2f76323dd3bd6d1544d31a8cbc12b2186f5203a1811010f03e405ba2ec83d063

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
24/04/2024, 14:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f76323dd3bd6d1544d31a8cbc12b2186f5203a1811010f03e405ba2ec83d063.exe
Size

175KB
MD5

a91199d51ab0098002d9e21f1e449771
SHA1

f30673631a0a5900e67bf7f9c801b3dc48874c19
SHA256

2f76323dd3bd6d1544d31a8cbc12b2186f5203a1811010f03e405ba2ec83d063
SHA512

92dfb3c94384d344875db8c81c4d070b8fdffe93775ce73c91e82f30b6b35c352448f20526d9831eeefa9b91abd7e2cc0deee7a9dc0aed398c4560cf2a950c84
SSDEEP

3072:mMPrK9vxnULAK202Gd8pqzX2cZVoL8XJsU4z6Z7kYeKBXAJRxddkZ:zP295nKJNGYok4YXeoXkRxkZ

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Executes dropped EXE 1 IoCs

pid	Process
3064	anhxrcb.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\anhxrcb.exe	2f76323dd3bd6d1544d31a8cbc12b2186f5203a1811010f03e405ba2ec83d063.exe
File created	C:\PROGRA~3\Mozilla\fqurfhn.dll	anhxrcb.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2968 wrote to memory of 3064	2968	taskeng.exe	29
PID 2968 wrote to memory of 3064	2968	taskeng.exe	29
PID 2968 wrote to memory of 3064	2968	taskeng.exe	29
PID 2968 wrote to memory of 3064	2968	taskeng.exe	29

C:\Users\Admin\AppData\Local\Temp\2f76323dd3bd6d1544d31a8cbc12b2186f5203a1811010f03e405ba2ec83d063.exe
"C:\Users\Admin\AppData\Local\Temp\2f76323dd3bd6d1544d31a8cbc12b2186f5203a1811010f03e405ba2ec83d063.exe"
1⤵
- Drops file in Program Files directory
PID:1404

C:\Windows\system32\taskeng.exe
taskeng.exe {7F6BAC4B-B648-4C24-8D19-CF6D0D0D4918} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2968
- C:\PROGRA~3\Mozilla\anhxrcb.exe
  C:\PROGRA~3\Mozilla\anhxrcb.exe -wxojhrj
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\anhxrcb.exe

Filesize
175KB

MD5
f80798151bfa9d1b6cfb074510fce43a

SHA1
5537130e32fabe8755724816256b853a48556b67

SHA256
d4ed131560a892d3a26763dd5bef4311f1d5b0382606324a04c492fb7747bea8

SHA512
6f1c68feb76aa65a248ab90f334205b14ae5db2ba4fff6c78a40d682bfd39c438474c0675699f55ec825cc8ff62968b8cedc07a3efc9a2b889fc1f6f8f5d7878

Download Submit
memory/1404-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1404-1-0x0000000000390000-0x00000000003EB000-memory.dmp

Filesize
364KB

Download
memory/3064-10-0x0000000000260000-0x00000000002BB000-memory.dmp

Filesize
364KB

Download