2e698586e4341da73b89c74db4e275bf1c73dc99186ce01ec5a378d68c422ed8

Analysis

max time kernel
15s
max time network
16s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
15/07/2024, 21:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0cb42e9ad739c9babef32fa029598000N.exe
Size

129KB
MD5

0cb42e9ad739c9babef32fa029598000
SHA1

fe40949c9b47cbd3822b0934a95c171d3b60a1a6
SHA256

2e698586e4341da73b89c74db4e275bf1c73dc99186ce01ec5a378d68c422ed8
SHA512

fab95aec976083931e4348678ddcc623545043709b92c2c102c4438d0ba81938a1976e0225e1c76c53d26b0a9fc1e9369c34baa93dd88db503ec1d7f1df05a8a
SSDEEP

3072:knZjfso0f5z9f57fgDWChiOzl0LEnFvUf4FnWRYCdB:kndp0f5z77fgDNlzl0L0dUf2WRNdB

Score

8^/10

persistence privilege_escalation

Malware Config

Signatures

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Executes dropped EXE 1 IoCs

pid	Process
2008	qrggcen.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\qrggcen.exe	0cb42e9ad739c9babef32fa029598000N.exe
File created	C:\PROGRA~3\Mozilla\zwjbghb.dll	qrggcen.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1256 wrote to memory of 2008	1256	taskeng.exe	32
PID 1256 wrote to memory of 2008	1256	taskeng.exe	32
PID 1256 wrote to memory of 2008	1256	taskeng.exe	32
PID 1256 wrote to memory of 2008	1256	taskeng.exe	32

C:\Users\Admin\AppData\Local\Temp\0cb42e9ad739c9babef32fa029598000N.exe
"C:\Users\Admin\AppData\Local\Temp\0cb42e9ad739c9babef32fa029598000N.exe"
1⤵
- Drops file in Program Files directory
PID:2304

C:\Windows\system32\taskeng.exe
taskeng.exe {B4B0E0FE-9332-491E-97DD-92D5619300E7} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1256
- C:\PROGRA~3\Mozilla\qrggcen.exe
  C:\PROGRA~3\Mozilla\qrggcen.exe -cochpwl
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Privilege Escalation

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\qrggcen.exe

Filesize
129KB

MD5
e37fe2bad23583ebf346251e3e5008a8

SHA1
82b70c22d0dd072bffe97b86279235075ee49021

SHA256
5d63611010d3a0c458961f9a26293aec87cd9d61501cb3d5b050d0c34083e3d4

SHA512
c320f1d29dda258cb73201446e48635e8d96dd812bd53db08344f6438c5172c5ef913ba46ec533b72d980798d6fa094398d65648afb68c962496a5ce256d2a70

Download Submit
memory/2008-11-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2008-12-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2304-0-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2304-1-0x0000000000401000-0x0000000000403000-memory.dmp

Filesize
8KB

Download
memory/2304-2-0x00000000003A0000-0x00000000003FB000-memory.dmp

Filesize
364KB

Download
memory/2304-8-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download