742b5e4db1e251cb36c811d551d18e88de805e012f75b1fed70801b0b152ffc5

Analysis

max time kernel
127s
max time network
33s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
01/12/2022, 03:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

742b5e4db1e251cb36c811d551d18e88de805e012f75b1fed70801b0b152ffc5.exe
Size

215KB
MD5

f2839e301135eecd3c07ca85f4851d50
SHA1

4cee4eac5f65336ca1d3094a65a1788983b99633
SHA256

742b5e4db1e251cb36c811d551d18e88de805e012f75b1fed70801b0b152ffc5
SHA512

323fe7552312de7a84baf98ac9e3ab749cc9961779c2d2aae9e92851581091f4a02048821cd1af83ad05f852f2f868431c68f99a5c447c7728b564bc67611273
SSDEEP

6144:CDJVazMKV31FdaQvXluxqU+A/0y+nt75voqQEnHJ:CDJM/bXntAh+nhZoqQEHJ

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1056	jydekdj.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\jydekdj.exe	742b5e4db1e251cb36c811d551d18e88de805e012f75b1fed70801b0b152ffc5.exe
File created	C:\PROGRA~3\Mozilla\xdldjol.dll	jydekdj.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 560 wrote to memory of 1056	560	taskeng.exe	29
PID 560 wrote to memory of 1056	560	taskeng.exe	29
PID 560 wrote to memory of 1056	560	taskeng.exe	29
PID 560 wrote to memory of 1056	560	taskeng.exe	29

C:\Users\Admin\AppData\Local\Temp\742b5e4db1e251cb36c811d551d18e88de805e012f75b1fed70801b0b152ffc5.exe
"C:\Users\Admin\AppData\Local\Temp\742b5e4db1e251cb36c811d551d18e88de805e012f75b1fed70801b0b152ffc5.exe"
1⤵
- Drops file in Program Files directory
PID:976

C:\Windows\system32\taskeng.exe
taskeng.exe {397BCD4F-3EA2-4021-977A-CD3943BEE41E} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:560
- C:\PROGRA~3\Mozilla\jydekdj.exe
  C:\PROGRA~3\Mozilla\jydekdj.exe -vamlaul
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1056

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\jydekdj.exe

Filesize
215KB

MD5
6a90a5feb0258284a5119d4a20a089e6

SHA1
51ed4f9d6af1806e4b02782c8095c01a17b161b3

SHA256
5f6974df73c7dc8051a88214a986bedcd0af6db64299a8c888c8f415230d40f9

SHA512
9548bb7bc4261e04f6f3a79221edb5b745364292b40025873a76940761d1bbb60847390dad5500b757368325367d3d489cd319b8f34531d6447b0d8909b812aa

Download Submit
C:\PROGRA~3\Mozilla\jydekdj.exe

Filesize
215KB

MD5
6a90a5feb0258284a5119d4a20a089e6

SHA1
51ed4f9d6af1806e4b02782c8095c01a17b161b3

SHA256
5f6974df73c7dc8051a88214a986bedcd0af6db64299a8c888c8f415230d40f9

SHA512
9548bb7bc4261e04f6f3a79221edb5b745364292b40025873a76940761d1bbb60847390dad5500b757368325367d3d489cd319b8f34531d6447b0d8909b812aa

Download Submit
memory/976-54-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/976-55-0x0000000075761000-0x0000000075763000-memory.dmp

Filesize
8KB

Download
memory/976-56-0x00000000003A0000-0x00000000003FB000-memory.dmp

Filesize
364KB

Download
memory/1056-64-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1056-66-0x00000000004F0000-0x000000000054B000-memory.dmp

Filesize
364KB

Download