4ac4e9138a81bf30b9d3d349087f4cdf41ed317b920394754b6731fbbe731efd

Analysis

max time kernel
101s
max time network
31s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
29/11/2022, 09:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4ac4e9138a81bf30b9d3d349087f4cdf41ed317b920394754b6731fbbe731efd.exe
Size

141KB
MD5

0db525a1cfe94ece29e8e1bede9a0c90
SHA1

f1ec85a5dad13180403848e8db7bc006b57465b4
SHA256

4ac4e9138a81bf30b9d3d349087f4cdf41ed317b920394754b6731fbbe731efd
SHA512

2f22481cc2098104fb41e239c84d5d737ea2c83337ea0687c7d7b98bf461c6852e0a62e0ff9c1f32a4088c1610ccd8602037c9b928f6979f81bfdb4e81427870
SSDEEP

3072:ixHEI6rvvMV0nE17B+TnFnvcwHdtTQ3lNvuCLeEPbUXHrx0:ixkHMV0nE1l+LtvcwHbo/aSUXLx0

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
380	jydekdj.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\jydekdj.exe	4ac4e9138a81bf30b9d3d349087f4cdf41ed317b920394754b6731fbbe731efd.exe
File created	C:\PROGRA~3\Mozilla\xdldjol.dll	jydekdj.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 864 wrote to memory of 380	864	taskeng.exe	29
PID 864 wrote to memory of 380	864	taskeng.exe	29
PID 864 wrote to memory of 380	864	taskeng.exe	29
PID 864 wrote to memory of 380	864	taskeng.exe	29

C:\Users\Admin\AppData\Local\Temp\4ac4e9138a81bf30b9d3d349087f4cdf41ed317b920394754b6731fbbe731efd.exe
"C:\Users\Admin\AppData\Local\Temp\4ac4e9138a81bf30b9d3d349087f4cdf41ed317b920394754b6731fbbe731efd.exe"
1⤵
- Drops file in Program Files directory
PID:2024

C:\Windows\system32\taskeng.exe
taskeng.exe {09C16B13-35C8-49F4-A943-4CC7FE4B969C} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:864
- C:\PROGRA~3\Mozilla\jydekdj.exe
  C:\PROGRA~3\Mozilla\jydekdj.exe -vamlaul
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:380

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\jydekdj.exe

Filesize
141KB

MD5
ca249227714989c2e6432bc22a013fd3

SHA1
3589328db1433761403d1acfbebdd7b48985eb5f

SHA256
65ec59a82812010c076129df67e7212811488f63cf119caeacfffd431dc83b91

SHA512
59f57d822b3eb4a184088b9ef4b4ad3cfaf97c85dacd6af914342f0340236a6f19eac5af9772374dc434822c115f7dc00919836c3abfa9193e5cf1d9b9875aed

Download Submit
C:\PROGRA~3\Mozilla\jydekdj.exe

Filesize
141KB

MD5
ca249227714989c2e6432bc22a013fd3

SHA1
3589328db1433761403d1acfbebdd7b48985eb5f

SHA256
65ec59a82812010c076129df67e7212811488f63cf119caeacfffd431dc83b91

SHA512
59f57d822b3eb4a184088b9ef4b4ad3cfaf97c85dacd6af914342f0340236a6f19eac5af9772374dc434822c115f7dc00919836c3abfa9193e5cf1d9b9875aed

Download Submit
memory/380-64-0x0000000000370000-0x00000000003CB000-memory.dmp

Filesize
364KB

Download
memory/2024-54-0x00000000767B1000-0x00000000767B3000-memory.dmp

Filesize
8KB

Download
memory/2024-55-0x0000000000230000-0x000000000028B000-memory.dmp

Filesize
364KB

Download