.exe	29
PID 1324 wrote to memory of 2940	1324	taskeng.exe	29
PID 1324 wrote to memory of 2940	1324	taskeng.exe	29
PID 1324 wrote to memory of 2940	1324	taskeng.exe	29

C:\Users\Admin\AppData\Local\Temp\79ba75c2bc3b232fb2d849ca2cf71f10eea9958a084b2bf1a05d2e29fcaea833.exe
"C:\Users\Admin\AppData\Local\Temp\79ba75c2bc3b232fb2d849ca2cf71f10eea9958a084b2bf1a05d2e29fcaea833.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
PID:1148

C:\Windows\system32\taskeng.exe
taskeng.exe {9D252D83-6D40-45E5-8FE4-698252152134} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1324
- C:\PROGRA~3\Mozilla\racmzae.exe
  C:\PROGRA~3\Mozilla\racmzae.exe -cddhnyc
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
  PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\racmzae.exe

Filesize
387KB

MD5
33f93e6597e6931cb636d62cdb70a992

SHA1
5e9cbdc20f76708afd749d6dd96d0f7231a2abf7

SHA256
b5866ae538660e0c86e65d84ca4be4f08c437d40a143961e697d6f9e1640ede1

SHA512
f1a1f72ba466f6a7469a4adecfcb571bc04468bb737ddf4f31cddb5d1ceaa883c918c80c8235071e962980b3d98c364f228669d424b33179046ddf58b66c657e

Download Submit
memory/1148-1-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1148-0-0x0000000000490000-0x00000000004EB000-memory.dmp

Filesize
364KB

Download
memory/1148-3-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2940-6-0x0000000000260000-0x00000000002BB000-memory.dmp

Filesize
364KB

Download
memory/2940-7-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2940-9-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download