9d94d21c6c0d6bb81f9cfebf3973419a189fd00533d97d1d983b96d71cc8f839

Analysis

max time kernel
241s
max time network
337s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
01-12-2022 11:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9d94d21c6c0d6bb81f9cfebf3973419a189fd00533d97d1d983b96d71cc8f839.exe
Size

239KB
MD5

2f76a9f80d9ff4d19798974fdc632718
SHA1

04c805d6f9ca9f9980ababd37cb94d12ff2d7bdd
SHA256

9d94d21c6c0d6bb81f9cfebf3973419a189fd00533d97d1d983b96d71cc8f839
SHA512

1d775bd1a50ebb9a3818b071887a3e775071fd9be24d4d9f1abde7de321ebbd389127a11e5545ed3c9941cf8b618261de37cf7e97829fd930cda5141f73b943b
SSDEEP

3072:kXu/MVID9mJCQnj3WCW2EW5W656N38Mxis5A26BNNXOng:kjCVKhMPaRV

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1480	wnenvideocap.exe
1836	japlut.exe

Loads dropped DLL 10 IoCs

pid	Process
516	9d94d21c6c0d6bb81f9cfebf3973419a189fd00533d97d1d983b96d71cc8f839.exe
516	9d94d21c6c0d6bb81f9cfebf3973419a189fd00533d97d1d983b96d71cc8f839.exe
1480	wnenvideocap.exe
1480	wnenvideocap.exe
1480	wnenvideocap.exe
1480	wnenvideocap.exe
1480	wnenvideocap.exe
1836	japlut.exe
1836	japlut.exe
1836	japlut.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\SearchScopes\{24588FA4-10F1-41D7-B19D-6E22361E47FA}	9d94d21c6c0d6bb81f9cfebf3973419a189fd00533d97d1d983b96d71cc8f839.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\SearchScopes\{24588FA4-10F1-41D7-B19D-6E22361E47FA}\Codepage = "65001"	9d94d21c6c0d6bb81f9cfebf3973419a189fd00533d97d1d983b96d71cc8f839.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\SearchScopes\{24588FA4-10F1-41D7-B19D-6E22361E47FA}\DisplayName = "°Ù¶È"	9d94d21c6c0d6bb81f9cfebf3973419a189fd00533d97d1d983b96d71cc8f839.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\SearchScopes\{24588FA4-10F1-41D7-B19D-6E22361E47FA}\URL = "http://www.baidu.com/s?wd={searchTerms}&tn=site888_1_pg&cl=3&ie=utf-8"	9d94d21c6c0d6bb81f9cfebf3973419a189fd00533d97d1d983b96d71cc8f839.exe
Key created	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\SearchScopes	9d94d21c6c0d6bb81f9cfebf3973419a189fd00533d97d1d983b96d71cc8f839.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{24588FA4-10F1-41D7-B19D-6E22361E47FA}"	9d94d21c6c0d6bb81f9cfebf3973419a189fd00533d97d1d983b96d71cc8f839.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1836	japlut.exe
1836	japlut.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 516 wrote to memory of 1480	516	9d94d21c6c0d6bb81f9cfebf3973419a189fd00533d97d1d983b96d71cc8f839.exe	28
PID 516 wrote to memory of 1480	516	9d94d21c6c0d6bb81f9cfebf3973419a189fd00533d97d1d983b96d71cc8f839.exe	28
PID 516 wrote to memory of 1480	516	9d94d21c6c0d6bb81f9cfebf3973419a189fd00533d97d1d983b96d71cc8f839.exe	28
PID 516 wrote to memory of 1480	516	9d94d21c6c0d6bb81f9cfebf3973419a189fd00533d97d1d983b96d71cc8f839.exe	28
PID 516 wrote to memory of 1480	516	9d94d21c6c0d6bb81f9cfebf3973419a189fd00533d97d1d983b96d71cc8f839.exe	28
PID 516 wrote to memory of 1480	516	9d94d21c6c0d6bb81f9cfebf3973419a189fd00533d97d1d983b96d71cc8f839.exe	28
PID 516 wrote to memory of 1480	516	9d94d21c6c0d6bb81f9cfebf3973419a189fd00533d97d1d983b96d71cc8f839.exe	28
PID 1480 wrote to memory of 1836	1480	wnenvideocap.exe	29
PID 1480 wrote to memory of 1836	1480	wnenvideocap.exe	29
PID 1480 wrote to memory of 1836	1480	wnenvideocap.exe	29
PID 1480 wrote to memory of 1836	1480	wnenvideocap.exe	29
PID 1480 wrote to memory of 1836	1480	wnenvideocap.exe	29
PID 1480 wrote to memory of 1836	1480	wnenvideocap.exe	29
PID 1480 wrote to memory of 1836	1480	wnenvideocap.exe	29

