c5dba8b872088eda313e76f722e3736c57af8bef1ecf75147e29ef6a175aca5b

General

Target

c5dba8b872088eda313e76f722e3736c57af8bef1ecf75147e29ef6a175aca5b.exe
Size

180KB
MD5

0085cfa673c43eef918d943fba4ff801
SHA1

2a6d187604b86bad60a52d9fccc2b29b1a20769e
SHA256

c5dba8b872088eda313e76f722e3736c57af8bef1ecf75147e29ef6a175aca5b
SHA512

acc9828585df59816109e2c2cf3f4ed419f2260c81c1eadd82ecdaf35921f345939e23b3e28ece40aa99ec16ee5047acf44bb9357e1b3261b9422135231d87b3
SSDEEP

3072:yI+GdYRLoeEdRos/eaqFnqWDb+uTyLDC6s5sSYqGlC6YViZj5HQXZmmJ0yCFioxj:dHcKPpm2lC6YViZj5HQXZmmJ0yCF9Bxp

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

joiaba.exec5dba8b872088eda313e76f722e3736c57af8bef1ecf75147e29ef6a175aca5b.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	joiaba.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	c5dba8b872088eda313e76f722e3736c57af8bef1ecf75147e29ef6a175aca5b.exe

Executes dropped EXE 1 IoCs

Processes:

joiaba.exe

pid process

1808 joiaba.exe

pid	process
1808	joiaba.exe

Loads dropped DLL 2 IoCs

Processes:

c5dba8b872088eda313e76f722e3736c57af8bef1ecf75147e29ef6a175aca5b.exe

pid	process
1488	c5dba8b872088eda313e76f722e3736c57af8bef1ecf75147e29ef6a175aca5b.exe
1488	c5dba8b872088eda313e76f722e3736c57af8bef1ecf75147e29ef6a175aca5b.exe

Adds Run key to start application 2 TTPs 53 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

