558215656731cfb9b5b289ecc355087f311cc362907854fa4e30bf24e5885d58

Analysis

max time kernel
151s
max time network
148s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
02/10/2022, 13:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

558215656731cfb9b5b289ecc355087f311cc362907854fa4e30bf24e5885d58.exe
Size

312KB
MD5

6668cd8454b35daf11bd9dba69f532e0
SHA1

5bc997203a0cb719002f12db7cf596ab2bf774ce
SHA256

558215656731cfb9b5b289ecc355087f311cc362907854fa4e30bf24e5885d58
SHA512

031a1530bd56799d0eea3aaf4041ba22f3f009eb0bb72c884e01de9a5c8ffed141b333044e5ad67e2d5bf0c5d24021714a348c32e43503b9c114323b02dbfc83
SSDEEP

6144:hRhcv7xKa31tFUDjsknZRr3DWA6rCMV7hcj0gyFmbUGcAUsZg:XhcDEa37FUDjs6brzWA6uidcIgmmbUGs

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
916	ijahwo.exe

Deletes itself 1 IoCs

pid	Process
1900	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
2004	558215656731cfb9b5b289ecc355087f311cc362907854fa4e30bf24e5885d58.exe
2004	558215656731cfb9b5b289ecc355087f311cc362907854fa4e30bf24e5885d58.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\Ijahwo = "C:\\Users\\Admin\\AppData\\Roaming\\Leogy\\ijahwo.exe"	ijahwo.exe
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run	ijahwo.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2004 set thread context of 1900	2004	558215656731cfb9b5b289ecc355087f311cc362907854fa4e30bf24e5885d58.exe	29

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
916	ijahwo.exe
916	ijahwo.exe
916	ijahwo.exe
916	ijahwo.exe
916	ijahwo.exe
916	ijahwo.exe
916	ijahwo.exe
916	ijahwo.exe
916	ijahwo.exe
916	ijahwo.exe
916	ijahwo.exe
916	ijahwo.exe
916	ijahwo.exe
916	ijahwo.exe
916	ijahwo.exe
916	ijahwo.exe
916	ijahwo.exe
916	ijahwo.exe
916	ijahwo.exe
916	ijahwo.exe
916	ijahwo.exe
916	ijahwo.exe
916	ijahwo.exe
916	ijahwo.exe
916	ijahwo.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 916	2004	558215656731cfb9b5b289ecc355087f311cc362907854fa4e30bf24e5885d58.exe	28
PID 2004 wrote to memory of 916	2004	558215656731cfb9b5b289ecc355087f311cc362907854fa4e30bf24e5885d58.exe	28
PID 2004 wrote to memory of 916	2004	558215656731cfb9b5b289ecc355087f311cc362907854fa4e30bf24e5885d58.exe	28
PID 2004 wrote to memory of 916	2004	558215656731cfb9b5b289ecc355087f311cc362907854fa4e30bf24e5885d58.exe	28
PID 916 wrote to memory of 1192	916	ijahwo.exe	17
PID 916 wrote to memory of 1192	916	ijahwo.exe	17
PID 916 wrote to memory of 1192	916	ijahwo.exe	17
PID 916 wrote to memory of 1192	916	ijahwo.exe	17
PID 916 wrote to memory of 1192	916	ijahwo.exe	17
PID 916 wrote to memory of 1220	916	ijahwo.exe	16
PID 916 wrote to memory of 1220	916	ijahwo.exe	16
PID 916 wrote to memory of 1220	916	ijahwo.exe	16
PID 916 wrote to memory of 1220	916	ijahwo.exe	16
PID 916 wrote to memory of 1220	916	ijahwo.exe	16
PID 916 wrote to memory of 1284	916	ijahwo.exe	15
PID 916 wrote to memory of 1284	916	ijahwo.exe	15
PID 916 wrote to memory of 1284	916	ijahwo.exe	15
PID 916 wrote to memory of 1284	916	ijahwo.exe	15
PID 916 wrote to memory of 1284	916	ijahwo.exe	15
PID 916 wrote to memory of 2004	916	ijahwo.exe	24
PID 916 wrote to memory of 2004	916	ijahwo.exe	24
PID 916 wrote to memory of 2004	916	ijahwo.exe	24
PID 916 wrote to memory of 2004	916	ijahwo.exe	24
PID 916 wrote to memory of 2004	916	ijahwo.exe	24
PID 2004 wrote to memory of 1900	2004	558215656731cfb9b5b289ecc355087f311cc362907854fa4e30bf24e5885d58.exe	29
PID 2004 wrote to memory of 1900	2004	558215656731cfb9b5b289ecc355087f311cc362907854fa4e30bf24e5885d58.exe	29
PID 2004 wrote to memory of 1900	2004	558215656731cfb9b5b289ecc355087f311cc362907854fa4e30bf24e5885d58.exe	29
PID 2004 wrote to memory of 1900	2004	558215656731cfb9b5b289ecc355087f311cc362907854fa4e30bf24e5885d58.exe	29
PID 2004 wrote to memory of 1900	2004	558215656731cfb9b5b289ecc355087f311cc362907854fa4e30bf24e5885d58.exe	29
PID 2004 wrote to memory of 1900	2004	558215656731cfb9b5b289ecc355087f311cc362907854fa4e30bf24e5885d58.exe	29
PID 2004 wrote to memory of 1900	2004	558215656731cfb9b5b289ecc355087f311cc362907854fa4e30bf24e5885d58.exe	29
PID 2004 wrote to memory of 1900	2004	558215656731cfb9b5b289ecc355087f311cc362907854fa4e30bf24e5885d58.exe	29
PID 2004 wrote to memory of 1900	2004	558215656731cfb9b5b289ecc355087f311cc362907854fa4e30bf24e5885d58.exe	29

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1284
- C:\Users\Admin\AppData\Local\Temp\558215656731cfb9b5b289ecc355087f311cc362907854fa4e30bf24e5885d58.exe
  "C:\Users\Admin\AppData\Local\Temp\558215656731cfb9b5b289ecc355087f311cc362907854fa4e30bf24e5885d58.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Users\Admin\AppData\Roaming\Leogy\ijahwo.exe
    "C:\Users\Admin\AppData\Roaming\Leogy\ijahwo.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:916
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp4bb81199.bat"
    3⤵
    - Deletes itself
    PID:1900

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1220

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1192

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp4bb81199.bat

Filesize
307B

MD5
947296ef5defe1331bb544e21ed5c725

SHA1
e97dfdc46a2881d0fc2b53c734c1f16c3bb8b434

SHA256
4c3a3251cf2bbfcf31b3740d19f2d5a487dbcd303d88695058258a7bb5e7b693

SHA512
7b86286b5cd974b44ac0aa71943dd2cfffff37a936931a20fff5df1e9aabfccb3da1cdc96bf0098cece60c2b503ea8331e0c351d5bb2dc997bef0e833ae6488c

Download Submit
C:\Users\Admin\AppData\Roaming\Leogy\ijahwo.exe

Filesize
312KB

MD5
d5ce4f1d9a98aa07d30dee969f8700fd

SHA1
2779c5b470a15a0b72bc40fd150da34a5016fe3d

SHA256
6f9ec9a4d1a7741f5d0554b6c3f32178f16a168e6e0073bf18e1376b3bbeb3d7

SHA512
eb4d5a5e314672f0c32169cef6d8e72cec7d8c9132810ac1d661082188d284243dbdd17405630ee1635f80770c936d493be9b7cb9fd47be9ff1fffae62028097

Download Submit
C:\Users\Admin\AppData\Roaming\Leogy\ijahwo.exe

Filesize
312KB

MD5
d5ce4f1d9a98aa07d30dee969f8700fd

SHA1
2779c5b470a15a0b72bc40fd150da34a5016fe3d

SHA256
6f9ec9a4d1a7741f5d0554b6c3f32178f16a168e6e0073bf18e1376b3bbeb3d7

SHA512
eb4d5a5e314672f0c32169cef6d8e72cec7d8c9132810ac1d661082188d284243dbdd17405630ee1635f80770c936d493be9b7cb9fd47be9ff1fffae62028097

