82a8a4a3267a52788e61f9a0ff723c2b3dc28d98ce73af00a576fa1f3ed3e02a

Analysis

max time kernel
151s
max time network
158s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 02:12

Target

82a8a4a3267a52788e61f9a0ff723c2b3dc28d98ce73af00a576fa1f3ed3e02a.exe
Size

170KB
MD5

ebd8315ea0a02034a2acb0851a71ed4f
SHA1

5cf9b5ab0545597a33c68c6b4b367a80cd2a62d8
SHA256

82a8a4a3267a52788e61f9a0ff723c2b3dc28d98ce73af00a576fa1f3ed3e02a
SHA512

9e3d8c5610b96397fd68d77cbbd50f702cd5f9ec9f3a013e927b938ceb5460bdaaa2005f86d22e91c699d7a11ea3f3c80c40f7dd8a2611227b5e31854b9380dd
SSDEEP

3072:QewMD9Dfi4V/nTfrq3yFvPR1S7lextRqzgITqn2LQ9:Qmq0/nTrAf7lYRqzg+O

Score

8^/10

Executes dropped EXE 1 IoCs

pid	Process
892	Ndajea.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job	82a8a4a3267a52788e61f9a0ff723c2b3dc28d98ce73af00a576fa1f3ed3e02a.exe
File opened for modification	C:\Windows\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job	82a8a4a3267a52788e61f9a0ff723c2b3dc28d98ce73af00a576fa1f3ed3e02a.exe
File created	C:\Windows\Ndajea.exe	82a8a4a3267a52788e61f9a0ff723c2b3dc28d98ce73af00a576fa1f3ed3e02a.exe
File opened for modification	C:\Windows\Ndajea.exe	82a8a4a3267a52788e61f9a0ff723c2b3dc28d98ce73af00a576fa1f3ed3e02a.exe
File created	C:\Windows\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job	Ndajea.exe
File opened for modification	C:\Windows\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job	Ndajea.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	Ndajea.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\International	Ndajea.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1528	82a8a4a3267a52788e61f9a0ff723c2b3dc28d98ce73af00a576fa1f3ed3e02a.exe
892	Ndajea.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1528 wrote to memory of 892	1528	82a8a4a3267a52788e61f9a0ff723c2b3dc28d98ce73af00a576fa1f3ed3e02a.exe	28
PID 1528 wrote to memory of 892	1528	82a8a4a3267a52788e61f9a0ff723c2b3dc28d98ce73af00a576fa1f3ed3e02a.exe	28
PID 1528 wrote to memory of 892	1528	82a8a4a3267a52788e61f9a0ff723c2b3dc28d98ce73af00a576fa1f3ed3e02a.exe	28
PID 1528 wrote to memory of 892	1528	82a8a4a3267a52788e61f9a0ff723c2b3dc28d98ce73af00a576fa1f3ed3e02a.exe	28

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Windows\Ndajea.exe

Filesize
170KB

MD5
ebd8315ea0a02034a2acb0851a71ed4f

SHA1
5cf9b5ab0545597a33c68c6b4b367a80cd2a62d8

SHA256
82a8a4a3267a52788e61f9a0ff723c2b3dc28d98ce73af00a576fa1f3ed3e02a

SHA512
9e3d8c5610b96397fd68d77cbbd50f702cd5f9ec9f3a013e927b938ceb5460bdaaa2005f86d22e91c699d7a11ea3f3c80c40f7dd8a2611227b5e31854b9380dd

Download Submit
C:\Windows\Tasks\{810401E2-DDE0-454e-B0E2-AA89C9E5967C}.job

Filesize
408B

MD5
a7a03f65d915343ca621979dfac21cf6

SHA1
105d892627f060bca3e99005802c8abe94c70727

SHA256
2655f9a81a7858a35953b2f5f677ad349994c7c2094fb2d1e52d84abd1c83916

SHA512
c3b06f5faab69564e5a6acbd44eb3f5afc35cbea2f19a9b6e670282c574b8102c847438e69b9dc320de61901df21d1dedfcc996947e16e81d38befe2341e0e31

Download Submit
memory/892-61-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1528-54-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download
memory/1528-55-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1528-56-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1528-62-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download