1db8f9fb5c6629c7b7708c889e4b3ffe4ae8df53b6632ad8fa588970d7a47219

General

Target

1db8f9fb5c6629c7b7708c889e4b3ffe4ae8df53b6632ad8fa588970d7a47219.exe
Size

270KB
MD5

68520a109913da2f93eb51fb095540ca
SHA1

0f4228f4cdb236d451f71d5cd0f3963c9a1bf467
SHA256

1db8f9fb5c6629c7b7708c889e4b3ffe4ae8df53b6632ad8fa588970d7a47219
SHA512

eae9e95c8d491a533920164a3dfd145a7b2bfdd014567cd8a18c734cd0c04bd47152edb26de12e852dbfa4e98962d5ff913886827b87b2f9b40543dfa3e9d3ad
SSDEEP

6144:GtjpspqvoArlO+BeiJ2/pWTxq/fnx7GDrRcJIcxyCq0hzfob:e5vo8HVq/PERcHxywC

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

tojufi.exe

pid process

844 tojufi.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1960 cmd.exe

pid	process
1960	cmd.exe

Loads dropped DLL 2 IoCs

Processes:

1db8f9fb5c6629c7b7708c889e4b3ffe4ae8df53b6632ad8fa588970d7a47219.exe

pid	process
1780	1db8f9fb5c6629c7b7708c889e4b3ffe4ae8df53b6632ad8fa588970d7a47219.exe
1780	1db8f9fb5c6629c7b7708c889e4b3ffe4ae8df53b6632ad8fa588970d7a47219.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tojufi.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\Currentversion\Run	tojufi.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7B4F18C8-4FEF-AD4D-3A07-B8B71A0C9BAA} = "C:\\Users\\Admin\\AppData\\Roaming\\Moer\\tojufi.exe"	tojufi.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1db8f9fb5c6629c7b7708c889e4b3ffe4ae8df53b6632ad8fa588970d7a47219.exe

description	pid	process	target process
PID 1780 set thread context of 1960	1780	1db8f9fb5c6629c7b7708c889e4b3ffe4ae8df53b6632ad8fa588970d7a47219.exe	cmd.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

1db8f9fb5c6629c7b7708c889e4b3ffe4ae8df53b6632ad8fa588970d7a47219.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Privacy	1db8f9fb5c6629c7b7708c889e4b3ffe4ae8df53b6632ad8fa588970d7a47219.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0"	1db8f9fb5c6629c7b7708c889e4b3ffe4ae8df53b6632ad8fa588970d7a47219.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

tojufi.exe

pid	process
844	tojufi.exe
844	tojufi.exe
844	tojufi.exe
844	tojufi.exe
844	tojufi.exe
844	tojufi.exe
844	tojufi.exe
844	tojufi.exe
844	tojufi.exe
844	tojufi.exe
844	tojufi.exe
844	tojufi.exe
844	tojufi.exe
844	tojufi.exe
844	tojufi.exe
844	tojufi.exe
844	tojufi.exe
844	tojufi.exe
844	tojufi.exe
844	tojufi.exe
844	tojufi.exe
844	tojufi.exe
844	tojufi.exe
844	tojufi.exe
844	tojufi.exe
844	tojufi.exe
844	tojufi.exe

Suspicious use of UnmapMainImage 2 IoCs

Processes:

1db8f9fb5c6629c7b7708c889e4b3ffe4ae8df53b6632ad8fa588970d7a47219.exetojufi.exe

pid process

1780 1db8f9fb5c6629c7b7708c889e4b3ffe4ae8df53b6632ad8fa588970d7a47219.exe
844 tojufi.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