joiaba.exec5dba8b872088eda313e76f722e3736c57af8bef1ecf75147e29ef6a175aca5b.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joiaba = "C:\\Users\\Admin\\joiaba.exe /K"	joiaba.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joiaba = "C:\\Users\\Admin\\joiaba.exe /N"	joiaba.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joiaba = "C:\\Users\\Admin\\joiaba.exe /W"	joiaba.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joiaba = "C:\\Users\\Admin\\joiaba.exe /S"	joiaba.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joiaba = "C:\\Users\\Admin\\joiaba.exe /Q"	joiaba.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\	joiaba.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joiaba = "C:\\Users\\Admin\\joiaba.exe /Y"	joiaba.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joiaba = "C:\\Users\\Admin\\joiaba.exe /P"	joiaba.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joiaba = "C:\\Users\\Admin\\joiaba.exe /T"	joiaba.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joiaba = "C:\\Users\\Admin\\joiaba.exe /Z"	joiaba.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joiaba = "C:\\Users\\Admin\\joiaba.exe /q"	joiaba.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joiaba = "C:\\Users\\Admin\\joiaba.exe /s"	joiaba.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joiaba = "C:\\Users\\Admin\\joiaba.exe /c"	joiaba.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joiaba = "C:\\Users\\Admin\\joiaba.exe /i"	joiaba.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joiaba = "C:\\Users\\Admin\\joiaba.exe /h"	joiaba.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joiaba = "C:\\Users\\Admin\\joiaba.exe /J"	joiaba.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joiaba = "C:\\Users\\Admin\\joiaba.exe /p"	joiaba.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joiaba = "C:\\Users\\Admin\\joiaba.exe /a"	joiaba.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joiaba = "C:\\Users\\Admin\\joiaba.exe /A"	joiaba.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joiaba = "C:\\Users\\Admin\\joiaba.exe /z"	joiaba.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joiaba = "C:\\Users\\Admin\\joiaba.exe /D"	joiaba.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joiaba = "C:\\Users\\Admin\\joiaba.exe /l"	joiaba.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joiaba = "C:\\Users\\Admin\\joiaba.exe /H"	joiaba.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joiaba = "C:\\Users\\Admin\\joiaba.exe /b"	joiaba.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joiaba = "C:\\Users\\Admin\\joiaba.exe /w"	joiaba.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joiaba = "C:\\Users\\Admin\\joiaba.exe /j"	joiaba.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joiaba = "C:\\Users\\Admin\\joiaba.exe /d"	joiaba.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joiaba = "C:\\Users\\Admin\\joiaba.exe /t"	joiaba.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joiaba = "C:\\Users\\Admin\\joiaba.exe /m"	joiaba.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joiaba = "C:\\Users\\Admin\\joiaba.exe /I"	joiaba.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joiaba = "C:\\Users\\Admin\\joiaba.exe /e"	joiaba.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joiaba = "C:\\Users\\Admin\\joiaba.exe /C"	joiaba.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joiaba = "C:\\Users\\Admin\\joiaba.exe /k"	joiaba.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joiaba = "C:\\Users\\Admin\\joiaba.exe /u"	joiaba.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joiaba = "C:\\Users\\Admin\\joiaba.exe /E"	joiaba.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joiaba = "C:\\Users\\Admin\\joiaba.exe /V"	joiaba.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joiaba = "C:\\Users\\Admin\\joiaba.exe /M"	joiaba.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joiaba = "C:\\Users\\Admin\\joiaba.exe /n"	joiaba.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joiaba = "C:\\Users\\Admin\\joiaba.exe /G"	joiaba.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joiaba = "C:\\Users\\Admin\\joiaba.exe /U"	joiaba.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joiaba = "C:\\Users\\Admin\\joiaba.exe /B"	joiaba.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joiaba = "C:\\Users\\Admin\\joiaba.exe /X"	joiaba.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joiaba = "C:\\Users\\Admin\\joiaba.exe /r"	joiaba.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joiaba = "C:\\Users\\Admin\\joiaba.exe /o"	joiaba.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joiaba = "C:\\Users\\Admin\\joiaba.exe /O"	joiaba.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\	c5dba8b872088eda313e76f722e3736c57af8bef1ecf75147e29ef6a175aca5b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joiaba = "C:\\Users\\Admin\\joiaba.exe /N"	c5dba8b872088eda313e76f722e3736c57af8bef1ecf75147e29ef6a175aca5b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joiaba = "C:\\Users\\Admin\\joiaba.exe /f"	joiaba.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joiaba = "C:\\Users\\Admin\\joiaba.exe /F"	joiaba.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joiaba = "C:\\Users\\Admin\\joiaba.exe /x"	joiaba.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joiaba = "C:\\Users\\Admin\\joiaba.exe /v"	joiaba.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joiaba = "C:\\Users\\Admin\\joiaba.exe /y"	joiaba.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joiaba = "C:\\Users\\Admin\\joiaba.exe /L"	joiaba.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

c5dba8b872088eda313e76f722e3736c57af8bef1ecf75147e29ef6a175aca5b.exejoiaba.exe

pid	process
1488	c5dba8b872088eda313e76f722e3736c57af8bef1ecf75147e29ef6a175aca5b.exe
1808	joiaba.exe
1808	joiaba.exe
1808	joiaba.exe
1808	joiaba.exe
1808	joiaba.exe
1808	joiaba.exe
1808	joiaba.exe
1808	joiaba.exe
1808	joiaba.exe
1808	joiaba.exe
1808	joiaba.exe
1808	joiaba.exe
1808	joiaba.exe
1808	joiaba.exe
1808	joiaba.exe
1808	joiaba.exe
1808	joiaba.exe
1808	joiaba.exe
1808	joiaba.exe
1808	joiaba.exe
1808	joiaba.exe
1808	joiaba.exe
1808	joiaba.exe
1808	joiaba.exe
1808	joiaba.exe
1808	joiaba.exe
1808	joiaba.exe
1808	joiaba.exe
1808	joiaba.exe
1808	joiaba.exe
1808	joiaba.exe
1808	joiaba.exe
1808	joiaba.exe
1808	joiaba.exe
1808	joiaba.exe
1808	joiaba.exe
1808	joiaba.exe
1808	joiaba.exe
1808	joiaba.exe
1808	joiaba.exe
1808	joiaba.exe
1808	joiaba.exe
1808	joiaba.exe
1808	joiaba.exe
1808	joiaba.exe
1808	joiaba.exe
1808	joiaba.exe
1808	joiaba.exe
1808	joiaba.exe
1808	joiaba.exe
1808	joiaba.exe
1808	joiaba.exe
1808	joiaba.exe
1808	joiaba.exe
1808	joiaba.exe
1808	joiaba.exe
1808	joiaba.exe
1808	joiaba.exe
1808	joiaba.exe
1808	joiaba.exe
1808	joiaba.exe
1808	joiaba.exe
1808	joiaba.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

c5dba8b872088eda313e76f722e3736c57af8bef1ecf75147e29ef6a175aca5b.exejoiaba.exe

pid process

1488 c5dba8b872088eda313e76f722e3736c57af8bef1ecf75147e29ef6a175aca5b.exe
1808 joiaba.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

c5dba8b872088eda313e76f722e3736c57af8bef1ecf75147e29ef6a175aca5b.exe

description	pid	process	target process
PID 1488 wrote to memory of 1808	1488	c5dba8b872088eda313e76f722e3736c57af8bef1ecf75147e29ef6a175aca5b.exe	joiaba.exe
PID 1488 wrote to memory of 1808	1488	c5dba8b872088eda313e76f722e3736c57af8bef1ecf75147e29ef6a175aca5b.exe	joiaba.exe
PID 1488 wrote to memory of 1808	1488	c5dba8b872088eda313e76f722e3736c57af8bef1ecf75147e29ef6a175aca5b.exe	joiaba.exe
PID 1488 wrote to memory of 1808	1488	c5dba8b872088eda313e76f722e3736c57af8bef1ecf75147e29ef6a175aca5b.exe	joiaba.exe

C:\Users\Admin\AppData\Local\Temp\c5dba8b872088eda313e76f722e3736c57af8bef1ecf75147e29ef6a175aca5b.exe
"C:\Users\Admin\AppData\Local\Temp\c5dba8b872088eda313e76f722e3736c57af8bef1ecf75147e29ef6a175aca5b.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1488

C:\Users\Admin\joiaba.exe
"C:\Users\Admin\joiaba.exe"
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1808

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\joiaba.exe

Filesize
180KB

MD5
9044e10b5986a3795b85abe195382f2f

SHA1
6ce12b9841b8b75f79d898c6cdcf05b5ed04266b

SHA256
0ec5c2ed49227b4835638976d4b22c410e9a7ac4e3c65395c8003585d983bb0b

SHA512
c7ef1ffc7fd64441eae87c46178aaac229e45a9fcd35d4788ca85bb38e93be3699e66155b1b869e90174f8a040f0f7d4b95ae8c2c6bd0db1ce7ea79a4dc05e22

Download Submit
C:\Users\Admin\joiaba.exe

Filesize
180KB

MD5
9044e10b5986a3795b85abe195382f2f

SHA1
6ce12b9841b8b75f79d898c6cdcf05b5ed04266b

SHA256
0ec5c2ed49227b4835638976d4b22c410e9a7ac4e3c65395c8003585d983bb0b

SHA512
c7ef1ffc7fd64441eae87c46178aaac229e45a9fcd35d4788ca85bb38e93be3699e66155b1b869e90174f8a040f0f7d4b95ae8c2c6bd0db1ce7ea79a4dc05e22

Download Submit
\Users\Admin\joiaba.exe

Filesize
180KB

MD5
9044e10b5986a3795b85abe195382f2f

SHA1
6ce12b9841b8b75f79d898c6cdcf05b5ed04266b

SHA256
0ec5c2ed49227b4835638976d4b22c410e9a7ac4e3c65395c8003585d983bb0b

SHA512
c7ef1ffc7fd64441eae87c46178aaac229e45a9fcd35d4788ca85bb38e93be3699e66155b1b869e90174f8a040f0f7d4b95ae8c2c6bd0db1ce7ea79a4dc05e22

Download Submit
\Users\Admin\joiaba.exe

Filesize
180KB

MD5
9044e10b5986a3795b85abe195382f2f

SHA1
6ce12b9841b8b75f79d898c6cdcf05b5ed04266b

SHA256
0ec5c2ed49227b4835638976d4b22c410e9a7ac4e3c65395c8003585d983bb0b

SHA512
c7ef1ffc7fd64441eae87c46178aaac229e45a9fcd35d4788ca85bb38e93be3699e66155b1b869e90174f8a040f0f7d4b95ae8c2c6bd0db1ce7ea79a4dc05e22

Download Submit
memory/1488-56-0x0000000076771000-0x0000000076773000-memory.dmp

Filesize
8KB

Download
memory/1808-59-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads