f3e54cc35c682858c085f3297febc3bd41417d356061ef2a8e214afa7cb4fa05

Analysis

max time kernel
122s
max time network
128s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19/04/2024, 04:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f3e54cc35c682858c085f3297febc3bd41417d356061ef2a8e214afa7cb4fa05.exe
Size

3.7MB
MD5

1be3d8dd02bfb17424b29b4682b92a5e
SHA1

7183fb8947bbd08526b10ce05529b5bbf2ecf3f1
SHA256

f3e54cc35c682858c085f3297febc3bd41417d356061ef2a8e214afa7cb4fa05
SHA512

248c68dad18b4dbb1da91676a7676f8578684d86ca4648df5ba4eb4c051611bfb52e65e0fd4e224871d8fcd487d714a78bf0820fc8688b8a80a8f185e9214cd3
SSDEEP

49152:31akMEEnoAXaLetR9wLm7dEgHghWvU+H/TfgKfiKXHoFcI13+mr2LFIIv:QkMEEULetUm6hhMTgfUoz13x2GIv

Score

9^/10

persistence

Malware Config

Signatures

Detects executables packed with VMProtect. 5 IoCs

resource	yara_rule
behavioral1/memory/2040-0-0x0000000000400000-0x00000000009A5000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral1/memory/2040-1-0x0000000000400000-0x00000000009A5000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral1/files/0x0008000000012249-7.dat	INDICATOR_EXE_Packed_VMProtect
behavioral1/memory/2508-9-0x0000000000400000-0x00000000009A5000-memory.dmp	INDICATOR_EXE_Packed_VMProtect
behavioral1/memory/2508-10-0x0000000000400000-0x00000000009A5000-memory.dmp	INDICATOR_EXE_Packed_VMProtect

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Executes dropped EXE 1 IoCs

pid	Process
2508	ujnwrxk.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\ujnwrxk.exe	f3e54cc35c682858c085f3297febc3bd41417d356061ef2a8e214afa7cb4fa05.exe
File created	C:\PROGRA~3\Mozilla\klvnttl.dll	ujnwrxk.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2040	f3e54cc35c682858c085f3297febc3bd41417d356061ef2a8e214afa7cb4fa05.exe
2508	ujnwrxk.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3040 wrote to memory of 2508	3040	taskeng.exe	29
PID 3040 wrote to memory of 2508	3040	taskeng.exe	29
PID 3040 wrote to memory of 2508	3040	taskeng.exe	29
PID 3040 wrote to memory of 2508	3040	taskeng.exe	29

C:\Users\Admin\AppData\Local\Temp\f3e54cc35c682858c085f3297febc3bd41417d356061ef2a8e214afa7cb4fa05.exe
"C:\Users\Admin\AppData\Local\Temp\f3e54cc35c682858c085f3297febc3bd41417d356061ef2a8e214afa7cb4fa05.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
PID:2040

C:\Windows\system32\taskeng.exe
taskeng.exe {7A382BFA-15AD-4653-BE79-69F5D4C7F820} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:3040
- C:\PROGRA~3\Mozilla\ujnwrxk.exe
  C:\PROGRA~3\Mozilla\ujnwrxk.exe -eagoxym
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
  PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\ujnwrxk.exe

Filesize
3.7MB

MD5
650a12eb0bb3ad780ee3a654791fdbd8

SHA1
80d4ced4ed92a9406a9dd4b44b4073f23f94998f

SHA256
7ea9859092fe6b1608cdea10812936a96a254b9cf881969e77551229f774f10a

SHA512
d726918d9f9d50e93718010f22654864712dc3e52dcaa2ac9a1393ba8fee4aec227dad5922255d27cce2ff533f2a566efac644486d3ca581a1c397b8cff5e42a

Download Submit
memory/2040-0-0x0000000000400000-0x00000000009A5000-memory.dmp

Filesize
5.6MB

Download
memory/2040-1-0x0000000000400000-0x00000000009A5000-memory.dmp

Filesize
5.6MB

Download
memory/2040-2-0x00000000002E0000-0x000000000033C000-memory.dmp

Filesize
368KB

Download
memory/2040-3-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2040-6-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2508-9-0x0000000000400000-0x00000000009A5000-memory.dmp

Filesize
5.6MB

Download
memory/2508-10-0x0000000000400000-0x00000000009A5000-memory.dmp

Filesize
5.6MB

Download
memory/2508-11-0x0000000000A70000-0x0000000000ACC000-memory.dmp

Filesize
368KB

Download
memory/2508-12-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2508-14-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download