1db8f9fb5c6629c7b7708c889e4b3ffe4ae8df53b6632ad8fa588970d7a47219.exetojufi.exe

description	pid	process	target process
PID 1780 wrote to memory of 844	1780	1db8f9fb5c6629c7b7708c889e4b3ffe4ae8df53b6632ad8fa588970d7a47219.exe	tojufi.exe
PID 1780 wrote to memory of 844	1780	1db8f9fb5c6629c7b7708c889e4b3ffe4ae8df53b6632ad8fa588970d7a47219.exe	tojufi.exe
PID 1780 wrote to memory of 844	1780	1db8f9fb5c6629c7b7708c889e4b3ffe4ae8df53b6632ad8fa588970d7a47219.exe	tojufi.exe
PID 1780 wrote to memory of 844	1780	1db8f9fb5c6629c7b7708c889e4b3ffe4ae8df53b6632ad8fa588970d7a47219.exe	tojufi.exe
PID 844 wrote to memory of 1120	844	tojufi.exe	taskhost.exe
PID 844 wrote to memory of 1120	844	tojufi.exe	taskhost.exe
PID 844 wrote to memory of 1120	844	tojufi.exe	taskhost.exe
PID 844 wrote to memory of 1120	844	tojufi.exe	taskhost.exe
PID 844 wrote to memory of 1120	844	tojufi.exe	taskhost.exe
PID 844 wrote to memory of 1164	844	tojufi.exe	Dwm.exe
PID 844 wrote to memory of 1164	844	tojufi.exe	Dwm.exe
PID 844 wrote to memory of 1164	844	tojufi.exe	Dwm.exe
PID 844 wrote to memory of 1164	844	tojufi.exe	Dwm.exe
PID 844 wrote to memory of 1164	844	tojufi.exe	Dwm.exe
PID 844 wrote to memory of 1196	844	tojufi.exe	Explorer.EXE
PID 844 wrote to memory of 1196	844	tojufi.exe	Explorer.EXE
PID 844 wrote to memory of 1196	844	tojufi.exe	Explorer.EXE
PID 844 wrote to memory of 1196	844	tojufi.exe	Explorer.EXE
PID 844 wrote to memory of 1196	844	tojufi.exe	Explorer.EXE
PID 844 wrote to memory of 1780	844	tojufi.exe	1db8f9fb5c6629c7b7708c889e4b3ffe4ae8df53b6632ad8fa588970d7a47219.exe
PID 844 wrote to memory of 1780	844	tojufi.exe	1db8f9fb5c6629c7b7708c889e4b3ffe4ae8df53b6632ad8fa588970d7a47219.exe
PID 844 wrote to memory of 1780	844	tojufi.exe	1db8f9fb5c6629c7b7708c889e4b3ffe4ae8df53b6632ad8fa588970d7a47219.exe
PID 844 wrote to memory of 1780	844	tojufi.exe	1db8f9fb5c6629c7b7708c889e4b3ffe4ae8df53b6632ad8fa588970d7a47219.exe
PID 844 wrote to memory of 1780	844	tojufi.exe	1db8f9fb5c6629c7b7708c889e4b3ffe4ae8df53b6632ad8fa588970d7a47219.exe
PID 1780 wrote to memory of 1960	1780	1db8f9fb5c6629c7b7708c889e4b3ffe4ae8df53b6632ad8fa588970d7a47219.exe	cmd.exe
PID 1780 wrote to memory of 1960	1780	1db8f9fb5c6629c7b7708c889e4b3ffe4ae8df53b6632ad8fa588970d7a47219.exe	cmd.exe
PID 1780 wrote to memory of 1960	1780	1db8f9fb5c6629c7b7708c889e4b3ffe4ae8df53b6632ad8fa588970d7a47219.exe	cmd.exe
PID 1780 wrote to memory of 1960	1780	1db8f9fb5c6629c7b7708c889e4b3ffe4ae8df53b6632ad8fa588970d7a47219.exe	cmd.exe
PID 1780 wrote to memory of 1960	1780	1db8f9fb5c6629c7b7708c889e4b3ffe4ae8df53b6632ad8fa588970d7a47219.exe	cmd.exe
PID 1780 wrote to memory of 1960	1780	1db8f9fb5c6629c7b7708c889e4b3ffe4ae8df53b6632ad8fa588970d7a47219.exe	cmd.exe
PID 1780 wrote to memory of 1960	1780	1db8f9fb5c6629c7b7708c889e4b3ffe4ae8df53b6632ad8fa588970d7a47219.exe	cmd.exe
PID 1780 wrote to memory of 1960	1780	1db8f9fb5c6629c7b7708c889e4b3ffe4ae8df53b6632ad8fa588970d7a47219.exe	cmd.exe
PID 1780 wrote to memory of 1960	1780	1db8f9fb5c6629c7b7708c889e4b3ffe4ae8df53b6632ad8fa588970d7a47219.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1196

C:\Users\Admin\AppData\Local\Temp\1db8f9fb5c6629c7b7708c889e4b3ffe4ae8df53b6632ad8fa588970d7a47219.exe
"C:\Users\Admin\AppData\Local\Temp\1db8f9fb5c6629c7b7708c889e4b3ffe4ae8df53b6632ad8fa588970d7a47219.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1780

C:\Users\Admin\AppData\Roaming\Moer\tojufi.exe
"C:\Users\Admin\AppData\Roaming\Moer\tojufi.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:844

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpe497cc05.bat"
3⤵
- Deletes itself
PID:1960

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1164

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpe497cc05.bat

Filesize
307B

MD5
168352ef240c6c2daac54060be0a01e0

SHA1
f351bdb4b0fb4d960e1c5e7967b4ee1b1ebe605e

SHA256
71298e2c94106a01416d6545a24232b5b21423b93f54bfb6ce220e0627081ac4

SHA512
7d9c462c5a25b0cc31138a49a06ac5a2f85d37312923b7ca8f4ed9ddb183eae4429687d9941f0e5b0fdc9c0c1ab1e5f9c44b492f74dacd6cd3ef71b0c826c808

Download Submit
C:\Users\Admin\AppData\Roaming\Moer\tojufi.exe

Filesize
270KB

MD5
4e57c3943a50aeb5df733f531465dc28

SHA1
0102468a832582b73d99b52cedd67911ddd21708

SHA256
15140b75d9e72a977b3b7040c01e9cf32739a55bd28fc1400756ce8fb740d670

SHA512
4e1730d7ab4b66aea6d2fb4b8481bfeedbb8bf7d9fc8ea15ad502355673e9420a52a73f84e09ad61ed9b748dfe92646dacffd7515459886658df70119abfdb97

Download Submit
C:\Users\Admin\AppData\Roaming\Moer\tojufi.exe

Filesize
270KB

MD5
4e57c3943a50aeb5df733f531465dc28

SHA1
0102468a832582b73d99b52cedd67911ddd21708

SHA256
15140b75d9e72a977b3b7040c01e9cf32739a55bd28fc1400756ce8fb740d670

SHA512
4e1730d7ab4b66aea6d2fb4b8481bfeedbb8bf7d9fc8ea15ad502355673e9420a52a73f84e09ad61ed9b748dfe92646dacffd7515459886658df70119abfdb97

Download Submit
\Users\Admin\AppData\Roaming\Moer\tojufi.exe

Filesize
270KB

MD5
4e57c3943a50aeb5df733f531465dc28

SHA1
0102468a832582b73d99b52cedd67911ddd21708

SHA256
15140b75d9e72a977b3b7040c01e9cf32739a55bd28fc1400756ce8fb740d670

SHA512
4e1730d7ab4b66aea6d2fb4b8481bfeedbb8bf7d9fc8ea15ad502355673e9420a52a73f84e09ad61ed9b748dfe92646dacffd7515459886658df70119abfdb97

Download Submit
\Users\Admin\AppData\Roaming\Moer\tojufi.exe

Filesize
270KB

MD5
4e57c3943a50aeb5df733f531465dc28

SHA1
0102468a832582b73d99b52cedd67911ddd21708

SHA256
15140b75d9e72a977b3b7040c01e9cf32739a55bd28fc1400756ce8fb740d670

SHA512
4e1730d7ab4b66aea6d2fb4b8481bfeedbb8bf7d9fc8ea15ad502355673e9420a52a73f84e09ad61ed9b748dfe92646dacffd7515459886658df70119abfdb97

Download Submit
memory/844-94-0x0000000000390000-0x00000000003D6000-memory.dmp

Filesize
280KB

Download
memory/844-108-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/844-59-0x0000000000000000-mapping.dmp

Download
memory/844-91-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/844-93-0x0000000000340000-0x0000000000382000-memory.dmp

Filesize
264KB

Download
memory/1120-63-0x0000000001DE0000-0x0000000001E22000-memory.dmp

Filesize
264KB

Download
memory/1120-67-0x0000000001DE0000-0x0000000001E22000-memory.dmp

Filesize
264KB

Download
memory/1120-68-0x0000000001DE0000-0x0000000001E22000-memory.dmp

Filesize
264KB

Download
memory/1120-66-0x0000000001DE0000-0x0000000001E22000-memory.dmp

Filesize
264KB

Download
memory/1120-65-0x0000000001DE0000-0x0000000001E22000-memory.dmp

Filesize
264KB

Download
memory/1164-72-0x0000000001CB0000-0x0000000001CF2000-memory.dmp

Filesize
264KB

Download
memory/1164-73-0x0000000001CB0000-0x0000000001CF2000-memory.dmp

Filesize
264KB

Download
memory/1164-74-0x0000000001CB0000-0x0000000001CF2000-memory.dmp

Filesize
264KB

Download
memory/1164-71-0x0000000001CB0000-0x0000000001CF2000-memory.dmp

Filesize
264KB

Download
memory/1196-80-0x0000000002200000-0x0000000002242000-memory.dmp

Filesize
264KB

Download
memory/1196-77-0x0000000002200000-0x0000000002242000-memory.dmp

Filesize
264KB

Download
memory/1196-78-0x0000000002200000-0x0000000002242000-memory.dmp

Filesize
264KB

Download
memory/1196-79-0x0000000002200000-0x0000000002242000-memory.dmp

Filesize
264KB

Download
memory/1780-85-0x00000000004F0000-0x0000000000536000-memory.dmp

Filesize
280KB

Download
memory/1780-87-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1780-89-0x0000000001CB0000-0x0000000001CF6000-memory.dmp

Filesize
280KB

Download
memory/1780-83-0x0000000000450000-0x0000000000492000-memory.dmp

Filesize
264KB

Download
memory/1780-92-0x0000000001CB0000-0x0000000001CF2000-memory.dmp

Filesize
264KB

Download
memory/1780-82-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1780-103-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1780-54-0x00000000762F1000-0x00000000762F3000-memory.dmp

Filesize
8KB

Download
memory/1780-55-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1780-56-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1780-104-0x0000000001CB0000-0x0000000001CF2000-memory.dmp

Filesize
264KB

Download
memory/1960-97-0x0000000000050000-0x0000000000092000-memory.dmp

Filesize
264KB

Download
memory/1960-102-0x000000000005E4C8-mapping.dmp

Download
memory/1960-101-0x0000000000050000-0x0000000000092000-memory.dmp

Filesize
264KB

Download
memory/1960-100-0x0000000000050000-0x0000000000092000-memory.dmp

Filesize
264KB

Download
memory/1960-107-0x0000000000050000-0x0000000000092000-memory.dmp

Filesize
264KB

Download
memory/1960-99-0x0000000000050000-0x0000000000092000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads