9d890f081ed25bf6669e7d17cc07e10dfb7f8bd63af4e17d4d330329e652fc3b

General

Target

9d890f081ed25bf6669e7d17cc07e10dfb7f8bd63af4e17d4d330329e652fc3b.exe
Size

198KB
MD5

47788109a1179cc02b2bdc68ea1ac5fe
SHA1

2031b947693a8a5eedf6da1a01f0a7b99d755533
SHA256

9d890f081ed25bf6669e7d17cc07e10dfb7f8bd63af4e17d4d330329e652fc3b
SHA512

cfc8140afa4dc9011b02d79c1b39004e11a6aaa80d2c8c96f53daadb2a932eec219597e8d9d1aa07479be68595f1efcef2f43503bb1b1f2d91ca3b495a996d39
SSDEEP

1536:WyCrhycxa8EgNyHXSi1bpTfyoRtWbKpeVshd3oTOQQKTN:vCNycxZ5YbkoybpK3oTOQT

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4396	odjebiav2.exe
32	odjebiav2.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MS Svasta Pomalo v2 = "C:\\Users\\Admin\\AppData\\Roaming\\odjebiav2.exe"	9d890f081ed25bf6669e7d17cc07e10dfb7f8bd63af4e17d4d330329e652fc3b.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\	9d890f081ed25bf6669e7d17cc07e10dfb7f8bd63af4e17d4d330329e652fc3b.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MS Svasta Pomalo v2 = "C:\\Users\\Admin\\AppData\\Roaming\\odjebiav2.exe"	9d890f081ed25bf6669e7d17cc07e10dfb7f8bd63af4e17d4d330329e652fc3b.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\	9d890f081ed25bf6669e7d17cc07e10dfb7f8bd63af4e17d4d330329e652fc3b.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4892 set thread context of 3108	4892	9d890f081ed25bf6669e7d17cc07e10dfb7f8bd63af4e17d4d330329e652fc3b.exe	80
PID 4396 set thread context of 32	4396	odjebiav2.exe	84

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 4892 wrote to memory of 3108	4892	9d890f081ed25bf6669e7d17cc07e10dfb7f8bd63af4e17d4d330329e652fc3b.exe	80
PID 4892 wrote to memory of 3108	4892	9d890f081ed25bf6669e7d17cc07e10dfb7f8bd63af4e17d4d330329e652fc3b.exe	80
PID 4892 wrote to memory of 3108	4892	9d890f081ed25bf6669e7d17cc07e10dfb7f8bd63af4e17d4d330329e652fc3b.exe	80
PID 4892 wrote to memory of 3108	4892	9d890f081ed25bf6669e7d17cc07e10dfb7f8bd63af4e17d4d330329e652fc3b.exe	80
PID 4892 wrote to memory of 3108	4892	9d890f081ed25bf6669e7d17cc07e10dfb7f8bd63af4e17d4d330329e652fc3b.exe	80
PID 4892 wrote to memory of 3108	4892	9d890f081ed25bf6669e7d17cc07e10dfb7f8bd63af4e17d4d330329e652fc3b.exe	80
PID 4892 wrote to memory of 3108	4892	9d890f081ed25bf6669e7d17cc07e10dfb7f8bd63af4e17d4d330329e652fc3b.exe	80
PID 4892 wrote to memory of 3108	4892	9d890f081ed25bf6669e7d17cc07e10dfb7f8bd63af4e17d4d330329e652fc3b.exe	80
PID 3108 wrote to memory of 4396	3108	9d890f081ed25bf6669e7d17cc07e10dfb7f8bd63af4e17d4d330329e652fc3b.exe	83
PID 3108 wrote to memory of 4396	3108	9d890f081ed25bf6669e7d17cc07e10dfb7f8bd63af4e17d4d330329e652fc3b.exe	83
PID 3108 wrote to memory of 4396	3108	9d890f081ed25bf6669e7d17cc07e10dfb7f8bd63af4e17d4d330329e652fc3b.exe	83
PID 4396 wrote to memory of 32	4396	odjebiav2.exe	84
PID 4396 wrote to memory of 32	4396	odjebiav2.exe	84
PID 4396 wrote to memory of 32	4396	odjebiav2.exe	84
PID 4396 wrote to memory of 32	4396	odjebiav2.exe	84
PID 4396 wrote to memory of 32	4396	odjebiav2.exe	84
PID 4396 wrote to memory of 32	4396	odjebiav2.exe	84
PID 4396 wrote to memory of 32	4396	odjebiav2.exe	84
PID 4396 wrote to memory of 32	4396	odjebiav2.exe	84

C:\Users\Admin\AppData\Local\Temp\9d890f081ed25bf6669e7d17cc07e10dfb7f8bd63af4e17d4d330329e652fc3b.exe
"C:\Users\Admin\AppData\Local\Temp\9d890f081ed25bf6669e7d17cc07e10dfb7f8bd63af4e17d4d330329e652fc3b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4892
- C:\Users\Admin\AppData\Local\Temp\9d890f081ed25bf6669e7d17cc07e10dfb7f8bd63af4e17d4d330329e652fc3b.exe
  "C:\Users\Admin\AppData\Local\Temp\9d890f081ed25bf6669e7d17cc07e10dfb7f8bd63af4e17d4d330329e652fc3b.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3108
- - C:\Users\Admin\AppData\Roaming\odjebiav2.exe
    "C:\Users\Admin\AppData\Roaming\odjebiav2.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4396
  - - C:\Users\Admin\AppData\Roaming\odjebiav2.exe
      "C:\Users\Admin\AppData\Roaming\odjebiav2.exe"
      4⤵
      Executes dropped EXE
      PID:32

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\odjebiav2.exe

Filesize
198KB

MD5
47788109a1179cc02b2bdc68ea1ac5fe

SHA1
2031b947693a8a5eedf6da1a01f0a7b99d755533

SHA256
9d890f081ed25bf6669e7d17cc07e10dfb7f8bd63af4e17d4d330329e652fc3b

SHA512
cfc8140afa4dc9011b02d79c1b39004e11a6aaa80d2c8c96f53daadb2a932eec219597e8d9d1aa07479be68595f1efcef2f43503bb1b1f2d91ca3b495a996d39

Download Submit
C:\Users\Admin\AppData\Roaming\odjebiav2.exe

Filesize
198KB

MD5
47788109a1179cc02b2bdc68ea1ac5fe

SHA1
2031b947693a8a5eedf6da1a01f0a7b99d755533

SHA256
9d890f081ed25bf6669e7d17cc07e10dfb7f8bd63af4e17d4d330329e652fc3b

SHA512
cfc8140afa4dc9011b02d79c1b39004e11a6aaa80d2c8c96f53daadb2a932eec219597e8d9d1aa07479be68595f1efcef2f43503bb1b1f2d91ca3b495a996d39

Download Submit
C:\Users\Admin\AppData\Roaming\odjebiav2.exe

Filesize
198KB

MD5
47788109a1179cc02b2bdc68ea1ac5fe

SHA1
2031b947693a8a5eedf6da1a01f0a7b99d755533

SHA256
9d890f081ed25bf6669e7d17cc07e10dfb7f8bd63af4e17d4d330329e652fc3b

SHA512
cfc8140afa4dc9011b02d79c1b39004e11a6aaa80d2c8c96f53daadb2a932eec219597e8d9d1aa07479be68595f1efcef2f43503bb1b1f2d91ca3b495a996d39

Download Submit
memory/32-151-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/32-150-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3108-137-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3108-138-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3108-134-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3108-143-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4396-142-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4396-148-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4892-132-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4892-136-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing