ef9fb782de436f82adb1abb81451f6f936a758a443ecd56aee527beb675d4a3e

Analysis

max time kernel
189s
max time network
223s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 03:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ef9fb782de436f82adb1abb81451f6f936a758a443ecd56aee527beb675d4a3e.exe
Size

307KB
MD5

b4b8da1e7dc36ef2c99c300db2a65bd0
SHA1

cb22398bce74743b86a99cb2cc58cc52fc801ade
SHA256

ef9fb782de436f82adb1abb81451f6f936a758a443ecd56aee527beb675d4a3e
SHA512

95cb8864ea954e83f72b54f03e432b1bc6c9820ae3345446ac1942113a84b6e70158f6dcc655469c16678253a7fa7f78c0bf71e5cb129265ea3b023511ffef71
SSDEEP

6144:IyGxr7rLrLrLrbrrrxB0pY4VE/RHn6OoGt+yKoUV7u6YhVdG+AbQuTsZR7i8ipxF:5Gxr7rLrLrLrbrrrxB0S4gn6iH0s7Pzb

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1152	joxu.exe

Deletes itself 1 IoCs

pid	Process
756	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
1092	ef9fb782de436f82adb1abb81451f6f936a758a443ecd56aee527beb675d4a3e.exe
1092	ef9fb782de436f82adb1abb81451f6f936a758a443ecd56aee527beb675d4a3e.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run\Joxu = "C:\\Users\\Admin\\AppData\\Roaming\\Wixyzu\\joxu.exe"	joxu.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run	joxu.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1092 set thread context of 756	1092	ef9fb782de436f82adb1abb81451f6f936a758a443ecd56aee527beb675d4a3e.exe	29

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1152	joxu.exe
1152	joxu.exe
1152	joxu.exe
1152	joxu.exe
1152	joxu.exe
1152	joxu.exe
1152	joxu.exe
1152	joxu.exe
1152	joxu.exe
1152	joxu.exe
1152	joxu.exe
1152	joxu.exe
1152	joxu.exe
1152	joxu.exe
1152	joxu.exe
1152	joxu.exe
1152	joxu.exe
1152	joxu.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1092 wrote to memory of 1152	1092	ef9fb782de436f82adb1abb81451f6f936a758a443ecd56aee527beb675d4a3e.exe	28
PID 1092 wrote to memory of 1152	1092	ef9fb782de436f82adb1abb81451f6f936a758a443ecd56aee527beb675d4a3e.exe	28
PID 1092 wrote to memory of 1152	1092	ef9fb782de436f82adb1abb81451f6f936a758a443ecd56aee527beb675d4a3e.exe	28
PID 1092 wrote to memory of 1152	1092	ef9fb782de436f82adb1abb81451f6f936a758a443ecd56aee527beb675d4a3e.exe	28
PID 1152 wrote to memory of 1112	1152	joxu.exe	20
PID 1152 wrote to memory of 1112	1152	joxu.exe	20
PID 1152 wrote to memory of 1112	1152	joxu.exe	20
PID 1152 wrote to memory of 1112	1152	joxu.exe	20
PID 1152 wrote to memory of 1112	1152	joxu.exe	20
PID 1152 wrote to memory of 1156	1152	joxu.exe	19
PID 1152 wrote to memory of 1156	1152	joxu.exe	19
PID 1152 wrote to memory of 1156	1152	joxu.exe	19
PID 1152 wrote to memory of 1156	1152	joxu.exe	19
PID 1152 wrote to memory of 1156	1152	joxu.exe	19
PID 1152 wrote to memory of 1188	1152	joxu.exe	11
PID 1152 wrote to memory of 1188	1152	joxu.exe	11
PID 1152 wrote to memory of 1188	1152	joxu.exe	11
PID 1152 wrote to memory of 1188	1152	joxu.exe	11
PID 1152 wrote to memory of 1188	1152	joxu.exe	11
PID 1152 wrote to memory of 1092	1152	joxu.exe	14
PID 1152 wrote to memory of 1092	1152	joxu.exe	14
PID 1152 wrote to memory of 1092	1152	joxu.exe	14
PID 1152 wrote to memory of 1092	1152	joxu.exe	14
PID 1152 wrote to memory of 1092	1152	joxu.exe	14
PID 1092 wrote to memory of 756	1092	ef9fb782de436f82adb1abb81451f6f936a758a443ecd56aee527beb675d4a3e.exe	29
PID 1092 wrote to memory of 756	1092	ef9fb782de436f82adb1abb81451f6f936a758a443ecd56aee527beb675d4a3e.exe	29
PID 1092 wrote to memory of 756	1092	ef9fb782de436f82adb1abb81451f6f936a758a443ecd56aee527beb675d4a3e.exe	29
PID 1092 wrote to memory of 756	1092	ef9fb782de436f82adb1abb81451f6f936a758a443ecd56aee527beb675d4a3e.exe	29
PID 1092 wrote to memory of 756	1092	ef9fb782de436f82adb1abb81451f6f936a758a443ecd56aee527beb675d4a3e.exe	29
PID 1092 wrote to memory of 756	1092	ef9fb782de436f82adb1abb81451f6f936a758a443ecd56aee527beb675d4a3e.exe	29
PID 1092 wrote to memory of 756	1092	ef9fb782de436f82adb1abb81451f6f936a758a443ecd56aee527beb675d4a3e.exe	29
PID 1092 wrote to memory of 756	1092	ef9fb782de436f82adb1abb81451f6f936a758a443ecd56aee527beb675d4a3e.exe	29
PID 1092 wrote to memory of 756	1092	ef9fb782de436f82adb1abb81451f6f936a758a443ecd56aee527beb675d4a3e.exe	29

