9e3b2423e161dff6b197357b696fec6bcba0e201fc277fbdcc515e69c25f4658

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
03-05-2024 01:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9e3b2423e161dff6b197357b696fec6bcba0e201fc277fbdcc515e69c25f4658.exe
Size

252KB
MD5

376981bf32d6382397cfae32e729b341
SHA1

a45fd94bdd32a4b60f9f919f57f46282cbec06fe
SHA256

9e3b2423e161dff6b197357b696fec6bcba0e201fc277fbdcc515e69c25f4658
SHA512

1d959dc370a4a82e78f7138e7406288d7dcff95011881e31ec30a9f091ad80d2353afc86425b903d41b72dc307ef83a1ff0183eb1811abd11d024d8a3c83b175
SSDEEP

3072:uxGcwApj6FHzId1WmJ+UrdoI5iCCWm2x5wa3ny/7LsMaP8T1YvQd23:uxxpjAHzId1MUeI4CdRYa3ny/7mP823

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Executes dropped EXE 1 IoCs

pid	Process
1712	eccstpf.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\eccstpf.exe	9e3b2423e161dff6b197357b696fec6bcba0e201fc277fbdcc515e69c25f4658.exe
File created	C:\PROGRA~3\Mozilla\qtlrtjl.dll	eccstpf.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2484	9e3b2423e161dff6b197357b696fec6bcba0e201fc277fbdcc515e69c25f4658.exe
1712	eccstpf.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 1712	1664	taskeng.exe	29
PID 1664 wrote to memory of 1712	1664	taskeng.exe	29
PID 1664 wrote to memory of 1712	1664	taskeng.exe	29
PID 1664 wrote to memory of 1712	1664	taskeng.exe	29

C:\Users\Admin\AppData\Local\Temp\9e3b2423e161dff6b197357b696fec6bcba0e201fc277fbdcc515e69c25f4658.exe
"C:\Users\Admin\AppData\Local\Temp\9e3b2423e161dff6b197357b696fec6bcba0e201fc277fbdcc515e69c25f4658.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
PID:2484

C:\Windows\system32\taskeng.exe
taskeng.exe {FFB08C9A-1FF9-4709-956F-F3B62C11DC4D} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1664
- C:\PROGRA~3\Mozilla\eccstpf.exe
  C:\PROGRA~3\Mozilla\eccstpf.exe -ufgsyxd
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
  PID:1712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\eccstpf.exe

Filesize
252KB

MD5
494a7411ff7fdbb312e4aaa2288e18c4

SHA1
b766cead60dc5d729fe2a1052d0318c632c466a9

SHA256
43bb22fe54921d41f5d4e62c1b4783d544bd8661625af2eb0ea6dda233de7096

SHA512
f26d68a834387261ab5c4fc22782f854bf9eeb9590f0d397da720c2886c3ca407529aa9047d219d419a1fd7fc178bd566f029152b80ecf4980004fcc4ad9d620

Download Submit
memory/1712-7-0x0000000000460000-0x00000000004BB000-memory.dmp

Filesize
364KB

Download
memory/1712-8-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1712-10-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2484-0-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2484-1-0x0000000000490000-0x00000000004EB000-memory.dmp

Filesize
364KB

Download
memory/2484-2-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2484-4-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download