4a9b75d4dc37873b524781213d07ef287b05f103e95441182efbe7a46958e89c

General

Target

4a9b75d4dc37873b524781213d07ef287b05f103e95441182efbe7a46958e89c.exe
Size

373KB
MD5

81027487e69b469f4137c9041591175d
SHA1

07644c128a3af5132b7a78faa0da563fb3c53f35
SHA256

4a9b75d4dc37873b524781213d07ef287b05f103e95441182efbe7a46958e89c
SHA512

8b99c6dc8a74aed7313acf1fd16636cb941b2a0697a557bbb66c32a76e021fabe2664c0bc3ef79054f46601497900012ac5e114af92a9e33a0fc7d22bb91f54a
SSDEEP

6144:0AXn55hWv3cPkLCWp+kxLaazQ/rJ6aQ/URbERT2ElYRktprr5H:0AJ5hw3cPkLXp+k5bzQ/V6a/t4eur9

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

jeajd.exe

pid process

1868 jeajd.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1780 cmd.exe

pid	process
1780	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

4a9b75d4dc37873b524781213d07ef287b05f103e95441182efbe7a46958e89c.exe

pid	process
960	4a9b75d4dc37873b524781213d07ef287b05f103e95441182efbe7a46958e89c.exe
960	4a9b75d4dc37873b524781213d07ef287b05f103e95441182efbe7a46958e89c.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

jeajd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\Currentversion\Run	jeajd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\{CB118568-7F59-AD4D-CD9C-5E5DE9C17D40} = "C:\\Users\\Admin\\AppData\\Roaming\\Geugka\\jeajd.exe"	jeajd.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

4a9b75d4dc37873b524781213d07ef287b05f103e95441182efbe7a46958e89c.exe

description pid process target process

PID 960 set thread context of 1780 960 4a9b75d4dc37873b524781213d07ef287b05f103e95441182efbe7a46958e89c.exe cmd.exe

description	pid	process	target process
PID 960 set thread context of 1780	960	4a9b75d4dc37873b524781213d07ef287b05f103e95441182efbe7a46958e89c.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

4a9b75d4dc37873b524781213d07ef287b05f103e95441182efbe7a46958e89c.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Privacy	4a9b75d4dc37873b524781213d07ef287b05f103e95441182efbe7a46958e89c.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	4a9b75d4dc37873b524781213d07ef287b05f103e95441182efbe7a46958e89c.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

jeajd.exe

pid	process
1868	jeajd.exe
1868	jeajd.exe
1868	jeajd.exe
1868	jeajd.exe
1868	jeajd.exe
1868	jeajd.exe
1868	jeajd.exe
1868	jeajd.exe
1868	jeajd.exe
1868	jeajd.exe
1868	jeajd.exe
1868	jeajd.exe
1868	jeajd.exe
1868	jeajd.exe
1868	jeajd.exe
1868	jeajd.exe
1868	jeajd.exe
1868	jeajd.exe
1868	jeajd.exe
1868	jeajd.exe
1868	jeajd.exe
1868	jeajd.exe
1868	jeajd.exe
1868	jeajd.exe
1868	jeajd.exe
1868	jeajd.exe
1868	jeajd.exe

Suspicious use of UnmapMainImage 2 IoCs

Processes:

4a9b75d4dc37873b524781213d07ef287b05f103e95441182efbe7a46958e89c.exejeajd.exe

pid process

960 4a9b75d4dc37873b524781213d07ef287b05f103e95441182efbe7a46958e89c.exe
1868 jeajd.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

