819bb81f97d27f729656e8fd0be64a8aaab2a7cdeaedb59eed5ea52a48c16be6

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
23/07/2024, 13:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c43fa4da450d4842afe24a8ac4ab2ae0N.exe
Size

162KB
MD5

c43fa4da450d4842afe24a8ac4ab2ae0
SHA1

0b9fce1fd1dd245569d289aa456bffae1877fd33
SHA256

819bb81f97d27f729656e8fd0be64a8aaab2a7cdeaedb59eed5ea52a48c16be6
SHA512

cd8523b78272498e1b71f24ec9d5bc92f9b6bf4c6687c90b49e57f57977678d87940d480b6dec670054e695f06028bc747b2f04f0d4f855219a6c28213e30a06
SSDEEP

3072:51oVtum4WHvjVGr8kgB9s8p+uRcKVHM0lma3UroAew5ak23n2MgN8Dljt:5mtmCjkU9Wu6uFYwsegak22TQlJ

Score

8^/10

persistence privilege_escalation

Malware Config

Signatures

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Executes dropped EXE 1 IoCs

pid	Process
2484	qrggcen.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\qrggcen.exe	c43fa4da450d4842afe24a8ac4ab2ae0N.exe
File created	C:\PROGRA~3\Mozilla\zwjbghb.dll	qrggcen.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1952	c43fa4da450d4842afe24a8ac4ab2ae0N.exe
2484	qrggcen.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1496 wrote to memory of 2484	1496	taskeng.exe	32
PID 1496 wrote to memory of 2484	1496	taskeng.exe	32
PID 1496 wrote to memory of 2484	1496	taskeng.exe	32
PID 1496 wrote to memory of 2484	1496	taskeng.exe	32

C:\Users\Admin\AppData\Local\Temp\c43fa4da450d4842afe24a8ac4ab2ae0N.exe
"C:\Users\Admin\AppData\Local\Temp\c43fa4da450d4842afe24a8ac4ab2ae0N.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of UnmapMainImage
PID:1952

C:\Windows\system32\taskeng.exe
taskeng.exe {D63957DD-C72B-4B78-AB7E-2C51073D91A9} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1496
- C:\PROGRA~3\Mozilla\qrggcen.exe
  C:\PROGRA~3\Mozilla\qrggcen.exe -cochpwl
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
  PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Privilege Escalation

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\qrggcen.exe

Filesize
162KB

MD5
19be13993a06cf4dfc2b1732d6d5b5a0

SHA1
32dfde9a2e69c321e21a1934c975eeecdae56997

SHA256
e6dd94eb6e603aa2ba42b3dcd7be4edcd9e7d23a008e3dbc893f62e5b5f01652

SHA512
e122223c16e11b5e5422f42acc77b2d227711240610c5546cfad5d896d6dcb3e268ddedd42be10b49b73c51981c715af5a6509f659573af30713c4f80d4ea6f4

Download Submit
memory/1952-2-0x0000000000270000-0x00000000002CB000-memory.dmp

Filesize
364KB

Download
memory/1952-3-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/1952-1-0x0000000000230000-0x0000000000252000-memory.dmp

Filesize
136KB

Download
memory/1952-0-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1952-5-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2484-8-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2484-10-0x0000000000340000-0x000000000039B000-memory.dmp

Filesize
364KB

Download
memory/2484-11-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/2484-14-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download