8ffa4e0bcc37f03977ee0eb77dae2639cf360bfadfaead0b0fc304d1dbd8a78f

General

Target

8ffa4e0bcc37f03977ee0eb77dae2639cf360bfadfaead0b0fc304d1dbd8a78f.exe
Size

6.7MB
MD5

50385df19f957b903a16162568d5d844
SHA1

6299602980a42b3b36268581d9f5c1c95edc0c68
SHA256

8ffa4e0bcc37f03977ee0eb77dae2639cf360bfadfaead0b0fc304d1dbd8a78f
SHA512

b440643a8f8e135e2d14ed786e2d085ca5633e09a26eb9a6058d65fb85da071fffac68de0400a5f8a3d1fd58dbe7c36d4e6b5708213aab2f76117f7600cd0804
SSDEEP

196608:iLmZYVW6eOSuI1uJAfiV4Yh/DMsQadFuETY5Wd:iLmr+SuGuCf/w4sQadFuEMO

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Executes dropped EXE 1 IoCs

pid	Process
2272	anhxrcb.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\anhxrcb.exe	8ffa4e0bcc37f03977ee0eb77dae2639cf360bfadfaead0b0fc304d1dbd8a78f.exe
File created	C:\PROGRA~3\Mozilla\fqurfhn.dll	anhxrcb.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2216	8ffa4e0bcc37f03977ee0eb77dae2639cf360bfadfaead0b0fc304d1dbd8a78f.exe
2272	anhxrcb.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 2272	2700	taskeng.exe	29
PID 2700 wrote to memory of 2272	2700	taskeng.exe	29
PID 2700 wrote to memory of 2272	2700	taskeng.exe	29
PID 2700 wrote to memory of 2272	2700	taskeng.exe	29

C:\Users\Admin\AppData\Local\Temp\8ffa4e0bcc37f03977ee0eb77dae2639cf360bfadfaead0b0fc304d1dbd8a78f.exe
"C:\Users\Admin\AppData\Local\Temp\8ffa4e0bcc37f03977ee0eb77dae2639cf360bfadfaead0b0fc304d1dbd8a78f.exe"
1⤵
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:2216

C:\Windows\system32\taskeng.exe
taskeng.exe {7620B96C-0EA4-4623-B11E-E76479B76CB7} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2700
- C:\PROGRA~3\Mozilla\anhxrcb.exe
  C:\PROGRA~3\Mozilla\anhxrcb.exe -wxojhrj
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\anhxrcb.exe

Filesize
6.7MB

MD5
683e996bb56a86598d0a6c53c7e6c90c

SHA1
21baf18d05b85054b7bdad972a42065d81a2baa6

SHA256
0438fa6e8fa7f8681bc1df6a94bf7782bd864e349a21ed7b52680469e106a4d5

SHA512
7f8534621fc007267405dfe794bf5634cd93e54003d3191dd60f394be2797201058e854782c5989150f713b10bc366fa3fd78faa83c103e0b10fd9db540f4de0

Download Submit
memory/2216-6-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2216-11-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2216-10-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2216-35-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2216-33-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2216-39-0x0000000000FDC000-0x0000000001390000-memory.dmp

Filesize
3.7MB

Download
memory/2216-36-0x0000000000F80000-0x0000000001A41000-memory.dmp

Filesize
10.8MB

Download
memory/2216-30-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2216-40-0x0000000000F80000-0x0000000001A41000-memory.dmp

Filesize
10.8MB

Download
memory/2216-28-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2216-25-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2216-23-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2216-20-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2216-18-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/2216-15-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2216-13-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2216-0-0x0000000000F80000-0x0000000001A41000-memory.dmp

Filesize
10.8MB

Download
memory/2216-8-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2216-5-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2216-1-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2216-43-0x0000000000FDC000-0x0000000001390000-memory.dmp

Filesize
3.7MB

Download
memory/2216-42-0x0000000000F80000-0x0000000001A41000-memory.dmp

Filesize
10.8MB

Download
memory/2216-3-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2272-51-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2272-71-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2272-69-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2272-66-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/2272-86-0x0000000000DE0000-0x00000000018A1000-memory.dmp

Filesize
10.8MB

Download
memory/2272-61-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2272-85-0x0000000000DE0000-0x00000000018A1000-memory.dmp

Filesize
10.8MB

Download
memory/2272-46-0x0000000000DE0000-0x00000000018A1000-memory.dmp

Filesize
10.8MB

Download
memory/2272-59-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/2272-56-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2272-54-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2272-64-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/2272-88-0x0000000000DE0000-0x00000000018A1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing