233af642b3e22613551e087a7cefcf2a530752da6613efc52da7cb957cb8f0f3

General

Target

233af642b3e22613551e087a7cefcf2a530752da6613efc52da7cb957cb8f0f3.dll
Size

63KB
MD5

ab07a13a5f27d85daa3f4636b41c4622
SHA1

d6a919d524356f3ddbf6d8b209bc65cbddf2294d
SHA256

233af642b3e22613551e087a7cefcf2a530752da6613efc52da7cb957cb8f0f3
SHA512

e8459c5988bac2633c7d052f961fc3dc4c1eae64dd2686e74d909ee1a0f338460117031278c886a8e22fd82086be9451fb73e141f54dbd40bd4818814704ec66
SSDEEP

1536:jeYzhn0K1uAiuYUaZabt5Qv7fU1WTD+TUT+1A:KYzhnHcAimEyfSfWkU1

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

imejpmig.exe

pid process

1732 imejpmig.exe
Loads dropped DLL 2 IoCs

Processes:

rundll32.exeimejpmig.exe

pid process

1260 rundll32.exe
1732 imejpmig.exe

pid	process
1732	imejpmig.exe

pid	process
1260	rundll32.exe
1732	imejpmig.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

imejpmig.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\imejp = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\IMJP8_1\\imejpmig.exe"	imejpmig.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exeipconfig.exe

pid process

920 ipconfig.exe
1936 ipconfig.exe
Gathers system information 1 TTPs 2 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exesysteminfo.exe

pid process

624 systeminfo.exe
1600 systeminfo.exe
Runs net.exe

pid	process
920	ipconfig.exe
1936	ipconfig.exe

pid	process
624	systeminfo.exe
1600	systeminfo.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

rundll32.exerundll32.exeimejpmig.execmd.execmd.exenet.execmd.execmd.execmd.exenet.exe

description	pid	process	target process
PID 1632 wrote to memory of 1260	1632	rundll32.exe	rundll32.exe
PID 1632 wrote to memory of 1260	1632	rundll32.exe	rundll32.exe
PID 1632 wrote to memory of 1260	1632	rundll32.exe	rundll32.exe
PID 1632 wrote to memory of 1260	1632	rundll32.exe	rundll32.exe
PID 1632 wrote to memory of 1260	1632	rundll32.exe	rundll32.exe
PID 1632 wrote to memory of 1260	1632	rundll32.exe	rundll32.exe
PID 1632 wrote to memory of 1260	1632	rundll32.exe	rundll32.exe
PID 1260 wrote to memory of 1732	1260	rundll32.exe	imejpmig.exe
PID 1260 wrote to memory of 1732	1260	rundll32.exe	imejpmig.exe
PID 1260 wrote to memory of 1732	1260	rundll32.exe	imejpmig.exe
PID 1260 wrote to memory of 1732	1260	rundll32.exe	imejpmig.exe
PID 1732 wrote to memory of 824	1732	imejpmig.exe	cmd.exe
PID 1732 wrote to memory of 824	1732	imejpmig.exe	cmd.exe
PID 1732 wrote to memory of 824	1732	imejpmig.exe	cmd.exe
PID 1732 wrote to memory of 824	1732	imejpmig.exe	cmd.exe
PID 824 wrote to memory of 920	824	cmd.exe	ipconfig.exe
PID 824 wrote to memory of 920	824	cmd.exe	ipconfig.exe
PID 824 wrote to memory of 920	824	cmd.exe	ipconfig.exe
PID 824 wrote to memory of 920	824	cmd.exe	ipconfig.exe
PID 1732 wrote to memory of 900	1732	imejpmig.exe	cmd.exe
PID 1732 wrote to memory of 900	1732	imejpmig.exe	cmd.exe
PID 1732 wrote to memory of 900	1732	imejpmig.exe	cmd.exe
PID 1732 wrote to memory of 900	1732	imejpmig.exe	cmd.exe
PID 900 wrote to memory of 1576	900	cmd.exe	net.exe
PID 900 wrote to memory of 1576	900	cmd.exe	net.exe
PID 900 wrote to memory of 1576	900	cmd.exe	net.exe
PID 900 wrote to memory of 1576	900	cmd.exe	net.exe
PID 1576 wrote to memory of 392	1576	net.exe	net1.exe
PID 1576 wrote to memory of 392	1576	net.exe	net1.exe
PID 1576 wrote to memory of 392	1576	net.exe	net1.exe
PID 1576 wrote to memory of 392	1576	net.exe	net1.exe
PID 1732 wrote to memory of 284	1732	imejpmig.exe	cmd.exe
PID 1732 wrote to memory of 284	1732	imejpmig.exe	cmd.exe
PID 1732 wrote to memory of 284	1732	imejpmig.exe	cmd.exe
PID 1732 wrote to memory of 284	1732	imejpmig.exe	cmd.exe
PID 1732 wrote to memory of 1756	1732	imejpmig.exe	cmd.exe
PID 1732 wrote to memory of 1756	1732	imejpmig.exe	cmd.exe
PID 1732 wrote to memory of 1756	1732	imejpmig.exe	cmd.exe
PID 1732 wrote to memory of 1756	1732	imejpmig.exe	cmd.exe
PID 1756 wrote to memory of 624	1756	cmd.exe	systeminfo.exe
PID 1756 wrote to memory of 624	1756	cmd.exe	systeminfo.exe
PID 1756 wrote to memory of 624	1756	cmd.exe	systeminfo.exe
PID 1756 wrote to memory of 624	1756	cmd.exe	systeminfo.exe
PID 1732 wrote to memory of 1564	1732	imejpmig.exe	cmd.exe
PID 1732 wrote to memory of 1564	1732	imejpmig.exe	cmd.exe
PID 1732 wrote to memory of 1564	1732	imejpmig.exe	cmd.exe
PID 1732 wrote to memory of 1564	1732	imejpmig.exe	cmd.exe
PID 1564 wrote to memory of 1936	1564	cmd.exe	ipconfig.exe
PID 1564 wrote to memory of 1936	1564	cmd.exe	ipconfig.exe
PID 1564 wrote to memory of 1936	1564	cmd.exe	ipconfig.exe
PID 1564 wrote to memory of 1936	1564	cmd.exe	ipconfig.exe
PID 1732 wrote to memory of 1912	1732	imejpmig.exe	cmd.exe
PID 1732 wrote to memory of 1912	1732	imejpmig.exe	cmd.exe
PID 1732 wrote to memory of 1912	1732	imejpmig.exe	cmd.exe
PID 1732 wrote to memory of 1912	1732	imejpmig.exe	cmd.exe
PID 1912 wrote to memory of 572	1912	cmd.exe	net.exe
PID 1912 wrote to memory of 572	1912	cmd.exe	net.exe
PID 1912 wrote to memory of 572	1912	cmd.exe	net.exe
PID 1912 wrote to memory of 572	1912	cmd.exe	net.exe
PID 572 wrote to memory of 1524	572	net.exe	net1.exe
PID 572 wrote to memory of 1524	572	net.exe	net1.exe
PID 572 wrote to memory of 1524	572	net.exe	net1.exe
PID 572 wrote to memory of 1524	572	net.exe	net1.exe
PID 1732 wrote to memory of 1064	1732	imejpmig.exe	cmd.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\233af642b3e22613551e087a7cefcf2a530752da6613efc52da7cb957cb8f0f3.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\233af642b3e22613551e087a7cefcf2a530752da6613efc52da7cb957cb8f0f3.dll,#1
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1260

C:\Users\Admin\AppData\Roaming\Microsoft\IMJP8_1\imejpmig.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\IMJP8_1\imejpmig.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c IpConFig /All
4⤵
- Suspicious use of WriteProcessMemory
PID:824

C:\Windows\SysWOW64\ipconfig.exe
IpConFig /All
5⤵
- Gathers network information
PID:920

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Net STarT
4⤵
- Suspicious use of WriteProcessMemory
PID:900

C:\Windows\SysWOW64\net.exe
Net STarT
5⤵
- Suspicious use of WriteProcessMemory
PID:1576

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 STarT
6⤵
PID:392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Dir C:\ProGra~1\
4⤵
PID:284

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sYsTEmINFo
4⤵
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\SysWOW64\systeminfo.exe
sYsTEmINFo
5⤵
- Gathers system information
PID:624

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c IpConFig /All
4⤵
- Suspicious use of WriteProcessMemory
PID:1564

C:\Windows\SysWOW64\ipconfig.exe
IpConFig /All
5⤵
- Gathers network information
PID:1936

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Net STarT
4⤵
- Suspicious use of WriteProcessMemory
PID:1912

C:\Windows\SysWOW64\net.exe
Net STarT
5⤵
- Suspicious use of WriteProcessMemory
PID:572

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 STarT
6⤵
PID:1524

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Dir C:\ProGra~1\
4⤵
PID:1064

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sYsTEmINFo
4⤵
PID:1692

C:\Windows\SysWOW64\systeminfo.exe
sYsTEmINFo
5⤵
- Gathers system information
PID:1600

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\IMJP8_1\imejpcic.dll

Filesize
78KB

MD5
9aed87892caa891097ccfe6b77a25639

SHA1
506e9b55918b931ac6950b607dd30ec71a969daa

SHA256
840d18698ff0b114ee587f57231001d046fbd1eb22603e0f951cbb8c290804ed

SHA512
cf0f8bf27b896c3ca007ec010f064e5a3fa5bc789511adb24ac58b8262684acdb9fca8d0db83c1e9bca6c2c0cc8b75c0c29ae7aef7c12b3bab1938ed4682cc13

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\IMJP8_1\imejpmig.exe

Filesize
41KB

MD5
2df1878ca93c40188ea6e9e56da921eb

SHA1
96ea489a56803d29aa73fa05bad0b14734aff6bd

SHA256
9d6f7a444c6700fbf9526445a35c07d509b58afa7430abf690ebfd09d9138525

SHA512
14b3eb4503901b0097fc16e5a45183e6c4afae24e4c0aa82fb7d2b71406ef0163f0a19485aecc980e5676a3156d9b68afb98893bd9570199cffde31c66de635e

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\IMJP8_1\imejpcic.dll

Filesize
78KB

MD5
9aed87892caa891097ccfe6b77a25639

SHA1
506e9b55918b931ac6950b607dd30ec71a969daa

SHA256
840d18698ff0b114ee587f57231001d046fbd1eb22603e0f951cbb8c290804ed

SHA512
cf0f8bf27b896c3ca007ec010f064e5a3fa5bc789511adb24ac58b8262684acdb9fca8d0db83c1e9bca6c2c0cc8b75c0c29ae7aef7c12b3bab1938ed4682cc13

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\IMJP8_1\imejpmig.exe

Filesize
41KB

MD5
2df1878ca93c40188ea6e9e56da921eb

SHA1
96ea489a56803d29aa73fa05bad0b14734aff6bd

SHA256
9d6f7a444c6700fbf9526445a35c07d509b58afa7430abf690ebfd09d9138525

SHA512
14b3eb4503901b0097fc16e5a45183e6c4afae24e4c0aa82fb7d2b71406ef0163f0a19485aecc980e5676a3156d9b68afb98893bd9570199cffde31c66de635e

Download Submit
memory/284-68-0x0000000000000000-mapping.dmp

Download
memory/392-67-0x0000000000000000-mapping.dmp

Download
memory/572-75-0x0000000000000000-mapping.dmp

Download
memory/624-70-0x0000000000000000-mapping.dmp

Download
memory/824-62-0x0000000000000000-mapping.dmp

Download
memory/900-65-0x0000000000000000-mapping.dmp

Download
memory/920-63-0x0000000000000000-mapping.dmp

Download
memory/1064-77-0x0000000000000000-mapping.dmp

Download
memory/1260-54-0x0000000000000000-mapping.dmp

Download
memory/1260-55-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

Filesize
8KB

Download
memory/1524-76-0x0000000000000000-mapping.dmp

Download
memory/1564-71-0x0000000000000000-mapping.dmp

Download
memory/1576-66-0x0000000000000000-mapping.dmp

Download
memory/1600-79-0x0000000000000000-mapping.dmp

Download
memory/1692-78-0x0000000000000000-mapping.dmp

Download
memory/1732-57-0x0000000000000000-mapping.dmp

Download
memory/1756-69-0x0000000000000000-mapping.dmp

Download
memory/1912-74-0x0000000000000000-mapping.dmp

Download
memory/1936-72-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing