75fc524129c3025014c06b1f3475d2e6d9ea9cd326f653760f75f0ad71d84f1e

Analysis

max time kernel
232s
max time network
265s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
29/11/2022, 03:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75fc524129c3025014c06b1f3475d2e6d9ea9cd326f653760f75f0ad71d84f1e.exe
Size

264KB
MD5

94341251c899fcbebb190ba272eafd9c
SHA1

d9f9efcb62aa7a663569ccef3043cc9e1c4535dc
SHA256

75fc524129c3025014c06b1f3475d2e6d9ea9cd326f653760f75f0ad71d84f1e
SHA512

7d3fd8ec580132ec4afe50d2858227eca18fbc773c9fefbe10afe441feee1718f57750d48eb3d08cf7c9f95bc022ae83d930dc861243246d5962559a46c07bc1
SSDEEP

3072:HwwQcqsOeDf2IDyG2pfr4GNLzECcKIvMBSYWunCvPQiwhjXH1WkaBx5/lvnjLYar:QwQ3sOeb9Ic6OLynWunzXH1W9r

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	75fc524129c3025014c06b1f3475d2e6d9ea9cd326f653760f75f0ad71d84f1e.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	joaje.exe

Executes dropped EXE 1 IoCs

pid	Process
1696	joaje.exe

Loads dropped DLL 2 IoCs

pid	Process
560	75fc524129c3025014c06b1f3475d2e6d9ea9cd326f653760f75f0ad71d84f1e.exe
560	75fc524129c3025014c06b1f3475d2e6d9ea9cd326f653760f75f0ad71d84f1e.exe

Adds Run key to start application 2 TTPs 47 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /B"	joaje.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /I"	joaje.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /H"	joaje.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /K"	joaje.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /b"	joaje.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /r"	joaje.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /x"	joaje.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /l"	joaje.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /o"	joaje.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /V"	joaje.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\	joaje.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /u"	joaje.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /i"	joaje.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /W"	joaje.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /t"	joaje.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /T"	joaje.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /c"	joaje.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /Z"	joaje.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\	75fc524129c3025014c06b1f3475d2e6d9ea9cd326f653760f75f0ad71d84f1e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /Y"	joaje.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /d"	joaje.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /s"	joaje.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /v"	joaje.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /N"	joaje.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /X"	joaje.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /C"	joaje.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /m"	joaje.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /a"	joaje.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /G"	joaje.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /j"	joaje.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /U"	joaje.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /L"	joaje.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /q"	joaje.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /f"	joaje.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /h"	joaje.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /P"	joaje.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /n"	joaje.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /Q"	joaje.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /A"	joaje.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /D"	joaje.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /E"	joaje.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /S"	joaje.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /J"	joaje.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /k"	joaje.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /y"	joaje.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /G"	75fc524129c3025014c06b1f3475d2e6d9ea9cd326f653760f75f0ad71d84f1e.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /g"	joaje.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
560	75fc524129c3025014c06b1f3475d2e6d9ea9cd326f653760f75f0ad71d84f1e.exe
1696	joaje.exe
1696	joaje.exe
1696	joaje.exe
1696	joaje.exe
1696	joaje.exe
1696	joaje.exe
1696	joaje.exe
1696	joaje.exe
1696	joaje.exe
1696	joaje.exe
1696	joaje.exe
1696	joaje.exe
1696	joaje.exe
1696	joaje.exe
1696	joaje.exe
1696	joaje.exe
1696	joaje.exe
1696	joaje.exe
1696	joaje.exe
1696	joaje.exe
1696	joaje.exe
1696	joaje.exe
1696	joaje.exe
1696	joaje.exe
1696	joaje.exe
1696	joaje.exe
1696	joaje.exe
1696	joaje.exe
1696	joaje.exe
1696	joaje.exe
1696	joaje.exe
1696	joaje.exe
1696	joaje.exe
1696	joaje.exe
1696	joaje.exe
1696	joaje.exe
1696	joaje.exe
1696	joaje.exe
1696	joaje.exe
1696	joaje.exe
1696	joaje.exe
1696	joaje.exe
1696	joaje.exe
1696	joaje.exe
1696	joaje.exe
1696	joaje.exe
1696	joaje.exe
1696	joaje.exe
1696	joaje.exe
1696	joaje.exe
1696	joaje.exe
1696	joaje.exe
1696	joaje.exe
1696	joaje.exe
1696	joaje.exe
1696	joaje.exe
1696	joaje.exe
1696	joaje.exe
1696	joaje.exe
1696	joaje.exe
1696	joaje.exe
1696	joaje.exe
1696	joaje.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
560	75fc524129c3025014c06b1f3475d2e6d9ea9cd326f653760f75f0ad71d84f1e.exe
1696	joaje.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 560 wrote to memory of 1696	560	75fc524129c3025014c06b1f3475d2e6d9ea9cd326f653760f75f0ad71d84f1e.exe	28
PID 560 wrote to memory of 1696	560	75fc524129c3025014c06b1f3475d2e6d9ea9cd326f653760f75f0ad71d84f1e.exe	28
PID 560 wrote to memory of 1696	560	75fc524129c3025014c06b1f3475d2e6d9ea9cd326f653760f75f0ad71d84f1e.exe	28
PID 560 wrote to memory of 1696	560	75fc524129c3025014c06b1f3475d2e6d9ea9cd326f653760f75f0ad71d84f1e.exe	28

