b5118f38b44f76f25a0476c094ab7ade97a150c6df811fd5762542729c216c8d

Analysis

max time kernel
151s
max time network
150s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
23/11/2022, 19:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b5118f38b44f76f25a0476c094ab7ade97a150c6df811fd5762542729c216c8d.exe
Size

296KB
MD5

4bc4eeeada11c489e88c4d7cc6291400
SHA1

0b5d4b0ad6b9c73bca5684f0dff9650d89656f85
SHA256

b5118f38b44f76f25a0476c094ab7ade97a150c6df811fd5762542729c216c8d
SHA512

3803f870a58eaf939e7e877912fbe56230532146d56ff17e70b393d4fe55a014d872145bd60fad9f01eac89eb584ba6fff8b917da57d08c4c8594da537a5fea7
SSDEEP

6144:oVsTXF+yaNRUGjcbVkNUS5TEV2XnUfX501kCAgcw3t/EGQhbQaDOlXG7T:zTXF+dRUJGHxEVOr1kCAgcwF1gKo7T

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1664	jaiwyc.exe

Deletes itself 1 IoCs

pid	Process
2032	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1392	b5118f38b44f76f25a0476c094ab7ade97a150c6df811fd5762542729c216c8d.exe
1392	b5118f38b44f76f25a0476c094ab7ade97a150c6df811fd5762542729c216c8d.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	jaiwyc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Jaiwyc = "C:\\Users\\Admin\\AppData\\Roaming\\Ohdu\\jaiwyc.exe"	jaiwyc.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1392 set thread context of 2032	1392	b5118f38b44f76f25a0476c094ab7ade97a150c6df811fd5762542729c216c8d.exe	28

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
1664	jaiwyc.exe
1664	jaiwyc.exe
1664	jaiwyc.exe
1664	jaiwyc.exe
1664	jaiwyc.exe
1664	jaiwyc.exe
1664	jaiwyc.exe
1664	jaiwyc.exe
1664	jaiwyc.exe
1664	jaiwyc.exe
1664	jaiwyc.exe
1664	jaiwyc.exe
1664	jaiwyc.exe
1664	jaiwyc.exe
1664	jaiwyc.exe
1664	jaiwyc.exe
1664	jaiwyc.exe
1664	jaiwyc.exe
1664	jaiwyc.exe
1664	jaiwyc.exe
1664	jaiwyc.exe
1664	jaiwyc.exe
1664	jaiwyc.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 1392 wrote to memory of 1664	1392	b5118f38b44f76f25a0476c094ab7ade97a150c6df811fd5762542729c216c8d.exe	27
PID 1392 wrote to memory of 1664	1392	b5118f38b44f76f25a0476c094ab7ade97a150c6df811fd5762542729c216c8d.exe	27
PID 1392 wrote to memory of 1664	1392	b5118f38b44f76f25a0476c094ab7ade97a150c6df811fd5762542729c216c8d.exe	27
PID 1392 wrote to memory of 1664	1392	b5118f38b44f76f25a0476c094ab7ade97a150c6df811fd5762542729c216c8d.exe	27
PID 1664 wrote to memory of 1112	1664	jaiwyc.exe	16
PID 1664 wrote to memory of 1112	1664	jaiwyc.exe	16
PID 1664 wrote to memory of 1112	1664	jaiwyc.exe	16
PID 1664 wrote to memory of 1112	1664	jaiwyc.exe	16
PID 1664 wrote to memory of 1112	1664	jaiwyc.exe	16
PID 1664 wrote to memory of 1172	1664	jaiwyc.exe	15
PID 1664 wrote to memory of 1172	1664	jaiwyc.exe	15
PID 1664 wrote to memory of 1172	1664	jaiwyc.exe	15
PID 1664 wrote to memory of 1172	1664	jaiwyc.exe	15
PID 1664 wrote to memory of 1172	1664	jaiwyc.exe	15
PID 1664 wrote to memory of 1212	1664	jaiwyc.exe	14
PID 1664 wrote to memory of 1212	1664	jaiwyc.exe	14
PID 1664 wrote to memory of 1212	1664	jaiwyc.exe	14
PID 1664 wrote to memory of 1212	1664	jaiwyc.exe	14
PID 1664 wrote to memory of 1212	1664	jaiwyc.exe	14
PID 1664 wrote to memory of 1392	1664	jaiwyc.exe	26
PID 1664 wrote to memory of 1392	1664	jaiwyc.exe	26
PID 1664 wrote to memory of 1392	1664	jaiwyc.exe	26
PID 1664 wrote to memory of 1392	1664	jaiwyc.exe	26
PID 1664 wrote to memory of 1392	1664	jaiwyc.exe	26
PID 1392 wrote to memory of 2032	1392	b5118f38b44f76f25a0476c094ab7ade97a150c6df811fd5762542729c216c8d.exe	28
PID 1392 wrote to memory of 2032	1392	b5118f38b44f76f25a0476c094ab7ade97a150c6df811fd5762542729c216c8d.exe	28
PID 1392 wrote to memory of 2032	1392	b5118f38b44f76f25a0476c094ab7ade97a150c6df811fd5762542729c216c8d.exe	28
PID 1392 wrote to memory of 2032	1392	b5118f38b44f76f25a0476c094ab7ade97a150c6df811fd5762542729c216c8d.exe	28
PID 1392 wrote to memory of 2032	1392	b5118f38b44f76f25a0476c094ab7ade97a150c6df811fd5762542729c216c8d.exe	28
PID 1392 wrote to memory of 2032	1392	b5118f38b44f76f25a0476c094ab7ade97a150c6df811fd5762542729c216c8d.exe	28
PID 1392 wrote to memory of 2032	1392	b5118f38b44f76f25a0476c094ab7ade97a150c6df811fd5762542729c216c8d.exe	28
PID 1392 wrote to memory of 2032	1392	b5118f38b44f76f25a0476c094ab7ade97a150c6df811fd5762542729c216c8d.exe	28
PID 1392 wrote to memory of 2032	1392	b5118f38b44f76f25a0476c094ab7ade97a150c6df811fd5762542729c216c8d.exe	28
PID 1664 wrote to memory of 1412	1664	jaiwyc.exe	29
PID 1664 wrote to memory of 1412	1664	jaiwyc.exe	29
PID 1664 wrote to memory of 1412	1664	jaiwyc.exe	29
PID 1664 wrote to memory of 1412	1664	jaiwyc.exe	29
PID 1664 wrote to memory of 1412	1664	jaiwyc.exe	29

