1ef6bcd84eb530609d194f6b3961d3dbe99fb5d3d23d9fca07a420c1e3f774dd

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
04/07/2024, 00:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ef6bcd84eb530609d194f6b3961d3dbe99fb5d3d23d9fca07a420c1e3f774dd.exe
Size

561KB
MD5

eda2cb25ddd98efd096529388d38e9b0
SHA1

24dccce9998dbd42f3c303a32f80a2eb2e09d5b2
SHA256

1ef6bcd84eb530609d194f6b3961d3dbe99fb5d3d23d9fca07a420c1e3f774dd
SHA512

a7a2e561329f9359f630e65305cdd5115db3198db5eaaa7d6784dc209d6b97aed694da44ba843acd3b331cd81a74b71540d9bbd46063555319a9d87d0efb7460
SSDEEP

12288:tBXXXXXXXXXAXX7hx6UhqXmZ1Xok3IpaZQ10hSnA/Qz5wYGfU:sx6Uo01j3IsprI7GfU

Score

8^/10

persistence privilege_escalation

Malware Config

Signatures

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Executes dropped EXE 1 IoCs

pid	Process
2920	arjskvg.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\arjskvg.exe	1ef6bcd84eb530609d194f6b3961d3dbe99fb5d3d23d9fca07a420c1e3f774dd.exe
File created	C:\PROGRA~3\Mozilla\eekvruj.dll	arjskvg.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1696	1ef6bcd84eb530609d194f6b3961d3dbe99fb5d3d23d9fca07a420c1e3f774dd.exe
2920	arjskvg.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 2920	3044	taskeng.exe	29
PID 3044 wrote to memory of 2920	3044	taskeng.exe	29
PID 3044 wrote to memory of 2920	3044	taskeng.exe	29
PID 3044 wrote to memory of 2920	3044	taskeng.exe	29

C:\Users\Admin\AppData\Local\Temp\1ef6bcd84eb530609d194f6b3961d3dbe99fb5d3d23d9fca07a420c1e3f774dd.exe
"C:\Users\Admin\AppData\Local\Temp\1ef6bcd84eb530609d194f6b3961d3dbe99fb5d3d23d9fca07a420c1e3f774dd.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
PID:1696

C:\Windows\system32\taskeng.exe
taskeng.exe {FC381750-8AF3-461C-ACBC-12052D41C4A9} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:3044
- C:\PROGRA~3\Mozilla\arjskvg.exe
  C:\PROGRA~3\Mozilla\arjskvg.exe -plisyaa
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
  PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Privilege Escalation

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\arjskvg.exe

Filesize
561KB

MD5
aa690b6593e6a0efafb907865681b5be

SHA1
a6fd9fcb49b315eb3c4e9482eb13f385279bc5b6

SHA256
8e5ebff7c1423fb647fdabdc0fe044a197f7134a98a788578aedbc65acd15627

SHA512
25c359805823c6bcf7db7b598d17d8a9bbc71c0186608e3f668ff6dab785d25ef892bd84e666a2a54c677ff0879feb209642f4ea7193502b3fc13640494f1249

Download Submit
memory/1696-0-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/1696-1-0x0000000000260000-0x00000000002BB000-memory.dmp

Filesize
364KB

Download
memory/1696-2-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1696-4-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2920-7-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2920-9-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2920-8-0x0000000000660000-0x00000000006BB000-memory.dmp

Filesize
364KB

Download
memory/2920-11-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download