C:\Users\Admin\AppData\Local\Temp\9d94d21c6c0d6bb81f9cfebf3973419a189fd00533d97d1d983b96d71cc8f839.exe
"C:\Users\Admin\AppData\Local\Temp\9d94d21c6c0d6bb81f9cfebf3973419a189fd00533d97d1d983b96d71cc8f839.exe"
1⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:516
- C:\Users\Admin\AppData\Local\Temp\nsk30C3.tmp\wnenvideocap.exe
  C:\Users\Admin\AppData\Local\Temp\nsk30C3.tmp\wnenvideocap.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1480
- - C:\Users\Admin\AppData\Local\Temp\japlut.exe
    "C:\Users\Admin\AppData\Local\Temp\japlut.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:1836

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\japlut.exe

Filesize
28KB

MD5
23b6d9d77810faaa05a955016d4cb0fd

SHA1
cbe0dbbbaa7857ff22fd3ccdb8a2694f3c5715ad

SHA256
af02c225cf3336b6639cb1050c7b2abc92f18949bfa8f75eadbfeabdfbf02546

SHA512
4533128296f30715bfcb8060f76e71874aa8f47bb2484d870645bde5f276aa6b18cb401e3c697a34546aa4170ac0ebb739c395dbdb4ac2125810f461a343d100

Download Submit
C:\Users\Admin\AppData\Local\Temp\japlut.exe

Filesize
28KB

MD5
23b6d9d77810faaa05a955016d4cb0fd

SHA1
cbe0dbbbaa7857ff22fd3ccdb8a2694f3c5715ad

SHA256
af02c225cf3336b6639cb1050c7b2abc92f18949bfa8f75eadbfeabdfbf02546

SHA512
4533128296f30715bfcb8060f76e71874aa8f47bb2484d870645bde5f276aa6b18cb401e3c697a34546aa4170ac0ebb739c395dbdb4ac2125810f461a343d100

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk30C3.tmp\wnenvideocap.exe

Filesize
76KB

MD5
81ea9132c56734bf3a5a1f32fbff64df

SHA1
031244d43c3fd0397bb59ecf21e1796f794a0f20

SHA256
11620b8923b8659774912223bd2d5e3ce1285c673de98c97a959abab9dc4069e

SHA512
47507015b398af964a076c545bb784f660351cdf0d3836d36098d7f1148bece8b59c5c7d95d5ef49d5d9cf20106f1875480e13b8761190dd614c006e37b472df

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk30C3.tmp\wnenvideocap.exe

Filesize
76KB

MD5
81ea9132c56734bf3a5a1f32fbff64df

SHA1
031244d43c3fd0397bb59ecf21e1796f794a0f20

SHA256
11620b8923b8659774912223bd2d5e3ce1285c673de98c97a959abab9dc4069e

SHA512
47507015b398af964a076c545bb784f660351cdf0d3836d36098d7f1148bece8b59c5c7d95d5ef49d5d9cf20106f1875480e13b8761190dd614c006e37b472df

Download Submit
\Users\Admin\AppData\Local\Temp\japlut.exe

Filesize
28KB

MD5
23b6d9d77810faaa05a955016d4cb0fd

SHA1
cbe0dbbbaa7857ff22fd3ccdb8a2694f3c5715ad

SHA256
af02c225cf3336b6639cb1050c7b2abc92f18949bfa8f75eadbfeabdfbf02546

SHA512
4533128296f30715bfcb8060f76e71874aa8f47bb2484d870645bde5f276aa6b18cb401e3c697a34546aa4170ac0ebb739c395dbdb4ac2125810f461a343d100

Download Submit
\Users\Admin\AppData\Local\Temp\japlut.exe

Filesize
28KB

MD5
23b6d9d77810faaa05a955016d4cb0fd

SHA1
cbe0dbbbaa7857ff22fd3ccdb8a2694f3c5715ad

SHA256
af02c225cf3336b6639cb1050c7b2abc92f18949bfa8f75eadbfeabdfbf02546

SHA512
4533128296f30715bfcb8060f76e71874aa8f47bb2484d870645bde5f276aa6b18cb401e3c697a34546aa4170ac0ebb739c395dbdb4ac2125810f461a343d100

Download Submit
\Users\Admin\AppData\Local\Temp\japlut.exe

Filesize
28KB

MD5
23b6d9d77810faaa05a955016d4cb0fd

SHA1
cbe0dbbbaa7857ff22fd3ccdb8a2694f3c5715ad

SHA256
af02c225cf3336b6639cb1050c7b2abc92f18949bfa8f75eadbfeabdfbf02546

SHA512
4533128296f30715bfcb8060f76e71874aa8f47bb2484d870645bde5f276aa6b18cb401e3c697a34546aa4170ac0ebb739c395dbdb4ac2125810f461a343d100

