Analysis
-
max time kernel: 88s
max time network: 200s
platform: windows7_x64
resource: win7-20221111-en
resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted: 25-11-2022 09:30
Behavioral task: behavioral1
Sample: 7391cf197a10165c746646b8a767316371d62d86bf4367fe546762276bbe5995.exe
Resource: win7-20221111-en
Behavioral task: behavioral2
Sample: 7391cf197a10165c746646b8a767316371d62d86bf4367fe546762276bbe5995.exe
Resource: win10v2004-20221111-en
General
-
Target: 7391cf197a10165c746646b8a767316371d62d86bf4367fe546762276bbe5995.exe
Size: 4.1MB
MD5: dbbb4cfc6d9cd1356d53c122cb97fd97
SHA1: 5ce4ef9531612019dbf309436c8c55d290323fe6
SHA256: 7391cf197a10165c746646b8a767316371d62d86bf4367fe546762276bbe5995
SHA512: 8b147e79651f517d66be6e31b09bca95571ee69da5ba1f6639a08a66419ba5d50ab02051fadb7858b39cb68acd4d28029ef7c3ec48ce05da52718f1efbbf7580
SSDEEP: 98304:wdBaZn29qwS9m51SXt1T8GTH8gS4TyF0ES5:kgY9AwKtV8GTcgHGF0
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
Processes: Jnyw.exe
pid  process
636  Jnyw.exe
-
YARA rule matches (rule: vmprotect) 9 IoCs
resource                                                                     yara_rule
behavioral1/memory/820-54-0x0000000000400000-0x0000000000C57000-memory.dmp   vmprotect
behavioral1/memory/820-56-0x0000000000400000-0x0000000000C57000-memory.dmp   vmprotect
behavioral1/memory/820-57-0x0000000000400000-0x0000000000C57000-memory.dmp   vmprotect
C:\Users\Admin\AppData\Local\Temp\Jnyw.exe                                   vmprotect
behavioral1/memory/820-60-0x0000000000400000-0x0000000000C57000-memory.dmp   vmprotect
C:\Users\Admin\AppData\Local\Temp\Jnyw.exe                                   vmprotect
behavioral1/memory/636-62-0x0000000000400000-0x0000000000DC7000-memory.dmp   vmprotect
behavioral1/memory/636-63-0x0000000000400000-0x0000000000DC7000-memory.dmp   vmprotect
behavioral1/memory/636-64-0x0000000000400000-0x0000000000DC7000-memory.dmp   vmprotect
-
Drops file in System32 directory 6 IoCs
Processes: Jnyw.exe
description                   ioc                                                                                                                                                         process
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A053CFB63FC8E6507871752236B5CCD5_2F4F3507C6BA2561814680240A0BCD85   Jnyw.exe
File created                  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\appInit[1].htm                                    Jnyw.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat                                                 Jnyw.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C  Jnyw.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C   Jnyw.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A053CFB63FC8E6507871752236B5CCD5_2F4F3507C6BA2561814680240A0BCD85  Jnyw.exe
-
Drops file in Windows directory 2 IoCs
Processes: 7391cf197a10165c746646b8a767316371d62d86bf4367fe546762276bbe5995.exe, Jnyw.exe
description                   ioc                 process
File opened for modification  C:\Windows\Sy.ini   7391cf197a10165c746646b8a767316371d62d86bf4367fe546762276bbe5995.exe
File opened for modification  C:\Windows\Sy.ini   Jnyw.exe
-
Modifies Internet Explorer settings 1 IoCs
Processes: 7391cf197a10165c746646b8a767316371d62d86bf4367fe546762276bbe5995.exe
description  ioc                                                                                                                    process
Key deleted  \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\TypedURLs   7391cf197a10165c746646b8a767316371d62d86bf4367fe546762276bbe5995.exe
-
Modifies data under HKEY_USERS 64 IoCs
Processes: Jnyw.exe
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes: 7391cf197a10165c746646b8a767316371d62d86bf4367fe546762276bbe5995.exe, Jnyw.exe
pid  process
820  7391cf197a10165c746646b8a767316371d62d86bf4367fe546762276bbe5995.exe
820  7391cf197a10165c746646b8a767316371d62d86bf4367fe546762276bbe5995.exe
636  Jnyw.exe
636  Jnyw.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: 7391cf197a10165c746646b8a767316371d62d86bf4367fe546762276bbe5995.exe
description               pid  process
Token: SeDebugPrivilege   820  7391cf197a10165c746646b8a767316371d62d86bf4367fe546762276bbe5995.exe
-
Suspicious use of SetWindowsHookEx 5 IoCs
Processes: 7391cf197a10165c746646b8a767316371d62d86bf4367fe546762276bbe5995.exe, Jnyw.exe
pid  process
820  7391cf197a10165c746646b8a767316371d62d86bf4367fe546762276bbe5995.exe
820  7391cf197a10165c746646b8a767316371d62d86bf4367fe546762276bbe5995.exe
636  Jnyw.exe
636  Jnyw.exe
636  Jnyw.exe
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\7391cf197a10165c746646b8a767316371d62d86bf4367fe546762276bbe5995.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7391cf197a10165c746646b8a767316371d62d86bf4367fe546762276bbe5995.exe"
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    -
    [2] C:\Users\Admin\AppData\Local\Temp\Jnyw.exe (child of [1])
        Command line: "C:\Users\Admin\AppData\Local\Temp\Jnyw.exe"
        - Executes dropped EXE
        - Drops file in System32 directory
        - Drops file in Windows directory
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Jnyw.exe
Filesize: 2.8MB
MD5: 83bfee62a205080de8355e4601dc463f
SHA1: 70e60ba0644266ef8937181120d8a16428081bb2
SHA256: 75d5cb1a618b997d3fc5e2030df44b596847d2cee1cb4fe055400197feff64d3
SHA512: 555ca560983ef29b27fa5c240f0da1ae9d04969297ea1833c753ec1c0e65875e6ff67c4dfca193d962e3c80148a5c2d837d0b78d611b0e3f59950ac0a9f9f3e8
-
C:\Windows\Sy.ini
Filesize: 169B
MD5: 9b96634bcea19a9a554e8fd35510f92d
SHA1: d6f3d6cda170f439ba7b6b2f798d50ac9373d07f
SHA256: 710c32e33dfcb77e8e39701ddefa1619a4c892b92b7a0ff1c2b88bb115ea98b9
SHA512: ba655b4673b34b7b79ed112a2f21263a351195f2b55e7c857df88f1f550b90ea73ff1b000e133bf2b65447e54a3d051efa92b53177f10e1f72746e7b85b1c076
-
memory/636-62-0x0000000000400000-0x0000000000DC7000-memory.dmp
Filesize: 9.8MB
-
memory/636-63-0x0000000000400000-0x0000000000DC7000-memory.dmp
Filesize: 9.8MB
-
memory/636-64-0x0000000000400000-0x0000000000DC7000-memory.dmp
Filesize: 9.8MB
-
memory/820-54-0x0000000000400000-0x0000000000C57000-memory.dmp
Filesize: 8.3MB
-
memory/820-55-0x0000000075591000-0x0000000075593000-memory.dmp
Filesize: 8KB
-
memory/820-56-0x0000000000400000-0x0000000000C57000-memory.dmp
Filesize: 8.3MB
-
memory/820-57-0x0000000000400000-0x0000000000C57000-memory.dmp
Filesize: 8.3MB
-
memory/820-60-0x0000000000400000-0x0000000000C57000-memory.dmp
Filesize: 8.3MB