Download Submit
\Users\Admin\AppData\Roaming\Leogy\ijahwo.exe

Filesize
312KB

MD5
d5ce4f1d9a98aa07d30dee969f8700fd

SHA1
2779c5b470a15a0b72bc40fd150da34a5016fe3d

SHA256
6f9ec9a4d1a7741f5d0554b6c3f32178f16a168e6e0073bf18e1376b3bbeb3d7

SHA512
eb4d5a5e314672f0c32169cef6d8e72cec7d8c9132810ac1d661082188d284243dbdd17405630ee1635f80770c936d493be9b7cb9fd47be9ff1fffae62028097

Download Submit
\Users\Admin\AppData\Roaming\Leogy\ijahwo.exe

Filesize
312KB

MD5
d5ce4f1d9a98aa07d30dee969f8700fd

SHA1
2779c5b470a15a0b72bc40fd150da34a5016fe3d

SHA256
6f9ec9a4d1a7741f5d0554b6c3f32178f16a168e6e0073bf18e1376b3bbeb3d7

SHA512
eb4d5a5e314672f0c32169cef6d8e72cec7d8c9132810ac1d661082188d284243dbdd17405630ee1635f80770c936d493be9b7cb9fd47be9ff1fffae62028097

Download Submit
memory/916-63-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/1192-67-0x0000000001C60000-0x0000000001CA8000-memory.dmp

Filesize
288KB

Download
memory/1192-65-0x0000000001C60000-0x0000000001CA8000-memory.dmp

Filesize
288KB

Download
memory/1192-68-0x0000000001C60000-0x0000000001CA8000-memory.dmp

Filesize
288KB

Download
memory/1192-69-0x0000000001C60000-0x0000000001CA8000-memory.dmp

Filesize
288KB

Download
memory/1192-70-0x0000000001C60000-0x0000000001CA8000-memory.dmp

Filesize
288KB

Download
memory/1220-73-0x00000000001D0000-0x0000000000218000-memory.dmp

Filesize
288KB

Download
memory/1220-74-0x00000000001D0000-0x0000000000218000-memory.dmp

Filesize
288KB

Download
memory/1220-75-0x00000000001D0000-0x0000000000218000-memory.dmp

Filesize
288KB

Download
memory/1220-76-0x00000000001D0000-0x0000000000218000-memory.dmp

Filesize
288KB

Download
memory/1284-82-0x0000000002A00000-0x0000000002A48000-memory.dmp

Filesize
288KB

Download
memory/1284-81-0x0000000002A00000-0x0000000002A48000-memory.dmp

Filesize
288KB

Download
memory/1284-79-0x0000000002A00000-0x0000000002A48000-memory.dmp

Filesize
288KB

Download
memory/1284-80-0x0000000002A00000-0x0000000002A48000-memory.dmp

Filesize
288KB

Download
memory/1900-100-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/1900-99-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/1900-113-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/1900-111-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1900-110-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1900-109-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1900-108-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1900-107-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1900-106-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1900-105-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1900-101-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/1900-97-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/2004-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2004-55-0x0000000000400000-0x0000000000455000-memory.dmp

Filesize
340KB

Download
memory/2004-94-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2004-93-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2004-103-0x0000000000850000-0x0000000000898000-memory.dmp

Filesize
288KB

Download
memory/2004-92-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2004-91-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2004-54-0x0000000075831000-0x0000000075833000-memory.dmp

Filesize
8KB

Download
memory/2004-89-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2004-88-0x0000000000850000-0x0000000000898000-memory.dmp

Filesize
288KB

Download
memory/2004-87-0x0000000000850000-0x0000000000898000-memory.dmp

Filesize
288KB

Download
memory/2004-86-0x0000000000850000-0x0000000000898000-memory.dmp

Filesize
288KB

Download
memory/2004-56-0x0000000000401000-0x0000000000441000-memory.dmp

Filesize
256KB

Download
memory/2004-85-0x0000000000850000-0x0000000000898000-memory.dmp

Filesize
288KB

Download