c5b07b4d969b9d6a47e324f93c7970ccccee8090e9983f6ea7c47a7f13ab34d6

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
27/11/2022, 03:37

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

c5b07b4d969b9d6a47e324f93c7970ccccee8090e9983f6ea7c47a7f13ab34d6.exe
Size

303KB
MD5

a971b0ea4901d6911dfb29971d6d538c
SHA1

ae89f6436049b45975cd72a8be1886e96e7b0f83
SHA256

c5b07b4d969b9d6a47e324f93c7970ccccee8090e9983f6ea7c47a7f13ab34d6
SHA512

47c94e784ac99a1904eec928d700780bbed450b6935a01fa0fe99d8289ce5b6a4c783db6e16daab78dfcacbe7060212606c0d47b95bd0ae32376e390b9f547c4
SSDEEP

6144:g+lq917GsN8fU+3mKUT2VCuun4cE4TyLvTtqRK94Z:9q91vQU+3mDTIbU4tq4vT444Z

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
804	joud.exe

Deletes itself 1 IoCs

pid	Process
1900	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
856	c5b07b4d969b9d6a47e324f93c7970ccccee8090e9983f6ea7c47a7f13ab34d6.exe
856	c5b07b4d969b9d6a47e324f93c7970ccccee8090e9983f6ea7c47a7f13ab34d6.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	joud.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\Joud = "C:\\Users\\Admin\\AppData\\Roaming\\Igjep\\joud.exe"	joud.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 856 set thread context of 1900	856	c5b07b4d969b9d6a47e324f93c7970ccccee8090e9983f6ea7c47a7f13ab34d6.exe	29

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
804	joud.exe
804	joud.exe
804	joud.exe
804	joud.exe
804	joud.exe
804	joud.exe
804	joud.exe
804	joud.exe
804	joud.exe
804	joud.exe
804	joud.exe
804	joud.exe
804	joud.exe
804	joud.exe
804	joud.exe
804	joud.exe
804	joud.exe
804	joud.exe
804	joud.exe
804	joud.exe
804	joud.exe
804	joud.exe
804	joud.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 856 wrote to memory of 804	856	c5b07b4d969b9d6a47e324f93c7970ccccee8090e9983f6ea7c47a7f13ab34d6.exe	28
PID 856 wrote to memory of 804	856	c5b07b4d969b9d6a47e324f93c7970ccccee8090e9983f6ea7c47a7f13ab34d6.exe	28
PID 856 wrote to memory of 804	856	c5b07b4d969b9d6a47e324f93c7970ccccee8090e9983f6ea7c47a7f13ab34d6.exe	28
PID 856 wrote to memory of 804	856	c5b07b4d969b9d6a47e324f93c7970ccccee8090e9983f6ea7c47a7f13ab34d6.exe	28
PID 804 wrote to memory of 1116	804	joud.exe	11
PID 804 wrote to memory of 1116	804	joud.exe	11
PID 804 wrote to memory of 1116	804	joud.exe	11
PID 804 wrote to memory of 1116	804	joud.exe	11
PID 804 wrote to memory of 1116	804	joud.exe	11
PID 804 wrote to memory of 1176	804	joud.exe	19
PID 804 wrote to memory of 1176	804	joud.exe	19
PID 804 wrote to memory of 1176	804	joud.exe	19
PID 804 wrote to memory of 1176	804	joud.exe	19
PID 804 wrote to memory of 1176	804	joud.exe	19
PID 804 wrote to memory of 1216	804	joud.exe	18
PID 804 wrote to memory of 1216	804	joud.exe	18
PID 804 wrote to memory of 1216	804	joud.exe	18
PID 804 wrote to memory of 1216	804	joud.exe	18
PID 804 wrote to memory of 1216	804	joud.exe	18
PID 804 wrote to memory of 856	804	joud.exe	25
PID 804 wrote to memory of 856	804	joud.exe	25
PID 804 wrote to memory of 856	804	joud.exe	25
PID 804 wrote to memory of 856	804	joud.exe	25
PID 804 wrote to memory of 856	804	joud.exe	25
PID 856 wrote to memory of 1900	856	c5b07b4d969b9d6a47e324f93c7970ccccee8090e9983f6ea7c47a7f13ab34d6.exe	29
PID 856 wrote to memory of 1900	856	c5b07b4d969b9d6a47e324f93c7970ccccee8090e9983f6ea7c47a7f13ab34d6.exe	29
PID 856 wrote to memory of 1900	856	c5b07b4d969b9d6a47e324f93c7970ccccee8090e9983f6ea7c47a7f13ab34d6.exe	29
PID 856 wrote to memory of 1900	856	c5b07b4d969b9d6a47e324f93c7970ccccee8090e9983f6ea7c47a7f13ab34d6.exe	29
PID 856 wrote to memory of 1900	856	c5b07b4d969b9d6a47e324f93c7970ccccee8090e9983f6ea7c47a7f13ab34d6.exe	29
PID 856 wrote to memory of 1900	856	c5b07b4d969b9d6a47e324f93c7970ccccee8090e9983f6ea7c47a7f13ab34d6.exe	29
PID 856 wrote to memory of 1900	856	c5b07b4d969b9d6a47e324f93c7970ccccee8090e9983f6ea7c47a7f13ab34d6.exe	29
PID 856 wrote to memory of 1900	856	c5b07b4d969b9d6a47e324f93c7970ccccee8090e9983f6ea7c47a7f13ab34d6.exe	29
PID 856 wrote to memory of 1900	856	c5b07b4d969b9d6a47e324f93c7970ccccee8090e9983f6ea7c47a7f13ab34d6.exe	29

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1116

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1216
- C:\Users\Admin\AppData\Local\Temp\c5b07b4d969b9d6a47e324f93c7970ccccee8090e9983f6ea7c47a7f13ab34d6.exe
  "C:\Users\Admin\AppData\Local\Temp\c5b07b4d969b9d6a47e324f93c7970ccccee8090e9983f6ea7c47a7f13ab34d6.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:856
- - C:\Users\Admin\AppData\Roaming\Igjep\joud.exe
    "C:\Users\Admin\AppData\Roaming\Igjep\joud.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:804
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\SKT2E19.bat"
    3⤵
    - Deletes itself
    PID:1900

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\SKT2E19.bat

Filesize
303B

MD5
2e4e2fc93ac81be40665a5321468caee

SHA1
79522c4f70bce9683c440b3b33b2ce4513176903

SHA256
d8774adf2ca21b895b0fb8eb6fa20a5192a8289f098ff94fe12c4ba254b92232

SHA512
8f57b871bb759b5a88e7432ac9f82aa5bece97b108b4dc3fb9f99b5b14549b5abf049e2f73e4db0dee7801a41dabc7a535a559768d9e3e50368e9a6d7ead333f

Download Submit
C:\Users\Admin\AppData\Roaming\Igjep\joud.exe

Filesize
303KB

MD5
88ffb78a9db1016f47e0e5c1f577b572

SHA1
81ec9035fdd7dd8675326615a7a1e2f695419563

SHA256
94cab13ae92e9311b2a8d090bc2020291e643752e3d20fdfd90391e9779a5d28

SHA512
807d14c319a79c1c8d0ff77811d26489526d398ffeac807d6f7e6483b044e6636c67413413d2e1b38492f2043d998de2509d1362e05a563c5360350ae4134490

Download Submit
C:\Users\Admin\AppData\Roaming\Igjep\joud.exe

Filesize
303KB

MD5
88ffb78a9db1016f47e0e5c1f577b572

SHA1
81ec9035fdd7dd8675326615a7a1e2f695419563

SHA256
94cab13ae92e9311b2a8d090bc2020291e643752e3d20fdfd90391e9779a5d28

SHA512
807d14c319a79c1c8d0ff77811d26489526d398ffeac807d6f7e6483b044e6636c67413413d2e1b38492f2043d998de2509d1362e05a563c5360350ae4134490

Download Submit
\Users\Admin\AppData\Roaming\Igjep\joud.exe

Filesize
303KB

MD5
88ffb78a9db1016f47e0e5c1f577b572

SHA1
81ec9035fdd7dd8675326615a7a1e2f695419563

SHA256
94cab13ae92e9311b2a8d090bc2020291e643752e3d20fdfd90391e9779a5d28

SHA512
807d14c319a79c1c8d0ff77811d26489526d398ffeac807d6f7e6483b044e6636c67413413d2e1b38492f2043d998de2509d1362e05a563c5360350ae4134490

Download Submit
\Users\Admin\AppData\Roaming\Igjep\joud.exe

Filesize
303KB

MD5
88ffb78a9db1016f47e0e5c1f577b572

SHA1
81ec9035fdd7dd8675326615a7a1e2f695419563

SHA256
94cab13ae92e9311b2a8d090bc2020291e643752e3d20fdfd90391e9779a5d28

SHA512
807d14c319a79c1c8d0ff77811d26489526d398ffeac807d6f7e6483b044e6636c67413413d2e1b38492f2043d998de2509d1362e05a563c5360350ae4134490

Download Submit
memory/804-63-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/856-103-0x0000000001EB0000-0x0000000001EF9000-memory.dmp

Filesize
292KB

Download
memory/856-92-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/856-55-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/856-85-0x0000000001EB0000-0x0000000001EF9000-memory.dmp

Filesize
292KB

Download
memory/856-54-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/856-94-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/856-93-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/856-56-0x0000000000401000-0x0000000000442000-memory.dmp

Filesize
260KB

Download
memory/856-91-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/856-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/856-89-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/856-88-0x0000000001EB0000-0x0000000001EF9000-memory.dmp

Filesize
292KB

Download
memory/856-87-0x0000000001EB0000-0x0000000001EF9000-memory.dmp

Filesize
292KB

Download
memory/856-86-0x0000000001EB0000-0x0000000001EF9000-memory.dmp

Filesize
292KB

Download
memory/1116-68-0x0000000001CD0000-0x0000000001D19000-memory.dmp

Filesize
292KB

Download
memory/1116-70-0x0000000001CD0000-0x0000000001D19000-memory.dmp

Filesize
292KB

Download
memory/1116-69-0x0000000001CD0000-0x0000000001D19000-memory.dmp

Filesize
292KB

Download
memory/1116-65-0x0000000001CD0000-0x0000000001D19000-memory.dmp

Filesize
292KB

Download
memory/1116-67-0x0000000001CD0000-0x0000000001D19000-memory.dmp

Filesize
292KB

Download
memory/1176-76-0x0000000001C60000-0x0000000001CA9000-memory.dmp

Filesize
292KB

Download
memory/1176-75-0x0000000001C60000-0x0000000001CA9000-memory.dmp

Filesize
292KB

Download
memory/1176-74-0x0000000001C60000-0x0000000001CA9000-memory.dmp

Filesize
292KB

Download
memory/1176-73-0x0000000001C60000-0x0000000001CA9000-memory.dmp

Filesize
292KB

Download
memory/1216-82-0x0000000002240000-0x0000000002289000-memory.dmp

Filesize
292KB

Download
memory/1216-81-0x0000000002240000-0x0000000002289000-memory.dmp

Filesize
292KB

Download
memory/1216-80-0x0000000002240000-0x0000000002289000-memory.dmp

Filesize
292KB

Download
memory/1216-79-0x0000000002240000-0x0000000002289000-memory.dmp

Filesize
292KB

Download
memory/1900-99-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1900-101-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1900-100-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1900-105-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1900-106-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1900-107-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1900-108-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1900-109-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1900-110-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1900-111-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1900-97-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1900-113-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download