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212
- C:\Users\Admin\AppData\Local\Temp\b5118f38b44f76f25a0476c094ab7ade97a150c6df811fd5762542729c216c8d.exe
  "C:\Users\Admin\AppData\Local\Temp\b5118f38b44f76f25a0476c094ab7ade97a150c6df811fd5762542729c216c8d.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1392
- - C:\Users\Admin\AppData\Roaming\Ohdu\jaiwyc.exe
    "C:\Users\Admin\AppData\Roaming\Ohdu\jaiwyc.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1664
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\GKAC99D.bat"
    3⤵
    - Deletes itself
    PID:2032

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1172

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1112

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "3119493771438832212742793866-1665390612-63225239512350814825179880341409239703"
1⤵
PID:1412

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GKAC99D.bat

Filesize
303B

MD5
2a64b6233b6f4de2b2403f7bde670ef3

SHA1
91ffaddbf80d815fdabe6adc965554aba001ffc5

SHA256
6470df1c6a84effe0a75606155adce51d2d52d6ca3bfaf9b14c2d221961b0efb

SHA512
293565c030c0defd6c03887a920223d57cf7253fb8be3cbe7672ae3a38fa2dcfc99c9075913335b231f5e8e96f05c18b63438f0be6bced92de686254b8e64d31

Download Submit
C:\Users\Admin\AppData\Roaming\Ohdu\jaiwyc.exe

Filesize
296KB

MD5
bace63e64a3988b9772522b691f28800

SHA1
a17ad5660383b66f57cdfe9bb44fcc01bb2f25d1

SHA256
e02d2bcb90b32986f53bda6dab4cb38c8e93a7cd3042bb877ac939b6863cf217

SHA512
087f90f7e7c0e2e207369f61b75276b96632fba0477ff45a9090fd931addd4d9cc2b9b53851d3df6ecfafcbff01cf00bf513711f4ddbd2f91a86d94ae498ab5c

Download Submit
C:\Users\Admin\AppData\Roaming\Ohdu\jaiwyc.exe

Filesize
296KB

MD5
bace63e64a3988b9772522b691f28800

SHA1
a17ad5660383b66f57cdfe9bb44fcc01bb2f25d1

SHA256
e02d2bcb90b32986f53bda6dab4cb38c8e93a7cd3042bb877ac939b6863cf217

SHA512
087f90f7e7c0e2e207369f61b75276b96632fba0477ff45a9090fd931addd4d9cc2b9b53851d3df6ecfafcbff01cf00bf513711f4ddbd2f91a86d94ae498ab5c

