Analysis
- max time kernel: 190s
- max time network: 192s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07/11/2022, 17:28
Static task: static1
Behavioral task: behavioral1
  Sample: ae6107ae766f4a3813f3746f3769084dbeed7106335d99532b0b171574fb3fe8.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: ae6107ae766f4a3813f3746f3769084dbeed7106335d99532b0b171574fb3fe8.exe
  Resource: win10v2004-20220812-en
General
- Target: ae6107ae766f4a3813f3746f3769084dbeed7106335d99532b0b171574fb3fe8.exe
- Size: 80KB
- MD5: 0af6965d6706786312d35046024042f1
- SHA1: 75a98a428daef6387eb617a32d16742d912758bb
- SHA256: ae6107ae766f4a3813f3746f3769084dbeed7106335d99532b0b171574fb3fe8
- SHA512: 06d4b6aee1c68d50408ea484663820081b2cc00540a45bf7cf764649471ce9b8adbef40e026716785b1fa79372d4886bc9088ee4ea0f0c64f96a1a32c26fb220
- SSDEEP: 768:ev6nMfqgG4sOm0KUc8ebdtF5EmpW/p/hxRSH9NxIkL9v/Q6sWT:evTsTZKmpSFhxRSHdL9bsi
Malware Config
Signatures
- Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoC)
  description: Set value (int)
  ioc: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
  Process: rjmol.exe
- Executes dropped EXE (1 IoC)
  pid: 4560
  Process: rjmol.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation
  Process: ae6107ae766f4a3813f3746f3769084dbeed7106335d99532b0b171574fb3fe8.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Key created
  ioc: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run\
  Process: rjmol.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rjmol = "C:\\Users\\Admin\\rjmol.exe"
  Process: rjmol.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)
  pid: 1968
  pid_target: 2132
  Process: WerFault.exe
  procid_target: 77
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid: 4560, Process: rjmol.exe (64 identical entries)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid: 2132, Process: ae6107ae766f4a3813f3746f3769084dbeed7106335d99532b0b171574fb3fe8.exe
  pid: 4560, Process: rjmol.exe
- Suspicious use of WriteProcessMemory (43 IoCs)
  PID 2132 wrote to memory of 4560, Process: ae6107ae766f4a3813f3746f3769084dbeed7106335d99532b0b171574fb3fe8.exe, procid_target 78 (3 identical entries)
  PID 4560 wrote to memory of 2132, Process: rjmol.exe, procid_target 77 (20 identical entries)
  PID 4560 wrote to memory of 1968, Process: rjmol.exe, procid_target 81 (20 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\ae6107ae766f4a3813f3746f3769084dbeed7106335d99532b0b171574fb3fe8.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ae6107ae766f4a3813f3746f3769084dbeed7106335d99532b0b171574fb3fe8.exe"
  Depth: 1, PID: 2132
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Users\Admin\rjmol.exe
    Command line: "C:\Users\Admin\rjmol.exe"
    Depth: 2, PID: 4560
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2132 -s 1480
    Depth: 2, PID: 1968
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2132 -ip 2132
  Depth: 1, PID: 620
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 80KB
  MD5: 6edc7aa6e7322990ddc4aa9fe8757f0f
  SHA1: 124929b8403ffd8bffcfd6279a96d46add441f28
  SHA256: 76be0fd0734e28955f81d5c92d3f63ad52e347e8b27800b1ddaf81a13685b5d2
  SHA512: 7f09b833db3dd1d2f6fdf1b0b285318640bfa69150778b993baf3dc0ce53e67e29133933959bffc80ecb8d74adc59a6fe09223e58619be59ae08ff53a26066fe
- Filesize: 80KB
  MD5: 6edc7aa6e7322990ddc4aa9fe8757f0f
  SHA1: 124929b8403ffd8bffcfd6279a96d46add441f28
  SHA256: 76be0fd0734e28955f81d5c92d3f63ad52e347e8b27800b1ddaf81a13685b5d2
  SHA512: 7f09b833db3dd1d2f6fdf1b0b285318640bfa69150778b993baf3dc0ce53e67e29133933959bffc80ecb8d74adc59a6fe09223e58619be59ae08ff53a26066fe