Download Submit
\Users\Admin\AppData\Local\Temp\japlut.exe

Filesize
28KB

MD5
23b6d9d77810faaa05a955016d4cb0fd

SHA1
cbe0dbbbaa7857ff22fd3ccdb8a2694f3c5715ad

SHA256
af02c225cf3336b6639cb1050c7b2abc92f18949bfa8f75eadbfeabdfbf02546

SHA512
4533128296f30715bfcb8060f76e71874aa8f47bb2484d870645bde5f276aa6b18cb401e3c697a34546aa4170ac0ebb739c395dbdb4ac2125810f461a343d100

Download Submit
\Users\Admin\AppData\Local\Temp\japlut.exe

Filesize
28KB

MD5
23b6d9d77810faaa05a955016d4cb0fd

SHA1
cbe0dbbbaa7857ff22fd3ccdb8a2694f3c5715ad

SHA256
af02c225cf3336b6639cb1050c7b2abc92f18949bfa8f75eadbfeabdfbf02546

SHA512
4533128296f30715bfcb8060f76e71874aa8f47bb2484d870645bde5f276aa6b18cb401e3c697a34546aa4170ac0ebb739c395dbdb4ac2125810f461a343d100

Download Submit
\Users\Admin\AppData\Local\Temp\nsk30C3.tmp\wnenvideocap.exe

Filesize
76KB

MD5
81ea9132c56734bf3a5a1f32fbff64df

SHA1
031244d43c3fd0397bb59ecf21e1796f794a0f20

SHA256
11620b8923b8659774912223bd2d5e3ce1285c673de98c97a959abab9dc4069e

SHA512
47507015b398af964a076c545bb784f660351cdf0d3836d36098d7f1148bece8b59c5c7d95d5ef49d5d9cf20106f1875480e13b8761190dd614c006e37b472df

Download Submit
\Users\Admin\AppData\Local\Temp\nsk30C3.tmp\wnenvideocap.exe

Filesize
76KB

MD5
81ea9132c56734bf3a5a1f32fbff64df

SHA1
031244d43c3fd0397bb59ecf21e1796f794a0f20

SHA256
11620b8923b8659774912223bd2d5e3ce1285c673de98c97a959abab9dc4069e

SHA512
47507015b398af964a076c545bb784f660351cdf0d3836d36098d7f1148bece8b59c5c7d95d5ef49d5d9cf20106f1875480e13b8761190dd614c006e37b472df

Download Submit
\Users\Admin\AppData\Local\Temp\nsk30C3.tmp\wnenvideocap.exe

Filesize
76KB

MD5
81ea9132c56734bf3a5a1f32fbff64df

SHA1
031244d43c3fd0397bb59ecf21e1796f794a0f20

SHA256
11620b8923b8659774912223bd2d5e3ce1285c673de98c97a959abab9dc4069e

SHA512
47507015b398af964a076c545bb784f660351cdf0d3836d36098d7f1148bece8b59c5c7d95d5ef49d5d9cf20106f1875480e13b8761190dd614c006e37b472df

Download Submit
\Users\Admin\AppData\Local\Temp\nsk30C3.tmp\wnenvideocap.exe

Filesize
76KB

MD5
81ea9132c56734bf3a5a1f32fbff64df

SHA1
031244d43c3fd0397bb59ecf21e1796f794a0f20

SHA256
11620b8923b8659774912223bd2d5e3ce1285c673de98c97a959abab9dc4069e

SHA512
47507015b398af964a076c545bb784f660351cdf0d3836d36098d7f1148bece8b59c5c7d95d5ef49d5d9cf20106f1875480e13b8761190dd614c006e37b472df

Download Submit
\Users\Admin\AppData\Local\Temp\nsk30C3.tmp\wnenvideocap.exe

Filesize
76KB

MD5
81ea9132c56734bf3a5a1f32fbff64df

SHA1
031244d43c3fd0397bb59ecf21e1796f794a0f20

SHA256
11620b8923b8659774912223bd2d5e3ce1285c673de98c97a959abab9dc4069e

SHA512
47507015b398af964a076c545bb784f660351cdf0d3836d36098d7f1148bece8b59c5c7d95d5ef49d5d9cf20106f1875480e13b8761190dd614c006e37b472df

Download Submit
memory/516-54-0x0000000075551000-0x0000000075553000-memory.dmp

Filesize
8KB

Download
memory/1480-57-0x0000000000000000-mapping.dmp

Download
memory/1836-66-0x0000000000000000-mapping.dmp

Download