Download Submit
\Users\Admin\AppData\Roaming\Ohdu\jaiwyc.exe

Filesize
296KB

MD5
bace63e64a3988b9772522b691f28800

SHA1
a17ad5660383b66f57cdfe9bb44fcc01bb2f25d1

SHA256
e02d2bcb90b32986f53bda6dab4cb38c8e93a7cd3042bb877ac939b6863cf217

SHA512
087f90f7e7c0e2e207369f61b75276b96632fba0477ff45a9090fd931addd4d9cc2b9b53851d3df6ecfafcbff01cf00bf513711f4ddbd2f91a86d94ae498ab5c

Download Submit
\Users\Admin\AppData\Roaming\Ohdu\jaiwyc.exe

Filesize
296KB

MD5
bace63e64a3988b9772522b691f28800

SHA1
a17ad5660383b66f57cdfe9bb44fcc01bb2f25d1

SHA256
e02d2bcb90b32986f53bda6dab4cb38c8e93a7cd3042bb877ac939b6863cf217

SHA512
087f90f7e7c0e2e207369f61b75276b96632fba0477ff45a9090fd931addd4d9cc2b9b53851d3df6ecfafcbff01cf00bf513711f4ddbd2f91a86d94ae498ab5c

Download Submit
memory/1112-70-0x0000000000360000-0x00000000003A8000-memory.dmp

Filesize
288KB

Download
memory/1112-65-0x0000000000360000-0x00000000003A8000-memory.dmp

Filesize
288KB

Download
memory/1112-67-0x0000000000360000-0x00000000003A8000-memory.dmp

Filesize
288KB

Download
memory/1112-68-0x0000000000360000-0x00000000003A8000-memory.dmp

Filesize
288KB

Download
memory/1112-69-0x0000000000360000-0x00000000003A8000-memory.dmp

Filesize
288KB

Download
memory/1172-73-0x0000000000220000-0x0000000000268000-memory.dmp

Filesize
288KB

Download
memory/1172-74-0x0000000000220000-0x0000000000268000-memory.dmp

Filesize
288KB

Download
memory/1172-76-0x0000000000220000-0x0000000000268000-memory.dmp

Filesize
288KB

Download
memory/1172-75-0x0000000000220000-0x0000000000268000-memory.dmp

Filesize
288KB

Download
memory/1212-82-0x00000000029C0000-0x0000000002A08000-memory.dmp

Filesize
288KB

Download
memory/1212-81-0x00000000029C0000-0x0000000002A08000-memory.dmp

Filesize
288KB

Download
memory/1212-80-0x00000000029C0000-0x0000000002A08000-memory.dmp

Filesize
288KB

Download
memory/1212-79-0x00000000029C0000-0x0000000002A08000-memory.dmp

Filesize
288KB

Download
memory/1392-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1392-93-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1392-56-0x0000000000401000-0x0000000000441000-memory.dmp

Filesize
256KB

Download
memory/1392-89-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1392-88-0x0000000002230000-0x0000000002278000-memory.dmp

Filesize
288KB

Download
memory/1392-87-0x0000000002230000-0x0000000002278000-memory.dmp

Filesize
288KB

Download
memory/1392-86-0x0000000002230000-0x0000000002278000-memory.dmp

Filesize
288KB

Download
memory/1392-85-0x0000000002230000-0x0000000002278000-memory.dmp

Filesize
288KB

Download
memory/1392-55-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1392-91-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1392-92-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1392-105-0x0000000002230000-0x0000000002278000-memory.dmp

Filesize
288KB

Download
memory/1392-94-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1392-95-0x0000000002230000-0x000000000227F000-memory.dmp

Filesize
316KB

Download
memory/1392-104-0x0000000002230000-0x000000000227F000-memory.dmp

Filesize
316KB

Download
memory/1392-54-0x0000000075601000-0x0000000075603000-memory.dmp

Filesize
8KB

Download
memory/1412-119-0x0000000000180000-0x00000000001C8000-memory.dmp

Filesize
288KB

Download
memory/1412-118-0x0000000000180000-0x00000000001C8000-memory.dmp

Filesize
288KB

Download
memory/1412-117-0x0000000000180000-0x00000000001C8000-memory.dmp

Filesize
288KB

Download
memory/1412-116-0x0000000000180000-0x00000000001C8000-memory.dmp

Filesize
288KB

Download
memory/1664-63-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/2032-101-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/2032-108-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2032-109-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2032-110-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2032-111-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2032-112-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2032-113-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2032-107-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2032-102-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/2032-100-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/2032-120-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download
memory/2032-98-0x0000000000050000-0x0000000000098000-memory.dmp

Filesize
288KB

Download