cc34b2c51735bf57f41a994dc0ab24e47312c5cbc40bfcac885846b0129c2bfb

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
08/05/2024, 02:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc34b2c51735bf57f41a994dc0ab24e47312c5cbc40bfcac885846b0129c2bfb.exe
Size

238KB
MD5

bafa7938f25883fa4e8977e215904adf
SHA1

704bb2d7a81167fb28a00bbbf31c3a2fc950b337
SHA256

cc34b2c51735bf57f41a994dc0ab24e47312c5cbc40bfcac885846b0129c2bfb
SHA512

cb1445e3b328aca0eed3377731f881cea67cd3fe41e6e1d1cd06c65817ee6cf8c8d4f2d15acbee8ace55b43756821f11cecb97f3ce5c75b7a4d3f32e6331e4f2
SSDEEP

3072:HC8yyfHyhB/qY4dMflRvPRxkWFDqsNFmyTK4LxjxkXPxJVo8zixOgqAv:HCrGHs9qlMfznbFGsNwy+4LVxk/NBul

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Executes dropped EXE 1 IoCs

pid	Process
2552	pfwoyhh.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\pfwoyhh.exe	cc34b2c51735bf57f41a994dc0ab24e47312c5cbc40bfcac885846b0129c2bfb.exe
File created	C:\PROGRA~3\Mozilla\bjvdwgg.dll	pfwoyhh.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1700	cc34b2c51735bf57f41a994dc0ab24e47312c5cbc40bfcac885846b0129c2bfb.exe
2552	pfwoyhh.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 2552	2032	taskeng.exe	29
PID 2032 wrote to memory of 2552	2032	taskeng.exe	29
PID 2032 wrote to memory of 2552	2032	taskeng.exe	29
PID 2032 wrote to memory of 2552	2032	taskeng.exe	29

C:\Users\Admin\AppData\Local\Temp\cc34b2c51735bf57f41a994dc0ab24e47312c5cbc40bfcac885846b0129c2bfb.exe
"C:\Users\Admin\AppData\Local\Temp\cc34b2c51735bf57f41a994dc0ab24e47312c5cbc40bfcac885846b0129c2bfb.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
PID:1700

C:\Windows\system32\taskeng.exe
taskeng.exe {D0584316-D93F-4342-A973-232D07DF0D52} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2032
- C:\PROGRA~3\Mozilla\pfwoyhh.exe
  C:\PROGRA~3\Mozilla\pfwoyhh.exe -zhxzcvh
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
  PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\pfwoyhh.exe

Filesize
238KB

MD5
e0a43b3382c7db187157497ea6938a38

SHA1
0c43e01afeda0400f0cef83c986df4529890cea6

SHA256
921cc004be9ba9cf639e69f0c5b8eb8279715385475e224314b1af836b4832de

SHA512
2bbf5037f1dc4dc05f4b473733c581b7f94eab73c2159c2b28cd00be78ddd153b66b2c671d25a4bcd6440999c8303d8c7251df69e0804af5a28c3ac374733cac

Download Submit
memory/1700-0-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1700-2-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1700-1-0x0000000000270000-0x00000000002CB000-memory.dmp

Filesize
364KB

Download
memory/1700-4-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2552-7-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2552-8-0x0000000000330000-0x000000000038B000-memory.dmp

Filesize
364KB

Download
memory/2552-9-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2552-11-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download