4a9b75d4dc37873b524781213d07ef287b05f103e95441182efbe7a46958e89c.exejeajd.exe

description	pid	process	target process
PID 960 wrote to memory of 1868	960	4a9b75d4dc37873b524781213d07ef287b05f103e95441182efbe7a46958e89c.exe	jeajd.exe
PID 960 wrote to memory of 1868	960	4a9b75d4dc37873b524781213d07ef287b05f103e95441182efbe7a46958e89c.exe	jeajd.exe
PID 960 wrote to memory of 1868	960	4a9b75d4dc37873b524781213d07ef287b05f103e95441182efbe7a46958e89c.exe	jeajd.exe
PID 960 wrote to memory of 1868	960	4a9b75d4dc37873b524781213d07ef287b05f103e95441182efbe7a46958e89c.exe	jeajd.exe
PID 1868 wrote to memory of 1116	1868	jeajd.exe	taskhost.exe
PID 1868 wrote to memory of 1116	1868	jeajd.exe	taskhost.exe
PID 1868 wrote to memory of 1116	1868	jeajd.exe	taskhost.exe
PID 1868 wrote to memory of 1116	1868	jeajd.exe	taskhost.exe
PID 1868 wrote to memory of 1116	1868	jeajd.exe	taskhost.exe
PID 1868 wrote to memory of 1188	1868	jeajd.exe	Dwm.exe
PID 1868 wrote to memory of 1188	1868	jeajd.exe	Dwm.exe
PID 1868 wrote to memory of 1188	1868	jeajd.exe	Dwm.exe
PID 1868 wrote to memory of 1188	1868	jeajd.exe	Dwm.exe
PID 1868 wrote to memory of 1188	1868	jeajd.exe	Dwm.exe
PID 1868 wrote to memory of 1220	1868	jeajd.exe	Explorer.EXE
PID 1868 wrote to memory of 1220	1868	jeajd.exe	Explorer.EXE
PID 1868 wrote to memory of 1220	1868	jeajd.exe	Explorer.EXE
PID 1868 wrote to memory of 1220	1868	jeajd.exe	Explorer.EXE
PID 1868 wrote to memory of 1220	1868	jeajd.exe	Explorer.EXE
PID 1868 wrote to memory of 960	1868	jeajd.exe	4a9b75d4dc37873b524781213d07ef287b05f103e95441182efbe7a46958e89c.exe
PID 1868 wrote to memory of 960	1868	jeajd.exe	4a9b75d4dc37873b524781213d07ef287b05f103e95441182efbe7a46958e89c.exe
PID 1868 wrote to memory of 960	1868	jeajd.exe	4a9b75d4dc37873b524781213d07ef287b05f103e95441182efbe7a46958e89c.exe
PID 1868 wrote to memory of 960	1868	jeajd.exe	4a9b75d4dc37873b524781213d07ef287b05f103e95441182efbe7a46958e89c.exe
PID 1868 wrote to memory of 960	1868	jeajd.exe	4a9b75d4dc37873b524781213d07ef287b05f103e95441182efbe7a46958e89c.exe
PID 960 wrote to memory of 1780	960	4a9b75d4dc37873b524781213d07ef287b05f103e95441182efbe7a46958e89c.exe	cmd.exe
PID 960 wrote to memory of 1780	960	4a9b75d4dc37873b524781213d07ef287b05f103e95441182efbe7a46958e89c.exe	cmd.exe
PID 960 wrote to memory of 1780	960	4a9b75d4dc37873b524781213d07ef287b05f103e95441182efbe7a46958e89c.exe	cmd.exe
PID 960 wrote to memory of 1780	960	4a9b75d4dc37873b524781213d07ef287b05f103e95441182efbe7a46958e89c.exe	cmd.exe
PID 960 wrote to memory of 1780	960	4a9b75d4dc37873b524781213d07ef287b05f103e95441182efbe7a46958e89c.exe	cmd.exe
PID 960 wrote to memory of 1780	960	4a9b75d4dc37873b524781213d07ef287b05f103e95441182efbe7a46958e89c.exe	cmd.exe
PID 960 wrote to memory of 1780	960	4a9b75d4dc37873b524781213d07ef287b05f103e95441182efbe7a46958e89c.exe	cmd.exe
PID 960 wrote to memory of 1780	960	4a9b75d4dc37873b524781213d07ef287b05f103e95441182efbe7a46958e89c.exe	cmd.exe
PID 960 wrote to memory of 1780	960	4a9b75d4dc37873b524781213d07ef287b05f103e95441182efbe7a46958e89c.exe	cmd.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1116

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1188

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1220

C:\Users\Admin\AppData\Local\Temp\4a9b75d4dc37873b524781213d07ef287b05f103e95441182efbe7a46958e89c.exe
"C:\Users\Admin\AppData\Local\Temp\4a9b75d4dc37873b524781213d07ef287b05f103e95441182efbe7a46958e89c.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:960

C:\Users\Admin\AppData\Roaming\Geugka\jeajd.exe
"C:\Users\Admin\AppData\Roaming\Geugka\jeajd.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1868

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpf3500217.bat"
3⤵
- Deletes itself
PID:1780

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpf3500217.bat

Filesize
307B

MD5
765a35df650969bf3e09e77f9bd3cc82

SHA1
e7913066b9a45eb12bd16d418481e19747b476e9

SHA256
3f87484bec8501b5cf2d810a35c4e37e7467be181235b28331107d283c89de98

SHA512
858bfafc7cf8d7f9678fd77d5d7518efea72b5b4b0ed67ec12ae46243c3f7b3f7b4c185b11844eb58f1062357907c9b97bda08e8090f46eedf2c4efa5a823136

Download Submit
C:\Users\Admin\AppData\Roaming\Geugka\jeajd.exe

Filesize
373KB

MD5
421aa16d86762f5f4427c1a1f9085c8f

SHA1
b017debeb7bb9b9a425c7f00ca4a2ab7ac984ac0

SHA256
6c6837cb1e2aea1613925c856415fbb6ae1237743211a934f30215940c5f5dc4

SHA512
84bfcb653709b028d98cf504549a0ddb486db9bd152a33b0f2890a475f019e48f39a4e676f4d71912162d72f31164ebae7d6fa4cbadeb6fc79a6b29548d08acf