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1188
- C:\Users\Admin\AppData\Local\Temp\ef9fb782de436f82adb1abb81451f6f936a758a443ecd56aee527beb675d4a3e.exe
  "C:\Users\Admin\AppData\Local\Temp\ef9fb782de436f82adb1abb81451f6f936a758a443ecd56aee527beb675d4a3e.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1092
- - C:\Users\Admin\AppData\Roaming\Wixyzu\joxu.exe
    "C:\Users\Admin\AppData\Roaming\Wixyzu\joxu.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1152
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\IKJ81EE.bat"
    3⤵
    - Deletes itself
    PID:756

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1156

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IKJ81EE.bat

Filesize
303B

MD5
ab781a2f3eb635152415eae9591e1cb1

SHA1
5b917df5bb212bcad4cc69f3cacd41e35ea65852

SHA256
47d6d90800902b5843cc041c4c7a445aecd03bdab550ba036e1faa6eee0aa257

SHA512
982a5ec4e543165c40c1556e41500f6309b1786335ff3c3acbfe3287d85dfd167ccb4861ec3912729eb6c7c738ee34367c49a09fa16f26df2e98220feba218c0

Download Submit
C:\Users\Admin\AppData\Roaming\Wixyzu\joxu.exe

Filesize
307KB

MD5
43ab00d8fe10a718a32e60614afed529

SHA1
2183e912ff59154caaafc0146df4146d5f05eea7

SHA256
fa411ae9bec9b0c74877e46896851fa46c3566d18656719aeacf188e38e7ea1f

SHA512
11ee48a92feb20474abdd45b468d9dabb0ab7a6eb5e46c9a10be4d153c5ec8da582ee46ab33c4c015c732f687b21f8c755e677c7f3643fec3d10edcec85c7889

Download Submit
C:\Users\Admin\AppData\Roaming\Wixyzu\joxu.exe

Filesize
307KB

MD5
43ab00d8fe10a718a32e60614afed529

SHA1
2183e912ff59154caaafc0146df4146d5f05eea7

SHA256
fa411ae9bec9b0c74877e46896851fa46c3566d18656719aeacf188e38e7ea1f

SHA512
11ee48a92feb20474abdd45b468d9dabb0ab7a6eb5e46c9a10be4d153c5ec8da582ee46ab33c4c015c732f687b21f8c755e677c7f3643fec3d10edcec85c7889

