3e02aacab65bb5f72daf6590d702077e564302eb47ea89e618274068a471ee15

Analysis

max time kernel
88s
max time network
156s
platform
windows7_x64
resource
win7-20220414-en
submitted
01-07-2022 13:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e02aacab65bb5f72daf6590d702077e564302eb47ea89e618274068a471ee15.exe
Size

470KB
MD5

6a5a9f569c4636b51bd64355b7969b16
SHA1

bb366442fb89833c9a5e0446f23d2cb27e740613
SHA256

3e02aacab65bb5f72daf6590d702077e564302eb47ea89e618274068a471ee15
SHA512

3c04c8eb6f5c30bdddb43afb2b7a98d1bfd15c849319999a90c23fdd6ff5cc1222920d3956071650ddc62c2a5f9bd8aeeb5f5edd256546e9643d432cd69a7382

Score

9^/10

evasion persistence ransomware

Malware Config

Signatures

Modifies boot configuration data using bcdedit 1 TTPs 10 IoCs

ransomware evasion

Inhibit System Recovery

T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid	Process
588	bcdedit.exe
1420	bcdedit.exe
1780	bcdedit.exe
1844	bcdedit.exe
2028	bcdedit.exe
1288	bcdedit.exe
1792	bcdedit.exe
532	bcdedit.exe
1772	bcdedit.exe
1648	bcdedit.exe

Drops file in Drivers directory 1 IoCs

Processes:

jodie.exe

description	ioc	Process
File created	C:\Windows\system32\drivers\6c0188.sys	jodie.exe

Executes dropped EXE 1 IoCs

Processes:

jodie.exe

pid	Process
1480	jodie.exe

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
964	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

3e02aacab65bb5f72daf6590d702077e564302eb47ea89e618274068a471ee15.exe

pid	Process
1764	3e02aacab65bb5f72daf6590d702077e564302eb47ea89e618274068a471ee15.exe
1764	3e02aacab65bb5f72daf6590d702077e564302eb47ea89e618274068a471ee15.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

jodie.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run	jodie.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\Jodie = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Ytoba\\jodie.exe"	jodie.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

3e02aacab65bb5f72daf6590d702077e564302eb47ea89e618274068a471ee15.exe

description	pid	Process	procid_target
PID 1764 set thread context of 964	1764	3e02aacab65bb5f72daf6590d702077e564302eb47ea89e618274068a471ee15.exe	49

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

3e02aacab65bb5f72daf6590d702077e564302eb47ea89e618274068a471ee15.exejodie.exe

pid	Process
1764	3e02aacab65bb5f72daf6590d702077e564302eb47ea89e618274068a471ee15.exe
1480	jodie.exe
1480	jodie.exe
1480	jodie.exe
1480	jodie.exe
1480	jodie.exe
1480	jodie.exe
1480	jodie.exe
1480	jodie.exe
1480	jodie.exe
1480	jodie.exe
1480	jodie.exe
1480	jodie.exe
1480	jodie.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid	Process
464

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

jodie.exe

description	pid	Process
Token: SeShutdownPrivilege	1480	jodie.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3e02aacab65bb5f72daf6590d702077e564302eb47ea89e618274068a471ee15.exejodie.exe

description	pid	Process	procid_target
PID 1764 wrote to memory of 1480	1764	3e02aacab65bb5f72daf6590d702077e564302eb47ea89e618274068a471ee15.exe	28
PID 1764 wrote to memory of 1480	1764	3e02aacab65bb5f72daf6590d702077e564302eb47ea89e618274068a471ee15.exe	28
PID 1764 wrote to memory of 1480	1764	3e02aacab65bb5f72daf6590d702077e564302eb47ea89e618274068a471ee15.exe	28
PID 1764 wrote to memory of 1480	1764	3e02aacab65bb5f72daf6590d702077e564302eb47ea89e618274068a471ee15.exe	28
PID 1480 wrote to memory of 588	1480	jodie.exe	29
PID 1480 wrote to memory of 588	1480	jodie.exe	29
PID 1480 wrote to memory of 588	1480	jodie.exe	29
PID 1480 wrote to memory of 588	1480	jodie.exe	29
PID 1480 wrote to memory of 1420	1480	jodie.exe	30
PID 1480 wrote to memory of 1420	1480	jodie.exe	30
PID 1480 wrote to memory of 1420	1480	jodie.exe	30
PID 1480 wrote to memory of 1420	1480	jodie.exe	30
PID 1480 wrote to memory of 1288	1480	jodie.exe	38
PID 1480 wrote to memory of 1288	1480	jodie.exe	38
PID 1480 wrote to memory of 1288	1480	jodie.exe	38
PID 1480 wrote to memory of 1288	1480	jodie.exe	38
PID 1480 wrote to memory of 2028	1480	jodie.exe	36
PID 1480 wrote to memory of 2028	1480	jodie.exe	36
PID 1480 wrote to memory of 2028	1480	jodie.exe	36
PID 1480 wrote to memory of 2028	1480	jodie.exe	36
PID 1480 wrote to memory of 1844	1480	jodie.exe	35
PID 1480 wrote to memory of 1844	1480	jodie.exe	35
PID 1480 wrote to memory of 1844	1480	jodie.exe	35
PID 1480 wrote to memory of 1844	1480	jodie.exe	35
PID 1480 wrote to memory of 1780	1480	jodie.exe	33
PID 1480 wrote to memory of 1780	1480	jodie.exe	33
PID 1480 wrote to memory of 1780	1480	jodie.exe	33
PID 1480 wrote to memory of 1780	1480	jodie.exe	33
PID 1480 wrote to memory of 1792	1480	jodie.exe	39
PID 1480 wrote to memory of 1792	1480	jodie.exe	39
PID 1480 wrote to memory of 1792	1480	jodie.exe	39
PID 1480 wrote to memory of 1792	1480	jodie.exe	39
PID 1480 wrote to memory of 1772	1480	jodie.exe	44
PID 1480 wrote to memory of 1772	1480	jodie.exe	44
PID 1480 wrote to memory of 1772	1480	jodie.exe	44
PID 1480 wrote to memory of 1772	1480	jodie.exe	44
PID 1480 wrote to memory of 532	1480	jodie.exe	41
PID 1480 wrote to memory of 532	1480	jodie.exe	41
PID 1480 wrote to memory of 532	1480	jodie.exe	41
PID 1480 wrote to memory of 532	1480	jodie.exe	41
PID 1480 wrote to memory of 1648	1480	jodie.exe	46
PID 1480 wrote to memory of 1648	1480	jodie.exe	46
PID 1480 wrote to memory of 1648	1480	jodie.exe	46
PID 1480 wrote to memory of 1648	1480	jodie.exe	46
PID 1480 wrote to memory of 1144	1480	jodie.exe	15
PID 1480 wrote to memory of 1144	1480	jodie.exe	15
PID 1480 wrote to memory of 1144	1480	jodie.exe	15
PID 1480 wrote to memory of 1144	1480	jodie.exe	15
PID 1480 wrote to memory of 1144	1480	jodie.exe	15
PID 1480 wrote to memory of 1208	1480	jodie.exe	14
PID 1480 wrote to memory of 1208	1480	jodie.exe	14
PID 1480 wrote to memory of 1208	1480	jodie.exe	14
PID 1480 wrote to memory of 1208	1480	jodie.exe	14
PID 1480 wrote to memory of 1208	1480	jodie.exe	14
PID 1480 wrote to memory of 1264	1480	jodie.exe	13
PID 1480 wrote to memory of 1264	1480	jodie.exe	13
PID 1480 wrote to memory of 1264	1480	jodie.exe	13
PID 1480 wrote to memory of 1264	1480	jodie.exe	13
PID 1480 wrote to memory of 1264	1480	jodie.exe	13
PID 1480 wrote to memory of 1764	1480	jodie.exe	11
PID 1480 wrote to memory of 1764	1480	jodie.exe	11
PID 1480 wrote to memory of 1764	1480	jodie.exe	11
PID 1480 wrote to memory of 1764	1480	jodie.exe	11
PID 1480 wrote to memory of 1764	1480	jodie.exe	11

C:\Users\Admin\AppData\Local\Temp\3e02aacab65bb5f72daf6590d702077e564302eb47ea89e618274068a471ee15.exe
"C:\Users\Admin\AppData\Local\Temp\3e02aacab65bb5f72daf6590d702077e564302eb47ea89e618274068a471ee15.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Users\Admin\AppData\Local\Temp\Ytoba\jodie.exe
  "C:\Users\Admin\AppData\Local\Temp\Ytoba\jodie.exe"
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1480
- - C:\Windows\system32\bcdedit.exe
    bcdedit.exe -set TESTSIGNING ON
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:588
- - C:\Windows\system32\bcdedit.exe
    bcdedit.exe -set TESTSIGNING ON
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1420
- - C:\Windows\system32\bcdedit.exe
    bcdedit.exe -set TESTSIGNING ON
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1780
- - C:\Windows\system32\bcdedit.exe
    bcdedit.exe -set TESTSIGNING ON
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1844
- - C:\Windows\system32\bcdedit.exe
    bcdedit.exe -set TESTSIGNING ON
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2028
- - C:\Windows\system32\bcdedit.exe
    bcdedit.exe -set TESTSIGNING ON
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1288
- - C:\Windows\system32\bcdedit.exe
    bcdedit.exe -set TESTSIGNING ON
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1792
- - C:\Windows\system32\bcdedit.exe
    bcdedit.exe -set TESTSIGNING ON
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:532
- - C:\Windows\system32\bcdedit.exe
    bcdedit.exe -set TESTSIGNING ON
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1772
- - C:\Windows\system32\bcdedit.exe
    bcdedit.exe -set TESTSIGNING ON
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1648
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CFL1167.bat"
  2⤵
  - Deletes itself
  PID:964

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1264

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1208

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1144

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1608

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:1844

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CFL1167.bat

Filesize
276B

MD5
a60d7bec063d60ac114835f3275673e3

SHA1
0aa62dc536ee2121c13ac8e3a7de2ba2c6dab50f

SHA256
361cd60240b91241807dd17cdc100dd1fe28c834de68c0831dbe3cb061fb8b3c

SHA512
d573261f763e211c97438debe64e90e12f3858a9edc1ffad297599d67a7e2c50599c9e4cefc09569fc7de48677e7e98a43a6b55fc6b9840499d6b86f90da86c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ytoba\jodie.exe

Filesize
470KB

MD5
f9df5abe5594ac31d5ff7608ea4f6191

SHA1
39d8f440dbf7c13d21f5b27f8fc6b9fc0e6c779d

SHA256
baced09992d39d9b964b83101a995a719276910892e8b5680724d9252528f78b

SHA512
2a0337f0aa98825b35be3ad818a606a7407e24f4ce539e73acbeed72b5260cd46feb663ed81c712b49d2faaa856bfcad76c44c4b6a41ea05d46d187e2626b6bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ytoba\jodie.exe

Filesize
470KB

MD5
f9df5abe5594ac31d5ff7608ea4f6191

SHA1
39d8f440dbf7c13d21f5b27f8fc6b9fc0e6c779d

SHA256
baced09992d39d9b964b83101a995a719276910892e8b5680724d9252528f78b

SHA512
2a0337f0aa98825b35be3ad818a606a7407e24f4ce539e73acbeed72b5260cd46feb663ed81c712b49d2faaa856bfcad76c44c4b6a41ea05d46d187e2626b6bb

Download Submit
\Users\Admin\AppData\Local\Temp\Ytoba\jodie.exe

Filesize
470KB

MD5
f9df5abe5594ac31d5ff7608ea4f6191

SHA1
39d8f440dbf7c13d21f5b27f8fc6b9fc0e6c779d

SHA256
baced09992d39d9b964b83101a995a719276910892e8b5680724d9252528f78b

SHA512
2a0337f0aa98825b35be3ad818a606a7407e24f4ce539e73acbeed72b5260cd46feb663ed81c712b49d2faaa856bfcad76c44c4b6a41ea05d46d187e2626b6bb

Download Submit
\Users\Admin\AppData\Local\Temp\Ytoba\jodie.exe

Filesize
470KB

MD5
f9df5abe5594ac31d5ff7608ea4f6191

SHA1
39d8f440dbf7c13d21f5b27f8fc6b9fc0e6c779d

SHA256
baced09992d39d9b964b83101a995a719276910892e8b5680724d9252528f78b

SHA512
2a0337f0aa98825b35be3ad818a606a7407e24f4ce539e73acbeed72b5260cd46feb663ed81c712b49d2faaa856bfcad76c44c4b6a41ea05d46d187e2626b6bb

Download Submit
memory/532-73-0x0000000000000000-mapping.dmp

Download
memory/588-65-0x0000000000000000-mapping.dmp

Download
memory/964-117-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/964-125-0x0000000000050000-0x00000000000BE000-memory.dmp

Filesize
440KB

Download
memory/964-122-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/964-121-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/964-120-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/964-119-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/964-118-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/964-108-0x0000000000050000-0x00000000000BE000-memory.dmp

Filesize
440KB

Download
memory/964-113-0x00000000000A1666-mapping.dmp

Download
memory/964-112-0x0000000000050000-0x00000000000BE000-memory.dmp

Filesize
440KB

Download
memory/964-111-0x0000000000050000-0x00000000000BE000-memory.dmp

Filesize
440KB

Download
memory/964-123-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/964-110-0x0000000000050000-0x00000000000BE000-memory.dmp

Filesize
440KB

Download
memory/1144-75-0x0000000001E70000-0x0000000001EDE000-memory.dmp

Filesize
440KB

Download
memory/1144-77-0x0000000001E70000-0x0000000001EDE000-memory.dmp

Filesize
440KB

Download
memory/1144-78-0x0000000001E70000-0x0000000001EDE000-memory.dmp

Filesize
440KB

Download
memory/1144-79-0x0000000001E70000-0x0000000001EDE000-memory.dmp

Filesize
440KB

Download
memory/1144-80-0x0000000001E70000-0x0000000001EDE000-memory.dmp

Filesize
440KB

Download
memory/1208-83-0x0000000001B70000-0x0000000001BDE000-memory.dmp

Filesize
440KB

Download
memory/1208-85-0x0000000001B70000-0x0000000001BDE000-memory.dmp

Filesize
440KB

Download
memory/1208-84-0x0000000001B70000-0x0000000001BDE000-memory.dmp

Filesize
440KB

Download
memory/1208-86-0x0000000001B70000-0x0000000001BDE000-memory.dmp

Filesize
440KB

Download
memory/1264-92-0x00000000029D0000-0x0000000002A3E000-memory.dmp

Filesize
440KB

Download
memory/1264-90-0x00000000029D0000-0x0000000002A3E000-memory.dmp

Filesize
440KB

Download
memory/1264-91-0x00000000029D0000-0x0000000002A3E000-memory.dmp

Filesize
440KB

Download
memory/1264-89-0x00000000029D0000-0x0000000002A3E000-memory.dmp

Filesize
440KB

Download
memory/1288-67-0x0000000000000000-mapping.dmp

Download
memory/1420-66-0x0000000000000000-mapping.dmp

Download
memory/1480-64-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download
memory/1480-57-0x0000000000000000-mapping.dmp

Download
memory/1480-63-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1480-126-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1480-127-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download
memory/1480-128-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1608-129-0x000007FEFB6D1000-0x000007FEFB6D3000-memory.dmp

Filesize
8KB

Download
memory/1648-74-0x0000000000000000-mapping.dmp

Download
memory/1764-99-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1764-103-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1764-101-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1764-54-0x0000000074F91000-0x0000000074F93000-memory.dmp

Filesize
8KB

Download
memory/1764-95-0x00000000023B0000-0x000000000241E000-memory.dmp

Filesize
440KB

Download
memory/1764-96-0x00000000023B0000-0x000000000241E000-memory.dmp

Filesize
440KB

Download
memory/1764-114-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1764-115-0x00000000023B0000-0x000000000241E000-memory.dmp

Filesize
440KB

Download
memory/1764-97-0x00000000023B0000-0x000000000241E000-memory.dmp

Filesize
440KB

Download
memory/1764-98-0x00000000023B0000-0x000000000241E000-memory.dmp

Filesize
440KB

Download
memory/1764-104-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1764-105-0x00000000023B0000-0x0000000002427000-memory.dmp

Filesize
476KB

Download
memory/1764-102-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1764-100-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1764-62-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1764-61-0x0000000000260000-0x00000000002A4000-memory.dmp

Filesize
272KB

Download
memory/1772-72-0x0000000000000000-mapping.dmp

Download
memory/1780-70-0x0000000000000000-mapping.dmp

Download
memory/1792-71-0x0000000000000000-mapping.dmp

Download
memory/1844-69-0x0000000000000000-mapping.dmp

Download
memory/2028-68-0x0000000000000000-mapping.dmp

Download