Download Submit
C:\Users\Admin\AppData\Roaming\Geugka\jeajd.exe

Filesize
373KB

MD5
421aa16d86762f5f4427c1a1f9085c8f

SHA1
b017debeb7bb9b9a425c7f00ca4a2ab7ac984ac0

SHA256
6c6837cb1e2aea1613925c856415fbb6ae1237743211a934f30215940c5f5dc4

SHA512
84bfcb653709b028d98cf504549a0ddb486db9bd152a33b0f2890a475f019e48f39a4e676f4d71912162d72f31164ebae7d6fa4cbadeb6fc79a6b29548d08acf

Download Submit
\Users\Admin\AppData\Roaming\Geugka\jeajd.exe

Filesize
373KB

MD5
421aa16d86762f5f4427c1a1f9085c8f

SHA1
b017debeb7bb9b9a425c7f00ca4a2ab7ac984ac0

SHA256
6c6837cb1e2aea1613925c856415fbb6ae1237743211a934f30215940c5f5dc4

SHA512
84bfcb653709b028d98cf504549a0ddb486db9bd152a33b0f2890a475f019e48f39a4e676f4d71912162d72f31164ebae7d6fa4cbadeb6fc79a6b29548d08acf

Download Submit
\Users\Admin\AppData\Roaming\Geugka\jeajd.exe

Filesize
373KB

MD5
421aa16d86762f5f4427c1a1f9085c8f

SHA1
b017debeb7bb9b9a425c7f00ca4a2ab7ac984ac0

SHA256
6c6837cb1e2aea1613925c856415fbb6ae1237743211a934f30215940c5f5dc4

SHA512
84bfcb653709b028d98cf504549a0ddb486db9bd152a33b0f2890a475f019e48f39a4e676f4d71912162d72f31164ebae7d6fa4cbadeb6fc79a6b29548d08acf

Download Submit
memory/960-55-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/960-59-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/960-54-0x00000000757A1000-0x00000000757A3000-memory.dmp

Filesize
8KB

Download
memory/960-56-0x0000000000320000-0x0000000000364000-memory.dmp

Filesize
272KB

Download
memory/960-58-0x0000000000370000-0x00000000003D3000-memory.dmp

Filesize
396KB

Download
memory/960-57-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/960-87-0x0000000000500000-0x0000000000544000-memory.dmp

Filesize
272KB

Download
memory/960-88-0x0000000000500000-0x0000000000544000-memory.dmp

Filesize
272KB

Download
memory/960-86-0x0000000000500000-0x0000000000544000-memory.dmp

Filesize
272KB

Download
memory/960-89-0x0000000000500000-0x0000000000544000-memory.dmp

Filesize
272KB

Download
memory/960-93-0x0000000000500000-0x0000000000544000-memory.dmp

Filesize
272KB

Download
memory/960-102-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1116-68-0x0000000001D70000-0x0000000001DB4000-memory.dmp

Filesize
272KB

Download
memory/1116-71-0x0000000001D70000-0x0000000001DB4000-memory.dmp

Filesize
272KB

Download
memory/1116-70-0x0000000001D70000-0x0000000001DB4000-memory.dmp

Filesize
272KB

Download
memory/1116-69-0x0000000001D70000-0x0000000001DB4000-memory.dmp

Filesize
272KB

Download
memory/1116-66-0x0000000001D70000-0x0000000001DB4000-memory.dmp

Filesize
272KB

Download
memory/1188-76-0x00000000019D0000-0x0000000001A14000-memory.dmp

Filesize
272KB

Download
memory/1188-77-0x00000000019D0000-0x0000000001A14000-memory.dmp

Filesize
272KB

Download
memory/1188-75-0x00000000019D0000-0x0000000001A14000-memory.dmp

Filesize
272KB

Download
memory/1188-74-0x00000000019D0000-0x0000000001A14000-memory.dmp

Filesize
272KB

Download
memory/1220-80-0x00000000029C0000-0x0000000002A04000-memory.dmp

Filesize
272KB

Download
memory/1220-82-0x00000000029C0000-0x0000000002A04000-memory.dmp

Filesize
272KB

Download
memory/1220-81-0x00000000029C0000-0x0000000002A04000-memory.dmp

Filesize
272KB

Download
memory/1220-83-0x00000000029C0000-0x0000000002A04000-memory.dmp

Filesize
272KB

Download
memory/1780-101-0x00000000001671E6-mapping.dmp

Download
memory/1780-96-0x0000000000150000-0x0000000000194000-memory.dmp

Filesize
272KB

Download
memory/1780-98-0x0000000000150000-0x0000000000194000-memory.dmp

Filesize
272KB

Download
memory/1780-99-0x0000000000150000-0x0000000000194000-memory.dmp

Filesize
272KB

Download
memory/1780-100-0x0000000000150000-0x0000000000194000-memory.dmp

Filesize
272KB

Download
memory/1780-105-0x0000000000150000-0x0000000000194000-memory.dmp

Filesize
272KB

Download
memory/1868-92-0x0000000000400000-0x0000000000463000-memory.dmp

Filesize
396KB

Download
memory/1868-91-0x0000000000510000-0x0000000000573000-memory.dmp

Filesize
396KB

Download
memory/1868-90-0x00000000004C0000-0x0000000000504000-memory.dmp

Filesize
272KB

Download
memory/1868-62-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads