9d890f081ed25bf6669e7d17cc07e10dfb7f8bd63af4e17d4d330329e652fc3b

General

Target

9d890f081ed25bf6669e7d17cc07e10dfb7f8bd63af4e17d4d330329e652fc3b.exe
Size

198KB
MD5

47788109a1179cc02b2bdc68ea1ac5fe
SHA1

2031b947693a8a5eedf6da1a01f0a7b99d755533
SHA256

9d890f081ed25bf6669e7d17cc07e10dfb7f8bd63af4e17d4d330329e652fc3b
SHA512

cfc8140afa4dc9011b02d79c1b39004e11a6aaa80d2c8c96f53daadb2a932eec219597e8d9d1aa07479be68595f1efcef2f43503bb1b1f2d91ca3b495a996d39
SSDEEP

1536:WyCrhycxa8EgNyHXSi1bpTfyoRtWbKpeVshd3oTOQQKTN:vCNycxZ5YbkoybpK3oTOQT

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1168	odjebiav2.exe
1332	odjebiav2.exe

Loads dropped DLL 2 IoCs

pid	Process
940	9d890f081ed25bf6669e7d17cc07e10dfb7f8bd63af4e17d4d330329e652fc3b.exe
940	9d890f081ed25bf6669e7d17cc07e10dfb7f8bd63af4e17d4d330329e652fc3b.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\	9d890f081ed25bf6669e7d17cc07e10dfb7f8bd63af4e17d4d330329e652fc3b.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MS Svasta Pomalo v2 = "C:\\Users\\Admin\\AppData\\Roaming\\odjebiav2.exe"	9d890f081ed25bf6669e7d17cc07e10dfb7f8bd63af4e17d4d330329e652fc3b.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	9d890f081ed25bf6669e7d17cc07e10dfb7f8bd63af4e17d4d330329e652fc3b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\MS Svasta Pomalo v2 = "C:\\Users\\Admin\\AppData\\Roaming\\odjebiav2.exe"	9d890f081ed25bf6669e7d17cc07e10dfb7f8bd63af4e17d4d330329e652fc3b.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 944 set thread context of 940	944	9d890f081ed25bf6669e7d17cc07e10dfb7f8bd63af4e17d4d330329e652fc3b.exe	27
PID 1168 set thread context of 1332	1168	odjebiav2.exe	29

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 944 wrote to memory of 940	944	9d890f081ed25bf6669e7d17cc07e10dfb7f8bd63af4e17d4d330329e652fc3b.exe	27
PID 944 wrote to memory of 940	944	9d890f081ed25bf6669e7d17cc07e10dfb7f8bd63af4e17d4d330329e652fc3b.exe	27
PID 944 wrote to memory of 940	944	9d890f081ed25bf6669e7d17cc07e10dfb7f8bd63af4e17d4d330329e652fc3b.exe	27
PID 944 wrote to memory of 940	944	9d890f081ed25bf6669e7d17cc07e10dfb7f8bd63af4e17d4d330329e652fc3b.exe	27
PID 944 wrote to memory of 940	944	9d890f081ed25bf6669e7d17cc07e10dfb7f8bd63af4e17d4d330329e652fc3b.exe	27
PID 944 wrote to memory of 940	944	9d890f081ed25bf6669e7d17cc07e10dfb7f8bd63af4e17d4d330329e652fc3b.exe	27
PID 944 wrote to memory of 940	944	9d890f081ed25bf6669e7d17cc07e10dfb7f8bd63af4e17d4d330329e652fc3b.exe	27
PID 944 wrote to memory of 940	944	9d890f081ed25bf6669e7d17cc07e10dfb7f8bd63af4e17d4d330329e652fc3b.exe	27
PID 944 wrote to memory of 940	944	9d890f081ed25bf6669e7d17cc07e10dfb7f8bd63af4e17d4d330329e652fc3b.exe	27
PID 940 wrote to memory of 1168	940	9d890f081ed25bf6669e7d17cc07e10dfb7f8bd63af4e17d4d330329e652fc3b.exe	28
PID 940 wrote to memory of 1168	940	9d890f081ed25bf6669e7d17cc07e10dfb7f8bd63af4e17d4d330329e652fc3b.exe	28
PID 940 wrote to memory of 1168	940	9d890f081ed25bf6669e7d17cc07e10dfb7f8bd63af4e17d4d330329e652fc3b.exe	28
PID 940 wrote to memory of 1168	940	9d890f081ed25bf6669e7d17cc07e10dfb7f8bd63af4e17d4d330329e652fc3b.exe	28
PID 1168 wrote to memory of 1332	1168	odjebiav2.exe	29
PID 1168 wrote to memory of 1332	1168	odjebiav2.exe	29
PID 1168 wrote to memory of 1332	1168	odjebiav2.exe	29
PID 1168 wrote to memory of 1332	1168	odjebiav2.exe	29
PID 1168 wrote to memory of 1332	1168	odjebiav2.exe	29
PID 1168 wrote to memory of 1332	1168	odjebiav2.exe	29
PID 1168 wrote to memory of 1332	1168	odjebiav2.exe	29
PID 1168 wrote to memory of 1332	1168	odjebiav2.exe	29
PID 1168 wrote to memory of 1332	1168	odjebiav2.exe	29

C:\Users\Admin\AppData\Local\Temp\9d890f081ed25bf6669e7d17cc07e10dfb7f8bd63af4e17d4d330329e652fc3b.exe
"C:\Users\Admin\AppData\Local\Temp\9d890f081ed25bf6669e7d17cc07e10dfb7f8bd63af4e17d4d330329e652fc3b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:944
- C:\Users\Admin\AppData\Local\Temp\9d890f081ed25bf6669e7d17cc07e10dfb7f8bd63af4e17d4d330329e652fc3b.exe
  "C:\Users\Admin\AppData\Local\Temp\9d890f081ed25bf6669e7d17cc07e10dfb7f8bd63af4e17d4d330329e652fc3b.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:940
- - C:\Users\Admin\AppData\Roaming\odjebiav2.exe
    "C:\Users\Admin\AppData\Roaming\odjebiav2.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1168
  - - C:\Users\Admin\AppData\Roaming\odjebiav2.exe
      "C:\Users\Admin\AppData\Roaming\odjebiav2.exe"
      4⤵
      Executes dropped EXE
      PID:1332

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\odjebiav2.exe

Filesize
198KB

MD5
47788109a1179cc02b2bdc68ea1ac5fe

SHA1
2031b947693a8a5eedf6da1a01f0a7b99d755533

SHA256
9d890f081ed25bf6669e7d17cc07e10dfb7f8bd63af4e17d4d330329e652fc3b

SHA512
cfc8140afa4dc9011b02d79c1b39004e11a6aaa80d2c8c96f53daadb2a932eec219597e8d9d1aa07479be68595f1efcef2f43503bb1b1f2d91ca3b495a996d39

Download Submit
C:\Users\Admin\AppData\Roaming\odjebiav2.exe

Filesize
198KB

MD5
47788109a1179cc02b2bdc68ea1ac5fe

SHA1
2031b947693a8a5eedf6da1a01f0a7b99d755533

SHA256
9d890f081ed25bf6669e7d17cc07e10dfb7f8bd63af4e17d4d330329e652fc3b

SHA512
cfc8140afa4dc9011b02d79c1b39004e11a6aaa80d2c8c96f53daadb2a932eec219597e8d9d1aa07479be68595f1efcef2f43503bb1b1f2d91ca3b495a996d39

Download Submit
C:\Users\Admin\AppData\Roaming\odjebiav2.exe

Filesize
198KB

MD5
47788109a1179cc02b2bdc68ea1ac5fe

SHA1
2031b947693a8a5eedf6da1a01f0a7b99d755533

SHA256
9d890f081ed25bf6669e7d17cc07e10dfb7f8bd63af4e17d4d330329e652fc3b

SHA512
cfc8140afa4dc9011b02d79c1b39004e11a6aaa80d2c8c96f53daadb2a932eec219597e8d9d1aa07479be68595f1efcef2f43503bb1b1f2d91ca3b495a996d39

Download Submit
\Users\Admin\AppData\Roaming\odjebiav2.exe

Filesize
198KB

MD5
47788109a1179cc02b2bdc68ea1ac5fe

SHA1
2031b947693a8a5eedf6da1a01f0a7b99d755533

SHA256
9d890f081ed25bf6669e7d17cc07e10dfb7f8bd63af4e17d4d330329e652fc3b

SHA512
cfc8140afa4dc9011b02d79c1b39004e11a6aaa80d2c8c96f53daadb2a932eec219597e8d9d1aa07479be68595f1efcef2f43503bb1b1f2d91ca3b495a996d39

Download Submit
\Users\Admin\AppData\Roaming\odjebiav2.exe

Filesize
198KB

MD5
47788109a1179cc02b2bdc68ea1ac5fe

SHA1
2031b947693a8a5eedf6da1a01f0a7b99d755533

SHA256
9d890f081ed25bf6669e7d17cc07e10dfb7f8bd63af4e17d4d330329e652fc3b

SHA512
cfc8140afa4dc9011b02d79c1b39004e11a6aaa80d2c8c96f53daadb2a932eec219597e8d9d1aa07479be68595f1efcef2f43503bb1b1f2d91ca3b495a996d39

Download Submit
memory/940-73-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/940-71-0x0000000000290000-0x00000000002C6000-memory.dmp

Filesize
216KB

Download
memory/940-60-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/940-58-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/940-65-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/940-66-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/940-59-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/940-55-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/940-56-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/940-64-0x0000000074E41000-0x0000000074E43000-memory.dmp

Filesize
8KB

Download
memory/944-63-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/944-54-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1168-72-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1168-84-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1332-87-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1332-88-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing