7d2178c6e118026d1207794aa591b67514162750d6a3aac04cfc16beb078b74e

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24/04/2024, 23:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7d2178c6e118026d1207794aa591b67514162750d6a3aac04cfc16beb078b74e.exe
Size

307KB
MD5

e68e15a6159758501a688d9dd4700ab9
SHA1

9c1f035ed6816f12563673ac194744a246938f59
SHA256

7d2178c6e118026d1207794aa591b67514162750d6a3aac04cfc16beb078b74e
SHA512

b36c30ad63f9c46123d753333eb9e764c8fbc3721e9d7ab90a6dcb65e16f89476ca65ff7848f1d48a1cd9c4cce1eb72d6e0c88239b11c695c67f9de804dfc656
SSDEEP

3072:RTC7MKza/YY7ESZmU/iq312IuvAVnRvOmzn1aDGrXnrz2UzEJril+T0g0niYlEwD:R+7rEpQUq6yvAddRZrXnuUowl+TNxf0

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Executes dropped EXE 1 IoCs

pid	Process
3056	dbilzqh.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\dbilzqh.exe	7d2178c6e118026d1207794aa591b67514162750d6a3aac04cfc16beb078b74e.exe
File created	C:\PROGRA~3\Mozilla\zxoabnc.dll	dbilzqh.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2952	7d2178c6e118026d1207794aa591b67514162750d6a3aac04cfc16beb078b74e.exe
3056	dbilzqh.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2660 wrote to memory of 3056	2660	taskeng.exe	29
PID 2660 wrote to memory of 3056	2660	taskeng.exe	29
PID 2660 wrote to memory of 3056	2660	taskeng.exe	29
PID 2660 wrote to memory of 3056	2660	taskeng.exe	29

C:\Users\Admin\AppData\Local\Temp\7d2178c6e118026d1207794aa591b67514162750d6a3aac04cfc16beb078b74e.exe
"C:\Users\Admin\AppData\Local\Temp\7d2178c6e118026d1207794aa591b67514162750d6a3aac04cfc16beb078b74e.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
PID:2952

C:\Windows\system32\taskeng.exe
taskeng.exe {DA04DF4F-DB89-4625-9606-CB2CB9102377} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2660
- C:\PROGRA~3\Mozilla\dbilzqh.exe
  C:\PROGRA~3\Mozilla\dbilzqh.exe -kwinamg
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
  PID:3056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\dbilzqh.exe

Filesize
307KB

MD5
8604e9d28311c0733bf9ec9eda7264e0

SHA1
1259ed2a771bc70e4cd000b55bb16db6cc7725cc

SHA256
27b536c6fdbe54a72b400981ca5343126ba2a98e789ca5ea87017c77c218ed1a

SHA512
048af781c899e55af304b627efd900f3abe8561c4a02371f81ee283f019be01bc15f37bbe6d1646511f84c9af765a2f6091a451894dbf5449c27539043aa376c

Download Submit
memory/2952-2-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2952-1-0x0000000000260000-0x00000000002BB000-memory.dmp

Filesize
364KB

Download
memory/2952-0-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2952-4-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3056-7-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/3056-9-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3056-8-0x0000000000330000-0x000000000038B000-memory.dmp

Filesize
364KB

Download
memory/3056-11-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download