Analysis
max time kernel: 118s
max time network: 122s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 24/04/2024, 14:04
Static task: static1

Behavioral task: behavioral1
Sample: 255bbe0a32256eced328d38e936ec7388e4d6770529df661f1ffa9e4dc746190.exe
Resource: win7-20231129-en

Behavioral task: behavioral2
Sample: 255bbe0a32256eced328d38e936ec7388e4d6770529df661f1ffa9e4dc746190.exe
Resource: win10v2004-20240412-en
General
Target: 255bbe0a32256eced328d38e936ec7388e4d6770529df661f1ffa9e4dc746190.exe
Size: 328KB
MD5: 47f3bc9a62d7d67357e6b500615865d4
SHA1: 1ab49a5c9d0234efb37b338a1da4957b18eca5bd
SHA256: 255bbe0a32256eced328d38e936ec7388e4d6770529df661f1ffa9e4dc746190
SHA512: 436655cdb6953d497c665ff0a936ee4d0a2367d040c54633c882b63b8684fdb2f0587ba930e4e7408e7c1733e132c937e4893d940526d02105a40a51463b036f
SSDEEP: 3072:xANA6IMfSLilGMXEVP79SE8pve/RysNPDuIvT4FBDv1KS2jbxWGqJs3:WiMF/X479SEAanPSIv0FB5KSbGqJs
Malware Config
Signatures
- Modifies AppInit DLL entries (2 TTPs)
- Executes dropped EXE (1 IoC)
    pid   Process
    2080  anhxrcb.exe
- Drops file in Program Files directory (2 IoCs)
    description   ioc                              Process
    File created  C:\PROGRA~3\Mozilla\anhxrcb.exe  255bbe0a32256eced328d38e936ec7388e4d6770529df661f1ffa9e4dc746190.exe
    File created  C:\PROGRA~3\Mozilla\fqurfhn.dll  anhxrcb.exe
- Suspicious use of UnmapMainImage (2 IoCs)
    pid   Process
    2372  255bbe0a32256eced328d38e936ec7388e4d6770529df661f1ffa9e4dc746190.exe
    2080  anhxrcb.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
    description                       pid   Process      procid_target
    PID 2548 wrote to memory of 2080  2548  taskeng.exe  29
    PID 2548 wrote to memory of 2080  2548  taskeng.exe  29
    PID 2548 wrote to memory of 2080  2548  taskeng.exe  29
    PID 2548 wrote to memory of 2080  2548  taskeng.exe  29
Processes
- C:\Users\Admin\AppData\Local\Temp\255bbe0a32256eced328d38e936ec7388e4d6770529df661f1ffa9e4dc746190.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\255bbe0a32256eced328d38e936ec7388e4d6770529df661f1ffa9e4dc746190.exe"
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
  PID: 2372
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {0A095DC4-E200-4C38-9C37-C3FF634AB7BA} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  PID: 2548
  - C:\PROGRA~3\Mozilla\anhxrcb.exe (child of taskeng.exe)
    Command line: C:\PROGRA~3\Mozilla\anhxrcb.exe -wxojhrj
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of UnmapMainImage
    PID: 2080
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 328KB
  MD5: a4bb2dd8802cd54a3948aa2a2026e622
  SHA1: a47b7168c083ccfc06200ed75aa4208f494d6b19
  SHA256: 392ba5f41bc98ced0432e70a002bb88df0ac6118615999cd53671c60c03b6ee1
  SHA512: 856fc7e2f96a9ee7bc5f9eee2059c2ca522a056fa44807a0ad004951c3582d552521aadd741f63ecc4bddbecc6242df6835f516f64ca2bbe20be573e617f5e4f