Analysis
-
max time kernel
232s -
max time network
265s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system -
submitted
29/11/2022, 03:16
Static task
static1
Behavioral task
behavioral1
Sample
75fc524129c3025014c06b1f3475d2e6d9ea9cd326f653760f75f0ad71d84f1e.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
75fc524129c3025014c06b1f3475d2e6d9ea9cd326f653760f75f0ad71d84f1e.exe
Resource
win10v2004-20221111-en
General
-
Target
75fc524129c3025014c06b1f3475d2e6d9ea9cd326f653760f75f0ad71d84f1e.exe
-
Size
264KB
-
MD5
94341251c899fcbebb190ba272eafd9c
-
SHA1
d9f9efcb62aa7a663569ccef3043cc9e1c4535dc
-
SHA256
75fc524129c3025014c06b1f3475d2e6d9ea9cd326f653760f75f0ad71d84f1e
-
SHA512
7d3fd8ec580132ec4afe50d2858227eca18fbc773c9fefbe10afe441feee1718f57750d48eb3d08cf7c9f95bc022ae83d930dc861243246d5962559a46c07bc1
-
SSDEEP
3072:HwwQcqsOeDf2IDyG2pfr4GNLzECcKIvMBSYWunCvPQiwhjXH1WkaBx5/lvnjLYar:QwQ3sOeb9Ic6OLynWunzXH1W9r
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" 75fc524129c3025014c06b1f3475d2e6d9ea9cd326f653760f75f0ad71d84f1e.exe Set value (int) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" joaje.exe -
Executes dropped EXE 1 IoCs
pid Process 1696 joaje.exe -
Loads dropped DLL 2 IoCs
pid Process 560 75fc524129c3025014c06b1f3475d2e6d9ea9cd326f653760f75f0ad71d84f1e.exe 560 75fc524129c3025014c06b1f3475d2e6d9ea9cd326f653760f75f0ad71d84f1e.exe -
Adds Run key to start application 2 TTPs 47 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /B" joaje.exe Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /I" joaje.exe Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /H" joaje.exe Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /K" joaje.exe Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /b" joaje.exe Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /r" joaje.exe Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /x" joaje.exe Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /l" joaje.exe Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /o" joaje.exe Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /V" joaje.exe Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ joaje.exe Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /u" joaje.exe Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /i" joaje.exe Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /W" joaje.exe Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /t" joaje.exe Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /T" joaje.exe Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /c" joaje.exe Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /Z" joaje.exe Key created \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ 75fc524129c3025014c06b1f3475d2e6d9ea9cd326f653760f75f0ad71d84f1e.exe Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /Y" joaje.exe Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /d" joaje.exe Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /s" joaje.exe Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /v" joaje.exe Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /N" joaje.exe Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /X" joaje.exe Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /C" joaje.exe Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /m" joaje.exe Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /a" joaje.exe Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /G" joaje.exe Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /j" joaje.exe Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /U" joaje.exe Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /L" joaje.exe Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /q" joaje.exe Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /f" joaje.exe Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /h" joaje.exe Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /P" joaje.exe Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /n" joaje.exe Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /Q" joaje.exe Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /A" joaje.exe Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /D" joaje.exe Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /E" joaje.exe Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /S" joaje.exe Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /J" joaje.exe Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /k" joaje.exe Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /y" joaje.exe Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /G" 