d6bf20a5e07be2c1a234b034f25b1bebf7774437915c1678442082a63ee8ee5d

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
24/04/2024, 21:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d6bf20a5e07be2c1a234b034f25b1bebf7774437915c1678442082a63ee8ee5d.exe
Size

142KB
MD5

49dcbe6791db32b29b9b407d5a56519a
SHA1

e518601ced073245a436dc4544421bae6ff45182
SHA256

d6bf20a5e07be2c1a234b034f25b1bebf7774437915c1678442082a63ee8ee5d
SHA512

f337766c247e95d3be9d351871a24c82d279c4cd266576d05903f9c770a214d612f80d8456069cc57dff2b45a1511dcadcfad1ce305e029a8fa43a391e303f36
SSDEEP

3072:5gjzzvzm/Z7Uy1tVkBiyyUzGBk9VeFS43tqPJpPseX:Ka/ZT/UKBk749CpX

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Executes dropped EXE 1 IoCs

pid	Process
2128	anhxrcb.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\anhxrcb.exe	d6bf20a5e07be2c1a234b034f25b1bebf7774437915c1678442082a63ee8ee5d.exe
File created	C:\PROGRA~3\Mozilla\fqurfhn.dll	anhxrcb.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 2128	2008	taskeng.exe	29
PID 2008 wrote to memory of 2128	2008	taskeng.exe	29
PID 2008 wrote to memory of 2128	2008	taskeng.exe	29
PID 2008 wrote to memory of 2128	2008	taskeng.exe	29

C:\Users\Admin\AppData\Local\Temp\d6bf20a5e07be2c1a234b034f25b1bebf7774437915c1678442082a63ee8ee5d.exe
"C:\Users\Admin\AppData\Local\Temp\d6bf20a5e07be2c1a234b034f25b1bebf7774437915c1678442082a63ee8ee5d.exe"
1⤵
- Drops file in Program Files directory
PID:1724

C:\Windows\system32\taskeng.exe
taskeng.exe {4A4D903B-0371-4F70-AE45-AD97CE52637C} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2008
- C:\PROGRA~3\Mozilla\anhxrcb.exe
  C:\PROGRA~3\Mozilla\anhxrcb.exe -wxojhrj
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\anhxrcb.exe

Filesize
142KB

MD5
805656af450de78c5c8978e927c071f6

SHA1
89167b47e9be0a76f56fa0d97c9f8f74f27564a9

SHA256
9593315ce5d4d19930276ebd06d0db554e8c588f318ca6ad96260b9cf9b4f9b6

SHA512
42996bc7fbad5087587ac69cdbce2ccdd4c2a6e1e84e3b39f8b696480df56c063daba8509efad563df8a2fc219adf7a40ba93e13c4583adc3bf03fed6a3c49ed

Download Submit
memory/1724-0-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1724-1-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1724-2-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1724-3-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/1724-4-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/1724-8-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2128-11-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2128-12-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download
memory/2128-18-0x0000000000400000-0x0000000000467000-memory.dmp

Filesize
412KB

Download