5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115

Analysis

max time kernel
82s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
27/11/2022, 13:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe
Size

4.1MB
MD5

bcf2d47e89eae5e561786e67e18944b8
SHA1

8df0dec10fcb6f6ca6127a84f4eb79ee40f77ddd
SHA256

5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115
SHA512

56df6ee44deafb76dd781d1e9261076634aeda0a3a04f175e382f3f4f3c417349e5662fec69401e3b2958209f8db270a7fa8a8f5201b6d61a2dd2fb1ef25aa30
SSDEEP

98304:Qzi78zCdEFvizhzP0jkWnQBCfBr/XG5rMBD:qNCaiNAjYkt/XG5rMh

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1152	RaiMz8Ebd6kFRGvE.exe

Loads dropped DLL 1 IoCs

pid	Process
992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\jagax = "C:\\Users\\Admin\\AppData\\Roaming\\jagax\\FU2j02L3nfu2.exe"	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe
992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe
992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe
992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe
992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe
992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe
992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe
992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe
992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe
992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe
992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe
992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 992 wrote to memory of 1152	992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe	28
PID 992 wrote to memory of 1152	992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe	28
PID 992 wrote to memory of 1152	992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe	28
PID 992 wrote to memory of 1152	992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe	28
PID 992 wrote to memory of 1152	992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe	28
PID 992 wrote to memory of 1152	992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe	28
PID 992 wrote to memory of 1152	992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe	28
PID 992 wrote to memory of 1644	992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe	29
PID 992 wrote to memory of 1644	992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe	29
PID 992 wrote to memory of 1644	992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe	29
PID 992 wrote to memory of 1644	992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe	29
PID 992 wrote to memory of 1904	992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe	30
PID 992 wrote to memory of 1904	992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe	30
PID 992 wrote to memory of 1904	992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe	30
PID 992 wrote to memory of 1904	992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe	30
PID 992 wrote to memory of 2020	992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe	34
PID 992 wrote to memory of 2020	992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe	34
PID 992 wrote to memory of 2020	992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe	34
PID 992 wrote to memory of 2020	992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe	34
PID 992 wrote to memory of 1680	992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe	33
PID 992 wrote to memory of 1680	992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe	33
PID 992 wrote to memory of 1680	992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe	33
PID 992 wrote to memory of 1680	992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe	33
PID 992 wrote to memory of 1792	992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe	32
PID 992 wrote to memory of 1792	992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe	32
PID 992 wrote to memory of 1792	992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe	32
PID 992 wrote to memory of 1792	992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe	32
PID 992 wrote to memory of 1848	992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe	31
PID 992 wrote to memory of 1848	992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe	31
PID 992 wrote to memory of 1848	992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe	31
PID 992 wrote to memory of 1848	992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe	31
PID 992 wrote to memory of 1220	992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe	35
PID 992 wrote to memory of 1220	992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe	35
PID 992 wrote to memory of 1220	992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe	35
PID 992 wrote to memory of 1220	992	5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe	35

C:\Users\Admin\AppData\Local\Temp\5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe
"C:\Users\Admin\AppData\Local\Temp\5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:992
- C:\Users\Admin\AppData\Local\Temp\RaiMz8Ebd6kFRGvE.exe
  "C:\Users\Admin\AppData\Local\Temp\RaiMz8Ebd6kFRGvE.exe"
  2⤵
  - Executes dropped EXE
  PID:1152
- C:\Users\Admin\AppData\Local\Temp\5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe
  "C:\Users\Admin\AppData\Local\Temp\5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe"
  2⤵
  PID:1644
- C:\Users\Admin\AppData\Local\Temp\5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe
  "C:\Users\Admin\AppData\Local\Temp\5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe"
  2⤵
  PID:1904
- C:\Users\Admin\AppData\Local\Temp\5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe
  "C:\Users\Admin\AppData\Local\Temp\5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe"
  2⤵
  PID:1848
- C:\Users\Admin\AppData\Local\Temp\5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe
  "C:\Users\Admin\AppData\Local\Temp\5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe"
  2⤵
  PID:1792
- C:\Users\Admin\AppData\Local\Temp\5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe
  "C:\Users\Admin\AppData\Local\Temp\5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe"
  2⤵
  PID:1680
- C:\Users\Admin\AppData\Local\Temp\5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe
  "C:\Users\Admin\AppData\Local\Temp\5f3647bb8dcd43051d9c101e8d1b748bc4a85805079faf4f91881e9012946115.exe"
  2⤵
  PID:2020
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
  dw20.exe -x -s 924
  2⤵
  PID:1220

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RaiMz8Ebd6kFRGvE.exe

Filesize
3.4MB

MD5
78c6235c46c14c40f83d1d0514dab9a5

SHA1
8bda9e7585865eee408eb7157dc8b07aaf440c80

SHA256
4691662a75311acfedd1b7d9ca147239c3cd477367633407735bf924bb0ba967

SHA512
6a5038944d2576cfd68f1b7294b00a1b39bba44eb8b378fd2750a43151f2208f3595b8e4900afabce558a40d398e84c342da34b4f9b41b93fb4b7053d1dcc8c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RaiMz8Ebd6kFRGvE.exe

Filesize
3.4MB

MD5
78c6235c46c14c40f83d1d0514dab9a5

SHA1
8bda9e7585865eee408eb7157dc8b07aaf440c80

SHA256
4691662a75311acfedd1b7d9ca147239c3cd477367633407735bf924bb0ba967

SHA512
6a5038944d2576cfd68f1b7294b00a1b39bba44eb8b378fd2750a43151f2208f3595b8e4900afabce558a40d398e84c342da34b4f9b41b93fb4b7053d1dcc8c7

Download Submit
\Users\Admin\AppData\Local\Temp\RaiMz8Ebd6kFRGvE.exe

Filesize
3.4MB

MD5
78c6235c46c14c40f83d1d0514dab9a5

SHA1
8bda9e7585865eee408eb7157dc8b07aaf440c80

SHA256
4691662a75311acfedd1b7d9ca147239c3cd477367633407735bf924bb0ba967

SHA512
6a5038944d2576cfd68f1b7294b00a1b39bba44eb8b378fd2750a43151f2208f3595b8e4900afabce558a40d398e84c342da34b4f9b41b93fb4b7053d1dcc8c7

Download Submit
memory/992-54-0x00000000767D1000-0x00000000767D3000-memory.dmp

Filesize
8KB

Download
memory/992-55-0x0000000074F50000-0x00000000754FB000-memory.dmp

Filesize
5.7MB

Download
memory/992-56-0x0000000074F50000-0x00000000754FB000-memory.dmp

Filesize
5.7MB

Download