e589086d373dc12497f8906e1713a99e7009b52a1dcfa66ab39b38ba420d4206

Analysis

max time kernel
149s
max time network
148s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04-12-2022 13:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e589086d373dc12497f8906e1713a99e7009b52a1dcfa66ab39b38ba420d4206.exe
Size

332KB
MD5

8010d3c1f3b1270dce0f1bdaf9b12801
SHA1

42352ce553b5def9499da33a761bb4aa58b3071a
SHA256

e589086d373dc12497f8906e1713a99e7009b52a1dcfa66ab39b38ba420d4206
SHA512

64f2a6f38b06d24cd4485dfd45c5ab0535f69a76e73a560a25a173810baac9d72dbd5e2204b00378b43a14fdb5932a773d8b4318b6ab8ad7c9d0d5f20fedca53
SSDEEP

6144:OQhoJR0IVQyNTRpdwBEKqXs/N1P4FjGRhznYwaLy9I0qfPC3Enph4C4z1fT:OQotQQT/ueKeGAMRhbWywHph4

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 17 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\exefile\DefaultIcon	bjm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\exefile\shell\runas\command\IsolatedCommand = "\"%1\" %*"	bjm.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\exefile\shell\start\command	bjm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\exefile\shell\start\command\ = "\"%1\" %*"	bjm.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\exefile\shell\open\command	bjm.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\exefile\shell\start	bjm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\exefile\Content Type = "application/x-msdownload"	bjm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\exefile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\bjm.exe\" -a \"%1\" %*"	bjm.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\exefile\shell\runas\command	bjm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\exefile\shell\runas\command\ = "\"%1\" %*"	bjm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\exefile\shell\start\command\IsolatedCommand = "\"%1\" %*"	bjm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\exefile\ = "Application"	bjm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\exefile\DefaultIcon\ = "%1"	bjm.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\exefile\shell	bjm.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\exefile\shell\open	bjm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\exefile\shell\open\command\IsolatedCommand = "\"%1\" %*"	bjm.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\exefile\shell\runas	bjm.exe

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 1 IoCs

pid	Process
1932	bjm.exe

Modifies Installed Components in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Deletes itself 1 IoCs

pid	Process
1932	bjm.exe

Loads dropped DLL 2 IoCs

pid	Process
1832	e589086d373dc12497f8906e1713a99e7009b52a1dcfa66ab39b38ba420d4206.exe
1832	e589086d373dc12497f8906e1713a99e7009b52a1dcfa66ab39b38ba420d4206.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run	bjm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe = "C:\\WINDOWS\\system32\\ctfmon.exe"	bjm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\3335501420 = "C:\\Users\\Admin\\AppData\\Local\\bjm.exe"	bjm.exe

Modifies registry class 41 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\.exe\shell\open\command	bjm.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\exefile\shell\start\command	bjm.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\.exe\DefaultIcon	bjm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\.exe\shell\open\command\IsolatedCommand = "\"%1\" %*"	bjm.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\.exe\shell\runas\command	bjm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\.exe\shell\runas\command\IsolatedCommand = "\"%1\" %*"	bjm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\.exe\shell\start\command\ = "\"%1\" %*"	bjm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\exefile\ = "Application"	bjm.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\exefile\shell\open\command	bjm.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\exefile\shell\runas\command\IsolatedCommand = "\"%1\" %*"	bjm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\.exe\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\bjm.exe\" -a \"%1\" %*"	bjm.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\.exe\shell\start\command	bjm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\exefile\DefaultIcon\ = "%1"	bjm.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\exefile\shell\start	bjm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\exefile\shell\start\command\ = "\"%1\" %*"	bjm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\exefile\shell\start\command\IsolatedCommand = "\"%1\" %*"	bjm.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\.exe\DefaultIcon\ = "%1"	bjm.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\.exe\shell\open	bjm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\exefile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\bjm.exe\" -a \"%1\" %*"	bjm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\.exe\Content Type = "application/x-msdownload"	bjm.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\.exe\shell\runas	bjm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\exefile\Content Type = "application/x-msdownload"	bjm.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\.exe	bjm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\.exe\shell\start\command\IsolatedCommand = "\"%1\" %*"	bjm.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\exefile	bjm.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\exefile\DefaultIcon	bjm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\exefile\shell\open\command\IsolatedCommand = "\"%1\" %*"	bjm.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\exefile\shell\runas	bjm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\exefile\shell\runas\command\ = "\"%1\" %*"	bjm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\.exe\shell\runas\command\ = "\"%1\" %*"	bjm.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\exefile\shell	bjm.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\exefile\shell\open	bjm.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\exefile\shell\runas\command	bjm.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\.exe\shell\start	bjm.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\.exe\ = "exefile"	bjm.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\.exe\shell	bjm.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1832	e589086d373dc12497f8906e1713a99e7009b52a1dcfa66ab39b38ba420d4206.exe
1832	e589086d373dc12497f8906e1713a99e7009b52a1dcfa66ab39b38ba420d4206.exe
1832	e589086d373dc12497f8906e1713a99e7009b52a1dcfa66ab39b38ba420d4206.exe
1832	e589086d373dc12497f8906e1713a99e7009b52a1dcfa66ab39b38ba420d4206.exe
1832	e589086d373dc12497f8906e1713a99e7009b52a1dcfa66ab39b38ba420d4206.exe
1832	e589086d373dc12497f8906e1713a99e7009b52a1dcfa66ab39b38ba420d4206.exe
1832	e589086d373dc12497f8906e1713a99e7009b52a1dcfa66ab39b38ba420d4206.exe
1832	e589086d373dc12497f8906e1713a99e7009b52a1dcfa66ab39b38ba420d4206.exe
1832	e589086d373dc12497f8906e1713a99e7009b52a1dcfa66ab39b38ba420d4206.exe
1932	bjm.exe
1932	bjm.exe
1932	bjm.exe
1932	bjm.exe
1932	bjm.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1736	explorer.exe
Token: SeShutdownPrivilege	1736	explorer.exe
Token: SeShutdownPrivilege	1736	explorer.exe
Token: SeShutdownPrivilege	1736	explorer.exe
Token: SeShutdownPrivilege	1736	explorer.exe
Token: SeShutdownPrivilege	1736	explorer.exe
Token: SeShutdownPrivilege	1736	explorer.exe
Token: SeShutdownPrivilege	1736	explorer.exe
Token: SeShutdownPrivilege	1736	explorer.exe
Token: SeShutdownPrivilege	1736	explorer.exe
Token: SeShutdownPrivilege	1736	explorer.exe
Token: SeShutdownPrivilege	1736	explorer.exe
Token: 33	1156	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1156	AUDIODG.EXE
Token: 33	1156	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1156	AUDIODG.EXE
Token: SeShutdownPrivilege	1736	explorer.exe
Token: SeShutdownPrivilege	1736	explorer.exe
Token: SeShutdownPrivilege	1736	explorer.exe
Token: SeShutdownPrivilege	1736	explorer.exe
Token: SeShutdownPrivilege	1736	explorer.exe
Token: SeShutdownPrivilege	1736	explorer.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1932	bjm.exe
1932	bjm.exe
1932	bjm.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1932	bjm.exe
1736	explorer.exe
1736	explorer.exe

Suspicious use of SendNotifyMessage 25 IoCs

pid	Process
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1736	explorer.exe
1932	bjm.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1932	bjm.exe
1932	bjm.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1832 wrote to memory of 1932	1832	e589086d373dc12497f8906e1713a99e7009b52a1dcfa66ab39b38ba420d4206.exe	27
PID 1832 wrote to memory of 1932	1832	e589086d373dc12497f8906e1713a99e7009b52a1dcfa66ab39b38ba420d4206.exe	27
PID 1832 wrote to memory of 1932	1832	e589086d373dc12497f8906e1713a99e7009b52a1dcfa66ab39b38ba420d4206.exe	27
PID 1832 wrote to memory of 1932	1832	e589086d373dc12497f8906e1713a99e7009b52a1dcfa66ab39b38ba420d4206.exe	27

C:\Users\Admin\AppData\Local\Temp\e589086d373dc12497f8906e1713a99e7009b52a1dcfa66ab39b38ba420d4206.exe
"C:\Users\Admin\AppData\Local\Temp\e589086d373dc12497f8906e1713a99e7009b52a1dcfa66ab39b38ba420d4206.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Users\Admin\AppData\Local\bjm.exe
  "C:\Users\Admin\AppData\Local\bjm.exe" -gav C:\Users\Admin\AppData\Local\Temp\e589086d373dc12497f8906e1713a99e7009b52a1dcfa66ab39b38ba420d4206.exe
  2⤵
  - Modifies system executable filetype association
  - Executes dropped EXE
  - Deletes itself
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1932

C:\Windows\explorer.exe
explorer.exe
1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1736

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x594
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1156

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\bjm.exe

Filesize
332KB

MD5
8010d3c1f3b1270dce0f1bdaf9b12801

SHA1
42352ce553b5def9499da33a761bb4aa58b3071a

SHA256
e589086d373dc12497f8906e1713a99e7009b52a1dcfa66ab39b38ba420d4206

SHA512
64f2a6f38b06d24cd4485dfd45c5ab0535f69a76e73a560a25a173810baac9d72dbd5e2204b00378b43a14fdb5932a773d8b4318b6ab8ad7c9d0d5f20fedca53

Download Submit
\Users\Admin\AppData\Local\bjm.exe

Filesize
332KB

MD5
8010d3c1f3b1270dce0f1bdaf9b12801

SHA1
42352ce553b5def9499da33a761bb4aa58b3071a

SHA256
e589086d373dc12497f8906e1713a99e7009b52a1dcfa66ab39b38ba420d4206

SHA512
64f2a6f38b06d24cd4485dfd45c5ab0535f69a76e73a560a25a173810baac9d72dbd5e2204b00378b43a14fdb5932a773d8b4318b6ab8ad7c9d0d5f20fedca53

Download Submit
\Users\Admin\AppData\Local\bjm.exe

Filesize
332KB

MD5
8010d3c1f3b1270dce0f1bdaf9b12801

SHA1
42352ce553b5def9499da33a761bb4aa58b3071a

SHA256
e589086d373dc12497f8906e1713a99e7009b52a1dcfa66ab39b38ba420d4206

SHA512
64f2a6f38b06d24cd4485dfd45c5ab0535f69a76e73a560a25a173810baac9d72dbd5e2204b00378b43a14fdb5932a773d8b4318b6ab8ad7c9d0d5f20fedca53

Download Submit
memory/1736-68-0x000007FEFC441000-0x000007FEFC443000-memory.dmp

Filesize
8KB

Download
memory/1832-65-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/1832-59-0x0000000001E20000-0x00000000020CB000-memory.dmp

Filesize
2.7MB

Download
memory/1832-58-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/1832-54-0x0000000076401000-0x0000000076403000-memory.dmp

Filesize
8KB

Download
memory/1832-57-0x0000000000230000-0x000000000024D000-memory.dmp

Filesize
116KB

Download
memory/1832-56-0x0000000000401000-0x00000000005E6000-memory.dmp

Filesize
1.9MB

Download
memory/1832-55-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/1932-62-0x0000000000000000-mapping.dmp

Download
memory/1932-69-0x00000000002B0000-0x00000000002CD000-memory.dmp

Filesize
116KB

Download
memory/1932-70-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/1932-71-0x00000000002B0000-0x00000000002CD000-memory.dmp

Filesize
116KB

Download
memory/1932-72-0x0000000073FB1000-0x0000000073FB3000-memory.dmp

Filesize
8KB

Download