75fc524129c3025014c06b1f3475d2e6d9ea9cd326f653760f75f0ad71d84f1e.exe Set value (str) \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\joaje = "C:\\Users\\Admin\\joaje.exe /g" joaje.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 560 75fc524129c3025014c06b1f3475d2e6d9ea9cd326f653760f75f0ad71d84f1e.exe 1696 joaje.exe 1696 joaje.exe 1696 joaje.exe 1696 joaje.exe 1696 joaje.exe 1696 joaje.exe 1696 joaje.exe 1696 joaje.exe 1696 joaje.exe 1696 joaje.exe 1696 joaje.exe 1696 joaje.exe 1696 joaje.exe 1696 joaje.exe 1696 joaje.exe 1696 joaje.exe 1696 joaje.exe 1696 joaje.exe 1696 joaje.exe 1696 joaje.exe 1696 joaje.exe 1696 joaje.exe 1696 joaje.exe 1696 joaje.exe 1696 joaje.exe 1696 joaje.exe 1696 joaje.exe 1696 joaje.exe 1696 joaje.exe 1696 joaje.exe 1696 joaje.exe 1696 joaje.exe 1696 joaje.exe 1696 joaje.exe 1696 joaje.exe 1696 joaje.exe 1696 joaje.exe 1696 joaje.exe 1696 joaje.exe 1696 joaje.exe 1696 joaje.exe 1696 joaje.exe 1696 joaje.exe 1696 joaje.exe 1696 joaje.exe 1696 joaje.exe 1696 joaje.exe 1696 joaje.exe 1696 joaje.exe 1696 joaje.exe 1696 joaje.exe 1696 joaje.exe 1696 joaje.exe 1696 joaje.exe 1696 joaje.exe 1696 joaje.exe 1696 joaje.exe 1696 joaje.exe 1696 joaje.exe 1696 joaje.exe 1696 joaje.exe 1696 joaje.exe 1696 joaje.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 560 75fc524129c3025014c06b1f3475d2e6d9ea9cd326f653760f75f0ad71d84f1e.exe 1696 joaje.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 560 wrote to memory of 1696 560 75fc524129c3025014c06b1f3475d2e6d9ea9cd326f653760f75f0ad71d84f1e.exe 28 PID 560 wrote to memory of 1696 560 75fc524129c3025014c06b1f3475d2e6d9ea9cd326f653760f75f0ad71d84f1e.exe 28 PID 560 wrote to memory of 1696 560 75fc524129c3025014c06b1f3475d2e6d9ea9cd326f653760f75f0ad71d84f1e.exe 28 PID 560 wrote to memory of 1696 560 75fc524129c3025014c06b1f3475d2e6d9ea9cd326f653760f75f0ad71d84f1e.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\75fc524129c3025014c06b1f3475d2e6d9ea9cd326f653760f75f0ad71d84f1e.exe"C:\Users\Admin\AppData\Local\Temp\75fc524129c3025014c06b1f3475d2e6d9ea9cd326f653760f75f0ad71d84f1e.exe"1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:560 -
C:\Users\Admin\joaje.exe"C:\Users\Admin\joaje.exe"2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1696
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
264KB
MD54ea863c988e3ce4d9fd3aa4503854cd3
SHA1efa8aa37981e12bf31d2ff959a0da19c084ff107
SHA25680fe430720d27019d40d5e0c827890cb94e196dd49bb138928683f6f0622c7ec
SHA512cfdc46ca807521ef0561044fec05c5860152554e7914f9c633dfd5eea947962da18f7ebe795c05405b7502ea4de6a91673c8781bab8f2dea8eed9c1342b16bf0
-
Filesize
264KB
MD54ea863c988e3ce4d9fd3aa4503854cd3
SHA1efa8aa37981e12bf31d2ff959a0da19c084ff107
SHA25680fe430720d27019d40d5e0c827890cb94e196dd49bb138928683f6f0622c7ec
SHA512cfdc46ca807521ef0561044fec05c5860152554e7914f9c633dfd5eea947962da18f7ebe795c05405b7502ea4de6a91673c8781bab8f2dea8eed9c1342b16bf0
-
Filesize
264KB
MD54ea863c988e3ce4d9fd3aa4503854cd3
SHA1efa8aa37981e12bf31d2ff959a0da19c084ff107
SHA25680fe430720d27019d40d5e0c827890cb94e196dd49bb138928683f6f0622c7ec
SHA512cfdc46ca807521ef0561044fec05c5860152554e7914f9c633dfd5eea947962da18f7ebe795c05405b7502ea4de6a91673c8781bab8f2dea8eed9c1342b16bf0
-
Filesize
264KB
MD54ea863c988e3ce4d9fd3aa4503854cd3
SHA1efa8aa37981e12bf31d2ff959a0da19c084ff107
SHA25680fe430720d27019d40d5e0c827890cb94e196dd49bb138928683f6f0622c7ec
SHA512cfdc46ca807521ef0561044fec05c5860152554e7914f9c633dfd5eea947962da18f7ebe795c05405b7502ea4de6a91673c8781bab8f2dea8eed9c1342b16bf0