a09d3b9379c5c36179d2b05ec036a08e124bddd0ce60c8315fd13001185a7e47

Analysis

max time kernel
152s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
30/10/2022, 07:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a09d3b9379c5c36179d2b05ec036a08e124bddd0ce60c8315fd13001185a7e47.exe
Size

11KB
MD5

93a99069eb6bccb1357b64e1dea21ac0
SHA1

4602fc1f2d60da9776a73d214a93c07b1ba5aab7
SHA256

a09d3b9379c5c36179d2b05ec036a08e124bddd0ce60c8315fd13001185a7e47
SHA512

fd706a7676c37723cf117265f67f3eb0aa2d2fd01f59e53cb89f62c268a984f2c55fa4ec02922a9a4762e91d1125f0173e6c20e71d798afbd523d4d649efc091
SSDEEP

192:/S78nn9HXDCDdCbU1IQigMrvKuB8j/QF9CbznJ3FKuoC5b3HNAcmg:a7e3WaUOziSFPC3nHo2Ig

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1588	jolinosk.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0003000000022de7-136.dat	upx
behavioral2/files/0x0003000000022de7-137.dat	upx
behavioral2/memory/1968-138-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/1588-139-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/1588-140-0x0000000000400000-0x000000000040E000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\jolinos.dll	a09d3b9379c5c36179d2b05ec036a08e124bddd0ce60c8315fd13001185a7e47.exe
File created	C:\Windows\SysWOW64\jolinosk.exe	a09d3b9379c5c36179d2b05ec036a08e124bddd0ce60c8315fd13001185a7e47.exe
File opened for modification	C:\Windows\SysWOW64\jolinosk.exe	a09d3b9379c5c36179d2b05ec036a08e124bddd0ce60c8315fd13001185a7e47.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 1588	1968	a09d3b9379c5c36179d2b05ec036a08e124bddd0ce60c8315fd13001185a7e47.exe	82
PID 1968 wrote to memory of 1588	1968	a09d3b9379c5c36179d2b05ec036a08e124bddd0ce60c8315fd13001185a7e47.exe	82
PID 1968 wrote to memory of 1588	1968	a09d3b9379c5c36179d2b05ec036a08e124bddd0ce60c8315fd13001185a7e47.exe	82
PID 1968 wrote to memory of 4892	1968	a09d3b9379c5c36179d2b05ec036a08e124bddd0ce60c8315fd13001185a7e47.exe	92
PID 1968 wrote to memory of 4892	1968	a09d3b9379c5c36179d2b05ec036a08e124bddd0ce60c8315fd13001185a7e47.exe	92
PID 1968 wrote to memory of 4892	1968	a09d3b9379c5c36179d2b05ec036a08e124bddd0ce60c8315fd13001185a7e47.exe	92

C:\Users\Admin\AppData\Local\Temp\a09d3b9379c5c36179d2b05ec036a08e124bddd0ce60c8315fd13001185a7e47.exe
"C:\Users\Admin\AppData\Local\Temp\a09d3b9379c5c36179d2b05ec036a08e124bddd0ce60c8315fd13001185a7e47.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Windows\SysWOW64\jolinosk.exe
  C:\Windows\system32\jolinosk.exe ˜‰
  2⤵
  - Executes dropped EXE
  PID:1588
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\a09d3b9379c5c36179d2b05ec036a08e124bddd0ce60c8315fd13001185a7e47.exe.bat
  2⤵
  PID:4892

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a09d3b9379c5c36179d2b05ec036a08e124bddd0ce60c8315fd13001185a7e47.exe.bat

Filesize
246B

MD5
3bf5a3f5e555f94e1e485877d7b6ed48

SHA1
c66ef5e3a8037ae14570aca65b54cbeed2d9e08f

SHA256
f9c2ac3d1d244541a79e28ee83064fe466f813dfe8cc0106917c971335e9d40f

SHA512
ed1f034b9a7d5ca9e2c62c57f2f3f358af1720dfff535b270e86ee600c4f07df48f85c8a146f100c80c51e4c2b8aab375212445f2106f8b8f5be5c0696194718

Download Submit
C:\Windows\SysWOW64\jolinosk.exe

Filesize
11KB

MD5
93a99069eb6bccb1357b64e1dea21ac0

SHA1
4602fc1f2d60da9776a73d214a93c07b1ba5aab7

SHA256
a09d3b9379c5c36179d2b05ec036a08e124bddd0ce60c8315fd13001185a7e47

SHA512
fd706a7676c37723cf117265f67f3eb0aa2d2fd01f59e53cb89f62c268a984f2c55fa4ec02922a9a4762e91d1125f0173e6c20e71d798afbd523d4d649efc091

Download Submit
C:\Windows\SysWOW64\jolinosk.exe

Filesize
11KB

MD5
93a99069eb6bccb1357b64e1dea21ac0

SHA1
4602fc1f2d60da9776a73d214a93c07b1ba5aab7

SHA256
a09d3b9379c5c36179d2b05ec036a08e124bddd0ce60c8315fd13001185a7e47

SHA512
fd706a7676c37723cf117265f67f3eb0aa2d2fd01f59e53cb89f62c268a984f2c55fa4ec02922a9a4762e91d1125f0173e6c20e71d798afbd523d4d649efc091

Download Submit
memory/1588-139-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1588-140-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1968-138-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download