C:\Users\Admin\AppData\Local\Temp\75fc524129c3025014c06b1f3475d2e6d9ea9cd326f653760f75f0ad71d84f1e.exe
"C:\Users\Admin\AppData\Local\Temp\75fc524129c3025014c06b1f3475d2e6d9ea9cd326f653760f75f0ad71d84f1e.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:560
- C:\Users\Admin\joaje.exe
  "C:\Users\Admin\joaje.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1696

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\joaje.exe

Filesize
264KB

MD5
4ea863c988e3ce4d9fd3aa4503854cd3

SHA1
efa8aa37981e12bf31d2ff959a0da19c084ff107

SHA256
80fe430720d27019d40d5e0c827890cb94e196dd49bb138928683f6f0622c7ec

SHA512
cfdc46ca807521ef0561044fec05c5860152554e7914f9c633dfd5eea947962da18f7ebe795c05405b7502ea4de6a91673c8781bab8f2dea8eed9c1342b16bf0

Download Submit
C:\Users\Admin\joaje.exe

Filesize
264KB

MD5
4ea863c988e3ce4d9fd3aa4503854cd3

SHA1
efa8aa37981e12bf31d2ff959a0da19c084ff107

SHA256
80fe430720d27019d40d5e0c827890cb94e196dd49bb138928683f6f0622c7ec

SHA512
cfdc46ca807521ef0561044fec05c5860152554e7914f9c633dfd5eea947962da18f7ebe795c05405b7502ea4de6a91673c8781bab8f2dea8eed9c1342b16bf0

Download Submit
\Users\Admin\joaje.exe

Filesize
264KB

MD5
4ea863c988e3ce4d9fd3aa4503854cd3

SHA1
efa8aa37981e12bf31d2ff959a0da19c084ff107

SHA256
80fe430720d27019d40d5e0c827890cb94e196dd49bb138928683f6f0622c7ec

SHA512
cfdc46ca807521ef0561044fec05c5860152554e7914f9c633dfd5eea947962da18f7ebe795c05405b7502ea4de6a91673c8781bab8f2dea8eed9c1342b16bf0

Download Submit
\Users\Admin\joaje.exe

Filesize
264KB

MD5
4ea863c988e3ce4d9fd3aa4503854cd3

SHA1
efa8aa37981e12bf31d2ff959a0da19c084ff107

SHA256
80fe430720d27019d40d5e0c827890cb94e196dd49bb138928683f6f0622c7ec

SHA512
cfdc46ca807521ef0561044fec05c5860152554e7914f9c633dfd5eea947962da18f7ebe795c05405b7502ea4de6a91673c8781bab8f2dea8eed9c1342b16bf0

Download Submit
memory/560-56-0x00000000757E1000-0x00000000757E3000-memory.dmp

Filesize
8KB

Download