Download Submit
\Users\Admin\AppData\Roaming\Wixyzu\joxu.exe

Filesize
307KB

MD5
43ab00d8fe10a718a32e60614afed529

SHA1
2183e912ff59154caaafc0146df4146d5f05eea7

SHA256
fa411ae9bec9b0c74877e46896851fa46c3566d18656719aeacf188e38e7ea1f

SHA512
11ee48a92feb20474abdd45b468d9dabb0ab7a6eb5e46c9a10be4d153c5ec8da582ee46ab33c4c015c732f687b21f8c755e677c7f3643fec3d10edcec85c7889

Download Submit
\Users\Admin\AppData\Roaming\Wixyzu\joxu.exe

Filesize
307KB

MD5
43ab00d8fe10a718a32e60614afed529

SHA1
2183e912ff59154caaafc0146df4146d5f05eea7

SHA256
fa411ae9bec9b0c74877e46896851fa46c3566d18656719aeacf188e38e7ea1f

SHA512
11ee48a92feb20474abdd45b468d9dabb0ab7a6eb5e46c9a10be4d153c5ec8da582ee46ab33c4c015c732f687b21f8c755e677c7f3643fec3d10edcec85c7889

Download Submit
memory/756-110-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/756-111-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/756-112-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/756-97-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/756-109-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/756-108-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/756-107-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/756-106-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/756-105-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/756-101-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/756-100-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/756-99-0x0000000000050000-0x0000000000099000-memory.dmp

Filesize
292KB

Download
memory/1092-86-0x0000000001FF0000-0x0000000002039000-memory.dmp

Filesize
292KB

Download
memory/1092-102-0x0000000001FF0000-0x0000000002039000-memory.dmp

Filesize
292KB

Download
memory/1092-55-0x0000000000401000-0x0000000000442000-memory.dmp

Filesize
260KB

Download
memory/1092-56-0x0000000075291000-0x0000000075293000-memory.dmp

Filesize
8KB

Download
memory/1092-54-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1092-85-0x0000000001FF0000-0x0000000002039000-memory.dmp

Filesize
292KB

Download
memory/1092-88-0x0000000001FF0000-0x0000000002039000-memory.dmp

Filesize
292KB

Download
memory/1092-87-0x0000000001FF0000-0x0000000002039000-memory.dmp

Filesize
292KB

Download
memory/1092-89-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1092-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1092-91-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1092-92-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1092-94-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1092-93-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1112-68-0x0000000001C80000-0x0000000001CC9000-memory.dmp

Filesize
292KB

Download
memory/1112-65-0x0000000001C80000-0x0000000001CC9000-memory.dmp

Filesize
292KB

Download
memory/1112-67-0x0000000001C80000-0x0000000001CC9000-memory.dmp

Filesize
292KB

Download
memory/1112-70-0x0000000001C80000-0x0000000001CC9000-memory.dmp

Filesize
292KB

Download
memory/1112-69-0x0000000001C80000-0x0000000001CC9000-memory.dmp

Filesize
292KB

Download
memory/1152-62-0x0000000000400000-0x000000000044F000-memory.dmp

Filesize
316KB

Download
memory/1156-73-0x00000000001D0000-0x0000000000219000-memory.dmp

Filesize
292KB

Download
memory/1156-75-0x00000000001D0000-0x0000000000219000-memory.dmp

Filesize
292KB

Download
memory/1156-76-0x00000000001D0000-0x0000000000219000-memory.dmp

Filesize
292KB

Download
memory/1156-74-0x00000000001D0000-0x0000000000219000-memory.dmp

Filesize
292KB

Download
memory/1188-79-0x0000000002AC0000-0x0000000002B09000-memory.dmp

Filesize
292KB

Download
memory/1188-80-0x0000000002AC0000-0x0000000002B09000-memory.dmp

Filesize
292KB

Download
memory/1188-82-0x0000000002AC0000-0x0000000002B09000-memory.dmp

Filesize
292KB

Download
memory/1188-81-0x0000000002AC0000-0x0000000002B09000-memory.dmp

Filesize
292KB

Download