a43c3265cd2ab36a3b0c8c77f6bc23ae9c770ee33a4485e0f47f26b8a852f59a

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
11/05/2024, 00:49 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a43c3265cd2ab36a3b0c8c77f6bc23ae9c770ee33a4485e0f47f26b8a852f59a.exe
Size

207KB
MD5

025b1b20a223205d4f566df00f29176b
SHA1

cf0f5263d9d511cbfaece84d05161d1c789e7c26
SHA256

a43c3265cd2ab36a3b0c8c77f6bc23ae9c770ee33a4485e0f47f26b8a852f59a
SHA512

8be183a6c3a47fd17101357c91dffe7b6d6f04488cd22b76f717e98edf679bf63a89e84226cd54dc8c64e04b30dffe068105a6bd9f3b2627a6c888e28de9b45c
SSDEEP

3072:MRSasuUaKjU3TicAHJsow3zpEENchbiMKh5Va79ayi05:MRSasbamcAHJ636+chbiR5Valio

Score

8^/10

persistence

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Executes dropped EXE 1 IoCs

pid	Process
2040	anhxrcb.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\anhxrcb.exe	a43c3265cd2ab36a3b0c8c77f6bc23ae9c770ee33a4485e0f47f26b8a852f59a.exe
File created	C:\PROGRA~3\Mozilla\fqurfhn.dll	anhxrcb.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1844 wrote to memory of 2040	1844	taskeng.exe	29
PID 1844 wrote to memory of 2040	1844	taskeng.exe	29
PID 1844 wrote to memory of 2040	1844	taskeng.exe	29
PID 1844 wrote to memory of 2040	1844	taskeng.exe	29

C:\Users\Admin\AppData\Local\Temp\a43c3265cd2ab36a3b0c8c77f6bc23ae9c770ee33a4485e0f47f26b8a852f59a.exe
"C:\Users\Admin\AppData\Local\Temp\a43c3265cd2ab36a3b0c8c77f6bc23ae9c770ee33a4485e0f47f26b8a852f59a.exe"
1⤵
- Drops file in Program Files directory
PID:2248

C:\Windows\system32\taskeng.exe
taskeng.exe {6F15C756-CAC2-4E91-8F10-DB4AB89C4D1C} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1844
- C:\PROGRA~3\Mozilla\anhxrcb.exe
  C:\PROGRA~3\Mozilla\anhxrcb.exe -wxojhrj
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\anhxrcb.exe

Filesize
207KB

MD5
323499b0c2a3c58594083f5d1c5b0c38

SHA1
7201f7a7433f14d7fe9ef40535729578ed726d02

SHA256
3038c60dab074590937f2ad5f8f2b6f4e902b92d651e1fe74adaced4b6bacd11

SHA512
108803300bcd3e20863871c6a25f0ab7c8e63bf966c9a9190a3e8797c234f0f030d134386cd4c586afb7b5a7c68699c3c3b565f8f4bc3648cd832b9c5c25a18e

Download Submit
memory/2040-13-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2040-14-0x00000000008B0000-0x000000000090B000-memory.dmp

Filesize
364KB

Download
memory/2248-0-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2248-1-0x0000000000401000-0x0000000000405000-memory.dmp

Filesize
16KB

Download
memory/2248-2-0x0000000001BC0000-0x0000000001C1B000-memory.dmp

Filesize
364KB

Download
memory/2248-9-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2248-10-0x0000000000401000-0x0000000000405000-memory.dmp

Filesize
16KB

Download