cda7c2b046508b91d56857afb974e203c6879bfd04ca1016b992decb691f628e

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
13/07/2024, 02:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

371f4606ca0cb189fc3d29c40efb16f0N.exe
Size

223KB
MD5

371f4606ca0cb189fc3d29c40efb16f0
SHA1

097564c4bdba04937757b1bcf727f394bfe809dd
SHA256

cda7c2b046508b91d56857afb974e203c6879bfd04ca1016b992decb691f628e
SHA512

0bcfacc7f041d07b316292f991a739cbbe297faa71e57e2af2b300b0c7d2e0dde6fc166136eeb88d87f9da4b70638a4d3d4b2d6d5c42cd38077d7f019214c109
SSDEEP

3072:/DSp4183Sf3/pF79wS6o+gUCebPmKmh6WPsbs9L1qu/Ptm3Jqyd/4XKr:C4/LuS+WcPmKmsEsY9RqSs3JqyiXKr

Score

8^/10

persistence privilege_escalation

Malware Config

Signatures

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Executes dropped EXE 1 IoCs

pid	Process
2944	yhlxibj.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\yhlxibj.exe	371f4606ca0cb189fc3d29c40efb16f0N.exe
File created	C:\PROGRA~3\Mozilla\jlulpen.dll	yhlxibj.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
2680	371f4606ca0cb189fc3d29c40efb16f0N.exe
2944	yhlxibj.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 2944	2804	taskeng.exe	31
PID 2804 wrote to memory of 2944	2804	taskeng.exe	31
PID 2804 wrote to memory of 2944	2804	taskeng.exe	31
PID 2804 wrote to memory of 2944	2804	taskeng.exe	31

C:\Users\Admin\AppData\Local\Temp\371f4606ca0cb189fc3d29c40efb16f0N.exe
"C:\Users\Admin\AppData\Local\Temp\371f4606ca0cb189fc3d29c40efb16f0N.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
PID:2680

C:\Windows\system32\taskeng.exe
taskeng.exe {4188D5ED-1B53-4011-8BF2-686FC7B5ECB1} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2804
- C:\PROGRA~3\Mozilla\yhlxibj.exe
  C:\PROGRA~3\Mozilla\yhlxibj.exe -yhkgcym
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
  PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Privilege Escalation

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\yhlxibj.exe

Filesize
223KB

MD5
6310d7256df1d2be6d72821d0973d6d7

SHA1
1f200ae9b3877cac6908af9e40674898b2cec550

SHA256
5ff5df7e50dd73a6a92de82069b6c1c0bc49022ac51565d5925bdf0fcc0009bd

SHA512
84bad05bd2b8b18be308375e28f058580b96459f37ca72849f22e9ca4fbdaf930b23198295be501d2e85ed3e353ecba839639d4754c6009444660232c8530364

Download Submit
memory/2680-0-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2680-2-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2680-1-0x0000000000330000-0x000000000038B000-memory.dmp

Filesize
364KB

Download
memory/2680-4-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2944-7-0x0000000000890000-0x00000000008EB000-memory.dmp

Filesize
364KB

Download
memory/2944-8-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2944-10-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download