ef6491c53d7c8ef9fe2128d839084899379047a5a9d0d464a525c6c0ed70be97

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
06/11/2022, 06:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef6491c53d7c8ef9fe2128d839084899379047a5a9d0d464a525c6c0ed70be97.exe
Size

351KB
MD5

0881b6b804dc273e3db47068fc2c50df
SHA1

4a720c0d101da6f5c9511a236b6ac55bbdb33655
SHA256

ef6491c53d7c8ef9fe2128d839084899379047a5a9d0d464a525c6c0ed70be97
SHA512

09956f7deed4ef84725f786a6e06853b381261af9820a0039a90f1e0ddc310c8bffcaab5c7ffe65271b99e00e425818364420e71f1c938044201d1abddf38693
SSDEEP

6144:5j6xvRw4yWlSIB+qSHuMK+Uu8J8RCf6GVAn69y/TNj6h3Jo/Yf:xC5SsfMK+UhJ3f60XkTN5w

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1972	jafu.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\Currentversion\Run	jafu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{32C81FC9-556D-BCA0-B82C-F77E75D9ED7C} = "C:\\Users\\Admin\\AppData\\Roaming\\Okesoz\\jafu.exe"	jafu.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1444 set thread context of 4124	1444	ef6491c53d7c8ef9fe2128d839084899379047a5a9d0d464a525c6c0ed70be97.exe	84

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
1972	jafu.exe
1972	jafu.exe
1972	jafu.exe
1972	jafu.exe
1972	jafu.exe
1972	jafu.exe
1972	jafu.exe
1972	jafu.exe
1972	jafu.exe
1972	jafu.exe
1972	jafu.exe
1972	jafu.exe
1972	jafu.exe
1972	jafu.exe
1972	jafu.exe
1972	jafu.exe
1972	jafu.exe
1972	jafu.exe
1972	jafu.exe
1972	jafu.exe
1972	jafu.exe
1972	jafu.exe
1972	jafu.exe
1972	jafu.exe
1972	jafu.exe
1972	jafu.exe
1972	jafu.exe
1972	jafu.exe
1972	jafu.exe
1972	jafu.exe
1972	jafu.exe
1972	jafu.exe
1972	jafu.exe
1972	jafu.exe
1972	jafu.exe
1972	jafu.exe
1972	jafu.exe
1972	jafu.exe
1972	jafu.exe
1972	jafu.exe
1972	jafu.exe
1972	jafu.exe
1972	jafu.exe
1972	jafu.exe
1972	jafu.exe
1972	jafu.exe
1972	jafu.exe
1972	jafu.exe
1972	jafu.exe
1972	jafu.exe
1972	jafu.exe
1972	jafu.exe
1972	jafu.exe
1972	jafu.exe
1972	jafu.exe
1972	jafu.exe
1972	jafu.exe
1972	jafu.exe
1972	jafu.exe
1972	jafu.exe
1972	jafu.exe
1972	jafu.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1444 wrote to memory of 1972	1444	ef6491c53d7c8ef9fe2128d839084899379047a5a9d0d464a525c6c0ed70be97.exe	83
PID 1444 wrote to memory of 1972	1444	ef6491c53d7c8ef9fe2128d839084899379047a5a9d0d464a525c6c0ed70be97.exe	83
PID 1444 wrote to memory of 1972	1444	ef6491c53d7c8ef9fe2128d839084899379047a5a9d0d464a525c6c0ed70be97.exe	83
PID 1972 wrote to memory of 2332	1972	jafu.exe	47
PID 1972 wrote to memory of 2332	1972	jafu.exe	47
PID 1972 wrote to memory of 2332	1972	jafu.exe	47
PID 1972 wrote to memory of 2332	1972	jafu.exe	47
PID 1972 wrote to memory of 2332	1972	jafu.exe	47
PID 1972 wrote to memory of 2368	1972	jafu.exe	46
PID 1972 wrote to memory of 2368	1972	jafu.exe	46
PID 1972 wrote to memory of 2368	1972	jafu.exe	46
PID 1972 wrote to memory of 2368	1972	jafu.exe	46
PID 1972 wrote to memory of 2368	1972	jafu.exe	46
PID 1972 wrote to memory of 2464	1972	jafu.exe	43
PID 1972 wrote to memory of 2464	1972	jafu.exe	43
PID 1972 wrote to memory of 2464	1972	jafu.exe	43
PID 1972 wrote to memory of 2464	1972	jafu.exe	43
PID 1972 wrote to memory of 2464	1972	jafu.exe	43
PID 1972 wrote to memory of 2756	1972	jafu.exe	13
PID 1972 wrote to memory of 2756	1972	jafu.exe	13
PID 1972 wrote to memory of 2756	1972	jafu.exe	13
PID 1972 wrote to memory of 2756	1972	jafu.exe	13
PID 1972 wrote to memory of 2756	1972	jafu.exe	13
PID 1972 wrote to memory of 2752	1972	jafu.exe	12
PID 1972 wrote to memory of 2752	1972	jafu.exe	12
PID 1972 wrote to memory of 2752	1972	jafu.exe	12
PID 1972 wrote to memory of 2752	1972	jafu.exe	12
PID 1972 wrote to memory of 2752	1972	jafu.exe	12
PID 1972 wrote to memory of 3256	1972	jafu.exe	11
PID 1972 wrote to memory of 3256	1972	jafu.exe	11
PID 1972 wrote to memory of 3256	1972	jafu.exe	11
PID 1972 wrote to memory of 3256	1972	jafu.exe	11
PID 1972 wrote to memory of 3256	1972	jafu.exe	11
PID 1972 wrote to memory of 3356	1972	jafu.exe	10
PID 1972 wrote to memory of 3356	1972	jafu.exe	10
PID 1972 wrote to memory of 3356	1972	jafu.exe	10
PID 1972 wrote to memory of 3356	1972	jafu.exe	10
PID 1972 wrote to memory of 3356	1972	jafu.exe	10
PID 1972 wrote to memory of 3420	1972	jafu.exe	9
PID 1972 wrote to memory of 3420	1972	jafu.exe	9
PID 1972 wrote to memory of 3420	1972	jafu.exe	9
PID 1972 wrote to memory of 3420	1972	jafu.exe	9
PID 1972 wrote to memory of 3420	1972	jafu.exe	9
PID 1972 wrote to memory of 3516	1972	jafu.exe	38
PID 1972 wrote to memory of 3516	1972	jafu.exe	38
PID 1972 wrote to memory of 3516	1972	jafu.exe	38
PID 1972 wrote to memory of 3516	1972	jafu.exe	38
PID 1972 wrote to memory of 3516	1972	jafu.exe	38
PID 1972 wrote to memory of 3808	1972	jafu.exe	37
PID 1972 wrote to memory of 3808	1972	jafu.exe	37
PID 1972 wrote to memory of 3808	1972	jafu.exe	37
PID 1972 wrote to memory of 3808	1972	jafu.exe	37
PID 1972 wrote to memory of 3808	1972	jafu.exe	37
PID 1972 wrote to memory of 4720	1972	jafu.exe	34
PID 1972 wrote to memory of 4720	1972	jafu.exe	34
PID 1972 wrote to memory of 4720	1972	jafu.exe	34
PID 1972 wrote to memory of 4720	1972	jafu.exe	34
PID 1972 wrote to memory of 4720	1972	jafu.exe	34
PID 1972 wrote to memory of 3444	1972	jafu.exe	24
PID 1972 wrote to memory of 3444	1972	jafu.exe	24
PID 1972 wrote to memory of 3444	1972	jafu.exe	24
PID 1972 wrote to memory of 3444	1972	jafu.exe	24
PID 1972 wrote to memory of 3444	1972	jafu.exe	24
PID 1972 wrote to memory of 2380	1972	jafu.exe	21

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3420

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3356

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3256

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:2752

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2756
- C:\Users\Admin\AppData\Local\Temp\ef6491c53d7c8ef9fe2128d839084899379047a5a9d0d464a525c6c0ed70be97.exe
  "C:\Users\Admin\AppData\Local\Temp\ef6491c53d7c8ef9fe2128d839084899379047a5a9d0d464a525c6c0ed70be97.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1444
- - C:\Users\Admin\AppData\Roaming\Okesoz\jafu.exe
    "C:\Users\Admin\AppData\Roaming\Okesoz\jafu.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1972
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmp9ff4b4c5.bat"
    3⤵
    PID:4124

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2380

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
1⤵
PID:3444

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4720

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3808

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3516

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2368

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2332

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9ff4b4c5.bat

Filesize
307B

MD5
5603ed71a2503e6b638c46505cbfc905

SHA1
0a6129bf03d444d97449ef627b6dfa7aa604f416

SHA256
8c8bcbe7d16c52946b32db886f6cb69fb17aa160e638321b3c8b87285e9e8525

SHA512
3a6fef3ff1a00c2ea2a332aeae3735c3fc7cf8b96d604c7b53087a62b80bb071a39366e21cec2e8f136561d9f65c0d8b065daadf59f33f5e8428fe4905dbbfa5

Download Submit
C:\Users\Admin\AppData\Roaming\Okesoz\jafu.exe

Filesize
351KB

MD5
543244e8ee08efde99a07330f110f113

SHA1
6c261f1b9d04a721961590148f208f38a2d2f065

SHA256
46fc8a7901f711608f9eb276276622e5edf0dbeaaf7b6b87908d57902f4101e4

SHA512
4f224feead34197c901d1d669d6eaa410509c45f4db94eadbf708aaff58b0a39e6f72a3c45da8e3c99e10f780dbecb68690f060768049151500cc320e8de707b

Download Submit
C:\Users\Admin\AppData\Roaming\Okesoz\jafu.exe

Filesize
351KB

MD5
543244e8ee08efde99a07330f110f113

SHA1
6c261f1b9d04a721961590148f208f38a2d2f065

SHA256
46fc8a7901f711608f9eb276276622e5edf0dbeaaf7b6b87908d57902f4101e4

SHA512
4f224feead34197c901d1d669d6eaa410509c45f4db94eadbf708aaff58b0a39e6f72a3c45da8e3c99e10f780dbecb68690f060768049151500cc320e8de707b

Download Submit
memory/1444-146-0x0000000002200000-0x0000000002247000-memory.dmp

Filesize
284KB

Download
memory/1444-148-0x00000000022B0000-0x00000000022F7000-memory.dmp

Filesize
284KB

Download
memory/1444-133-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1444-138-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1444-139-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1444-140-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1444-141-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1444-142-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1444-143-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1444-134-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1444-147-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1444-132-0x0000000002200000-0x0000000002247000-memory.dmp

Filesize
284KB

Download
memory/1972-158-0x00000000020C0000-0x0000000002107000-memory.dmp

Filesize
284KB

Download
memory/1972-160-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/1972-159-0x0000000000400000-0x000000000045A000-memory.dmp

Filesize
360KB

Download
memory/4124-153-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4124-152-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4124-145-0x0000000000730000-0x0000000000777000-memory.dmp

Filesize
284KB

Download
memory/4124-154-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4124-155-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4124-157-0x0000000000730000-0x0000000000777000-memory.dmp

Filesize
284KB

Download
memory/4124-151-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4124-150-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/4124-149-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download