c7f288f638cb297c90711d808d5213776d2f125a0b7c4779fd59002201eeb7eb

Analysis

max time kernel
150s
max time network
160s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 23:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c7f288f638cb297c90711d808d5213776d2f125a0b7c4779fd59002201eeb7eb.exe
Size

410KB
MD5

5cc9d252e73c82d8715007c86835fd40
SHA1

583231e28af5fe4e7a99ca8445d6700ec24e463b
SHA256

c7f288f638cb297c90711d808d5213776d2f125a0b7c4779fd59002201eeb7eb
SHA512

cd096141e20a46ff5eeb29a512a2c8e526f9d3ca2dfc33e4eb7b5cf34374ed696aa25cded4d9dcd0c5fbd3cb1b9083e83797a31cc9bdb6230afb9f9da6f6cc17
SSDEEP

12288:s7SO7qLdsGPAm5KzTIwisHiUeWnUjbsloBaL:s7LqLiaCDHfejaoUL

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2036	jaygsu.exe

Deletes itself 1 IoCs

pid	Process
2020	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1708	c7f288f638cb297c90711d808d5213776d2f125a0b7c4779fd59002201eeb7eb.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\CurrentVersion\Run\{7B2FDFC8-3774-AD4D-C411-AE4FF0968D52} = "C:\\Users\\Admin\\AppData\\Roaming\\Azxod\\jaygsu.exe"	jaygsu.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Windows\Currentversion\Run	jaygsu.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1708 set thread context of 2020	1708	c7f288f638cb297c90711d808d5213776d2f125a0b7c4779fd59002201eeb7eb.exe	29

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
2036	jaygsu.exe
2036	jaygsu.exe
2036	jaygsu.exe
2036	jaygsu.exe
2036	jaygsu.exe
2036	jaygsu.exe
2036	jaygsu.exe
2036	jaygsu.exe
2036	jaygsu.exe
2036	jaygsu.exe
2036	jaygsu.exe
2036	jaygsu.exe
2036	jaygsu.exe
2036	jaygsu.exe
2036	jaygsu.exe
2036	jaygsu.exe
2036	jaygsu.exe
2036	jaygsu.exe
2036	jaygsu.exe
2036	jaygsu.exe
2036	jaygsu.exe
2036	jaygsu.exe
2036	jaygsu.exe
2036	jaygsu.exe
2036	jaygsu.exe
2036	jaygsu.exe
2036	jaygsu.exe
2036	jaygsu.exe

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1708	c7f288f638cb297c90711d808d5213776d2f125a0b7c4779fd59002201eeb7eb.exe
2036	jaygsu.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 2036	1708	c7f288f638cb297c90711d808d5213776d2f125a0b7c4779fd59002201eeb7eb.exe	28
PID 1708 wrote to memory of 2036	1708	c7f288f638cb297c90711d808d5213776d2f125a0b7c4779fd59002201eeb7eb.exe	28
PID 1708 wrote to memory of 2036	1708	c7f288f638cb297c90711d808d5213776d2f125a0b7c4779fd59002201eeb7eb.exe	28
PID 1708 wrote to memory of 2036	1708	c7f288f638cb297c90711d808d5213776d2f125a0b7c4779fd59002201eeb7eb.exe	28
PID 2036 wrote to memory of 1176	2036	jaygsu.exe	18
PID 2036 wrote to memory of 1176	2036	jaygsu.exe	18
PID 2036 wrote to memory of 1176	2036	jaygsu.exe	18
PID 2036 wrote to memory of 1176	2036	jaygsu.exe	18
PID 2036 wrote to memory of 1176	2036	jaygsu.exe	18
PID 2036 wrote to memory of 1276	2036	jaygsu.exe	17
PID 2036 wrote to memory of 1276	2036	jaygsu.exe	17
PID 2036 wrote to memory of 1276	2036	jaygsu.exe	17
PID 2036 wrote to memory of 1276	2036	jaygsu.exe	17
PID 2036 wrote to memory of 1276	2036	jaygsu.exe	17
PID 2036 wrote to memory of 1312	2036	jaygsu.exe	16
PID 2036 wrote to memory of 1312	2036	jaygsu.exe	16
PID 2036 wrote to memory of 1312	2036	jaygsu.exe	16
PID 2036 wrote to memory of 1312	2036	jaygsu.exe	16
PID 2036 wrote to memory of 1312	2036	jaygsu.exe	16
PID 2036 wrote to memory of 1708	2036	jaygsu.exe	22
PID 2036 wrote to memory of 1708	2036	jaygsu.exe	22
PID 2036 wrote to memory of 1708	2036	jaygsu.exe	22
PID 2036 wrote to memory of 1708	2036	jaygsu.exe	22
PID 2036 wrote to memory of 1708	2036	jaygsu.exe	22
PID 1708 wrote to memory of 2020	1708	c7f288f638cb297c90711d808d5213776d2f125a0b7c4779fd59002201eeb7eb.exe	29
PID 1708 wrote to memory of 2020	1708	c7f288f638cb297c90711d808d5213776d2f125a0b7c4779fd59002201eeb7eb.exe	29
PID 1708 wrote to memory of 2020	1708	c7f288f638cb297c90711d808d5213776d2f125a0b7c4779fd59002201eeb7eb.exe	29
PID 1708 wrote to memory of 2020	1708	c7f288f638cb297c90711d808d5213776d2f125a0b7c4779fd59002201eeb7eb.exe	29
PID 1708 wrote to memory of 2020	1708	c7f288f638cb297c90711d808d5213776d2f125a0b7c4779fd59002201eeb7eb.exe	29
PID 1708 wrote to memory of 2020	1708	c7f288f638cb297c90711d808d5213776d2f125a0b7c4779fd59002201eeb7eb.exe	29
PID 1708 wrote to memory of 2020	1708	c7f288f638cb297c90711d808d5213776d2f125a0b7c4779fd59002201eeb7eb.exe	29
PID 1708 wrote to memory of 2020	1708	c7f288f638cb297c90711d808d5213776d2f125a0b7c4779fd59002201eeb7eb.exe	29
PID 1708 wrote to memory of 2020	1708	c7f288f638cb297c90711d808d5213776d2f125a0b7c4779fd59002201eeb7eb.exe	29

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1312
- C:\Users\Admin\AppData\Local\Temp\c7f288f638cb297c90711d808d5213776d2f125a0b7c4779fd59002201eeb7eb.exe
  "C:\Users\Admin\AppData\Local\Temp\c7f288f638cb297c90711d808d5213776d2f125a0b7c4779fd59002201eeb7eb.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1708
- - C:\Users\Admin\AppData\Roaming\Azxod\jaygsu.exe
    "C:\Users\Admin\AppData\Roaming\Azxod\jaygsu.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:2036
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpd3d8471f.bat"
    3⤵
    - Deletes itself
    PID:2020

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1276

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1176

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpd3d8471f.bat

Filesize
307B

MD5
4030e903b3cc4c097d3d1171a3098794

SHA1
707acdc73fcc4929067c7f629fb3f69786de7fc8

SHA256
029083131debcf9970852f3674ae9678369e7ec46a747b20f2aa82de283c0fec

SHA512
73c157a0fd81b18645f5c302d447149db93e4e2ff044a4f9286111accdee281f57a6897e589f50b327f2ea54d705a596a40c6eb85c5a2105e797c290076f260b

Download Submit
C:\Users\Admin\AppData\Roaming\Azxod\jaygsu.exe

Filesize
410KB

MD5
38f00b29d495385172ebfa79c8f74f15

SHA1
cd2753dc1210d99a3bd8bbbe1ef3ffab4fbb44e3

SHA256
d6471bc60e63456551e22f1d58201eec50c40bc1d238d2d1add43c5624dd8e72

SHA512
30feb9f889381d6afd4905d480538759486c1b59bae6d837aac5624d8dd674a879244bde242c4ddc7bf3c246cc5047b417f2480b7fdc5b21308a0df15dd551fb

Download Submit
C:\Users\Admin\AppData\Roaming\Azxod\jaygsu.exe

Filesize
410KB

MD5
38f00b29d495385172ebfa79c8f74f15

SHA1
cd2753dc1210d99a3bd8bbbe1ef3ffab4fbb44e3

SHA256
d6471bc60e63456551e22f1d58201eec50c40bc1d238d2d1add43c5624dd8e72

SHA512
30feb9f889381d6afd4905d480538759486c1b59bae6d837aac5624d8dd674a879244bde242c4ddc7bf3c246cc5047b417f2480b7fdc5b21308a0df15dd551fb

Download Submit
\Users\Admin\AppData\Roaming\Azxod\jaygsu.exe

Filesize
410KB

MD5
38f00b29d495385172ebfa79c8f74f15

SHA1
cd2753dc1210d99a3bd8bbbe1ef3ffab4fbb44e3

SHA256
d6471bc60e63456551e22f1d58201eec50c40bc1d238d2d1add43c5624dd8e72

SHA512
30feb9f889381d6afd4905d480538759486c1b59bae6d837aac5624d8dd674a879244bde242c4ddc7bf3c246cc5047b417f2480b7fdc5b21308a0df15dd551fb

Download Submit
memory/1176-65-0x0000000001CB0000-0x0000000001CFD000-memory.dmp

Filesize
308KB

Download
memory/1176-67-0x0000000001CB0000-0x0000000001CFD000-memory.dmp

Filesize
308KB

Download
memory/1176-66-0x0000000001CB0000-0x0000000001CFD000-memory.dmp

Filesize
308KB

Download
memory/1176-62-0x0000000001CB0000-0x0000000001CFD000-memory.dmp

Filesize
308KB

Download
memory/1176-64-0x0000000001CB0000-0x0000000001CFD000-memory.dmp

Filesize
308KB

Download
memory/1276-72-0x0000000001E40000-0x0000000001E8D000-memory.dmp

Filesize
308KB

Download
memory/1276-70-0x0000000001E40000-0x0000000001E8D000-memory.dmp

Filesize
308KB

Download
memory/1276-71-0x0000000001E40000-0x0000000001E8D000-memory.dmp

Filesize
308KB

Download
memory/1276-73-0x0000000001E40000-0x0000000001E8D000-memory.dmp

Filesize
308KB

Download
memory/1312-77-0x0000000002570000-0x00000000025BD000-memory.dmp

Filesize
308KB

Download
memory/1312-79-0x0000000002570000-0x00000000025BD000-memory.dmp

Filesize
308KB

Download
memory/1312-78-0x0000000002570000-0x00000000025BD000-memory.dmp

Filesize
308KB

Download
memory/1312-76-0x0000000002570000-0x00000000025BD000-memory.dmp

Filesize
308KB

Download
memory/1708-82-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/1708-86-0x00000000004C0000-0x000000000050D000-memory.dmp

Filesize
308KB

Download
memory/1708-56-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1708-55-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1708-84-0x00000000004C0000-0x000000000050D000-memory.dmp

Filesize
308KB

Download
memory/1708-102-0x00000000004C0000-0x000000000050D000-memory.dmp

Filesize
308KB

Download
memory/1708-101-0x0000000000400000-0x000000000044D000-memory.dmp

Filesize
308KB

Download
memory/1708-54-0x0000000075591000-0x0000000075593000-memory.dmp

Filesize
8KB

Download
memory/1708-80-0x0000000000390000-0x00000000003DD000-memory.dmp

Filesize
308KB

Download
memory/1708-88-0x00000000004C0000-0x000000000050D000-memory.dmp

Filesize
308KB

Download
memory/1708-89-0x00000000004C0000-0x000000000050D000-memory.dmp

Filesize
308KB

Download
memory/1708-90-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1708-91-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/1708-92-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2020-98-0x0000000000090000-0x00000000000DD000-memory.dmp

Filesize
308KB

Download
memory/2020-97-0x0000000000090000-0x00000000000DD000-memory.dmp

Filesize
308KB

Download
memory/2020-95-0x0000000000090000-0x00000000000DD000-memory.dmp

Filesize
308KB

Download
memory/2020-99-0x0000000000090000-0x00000000000DD000-memory.dmp

Filesize
308KB

Download
memory/2020-104-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2020-105-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2020-106-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2020-107-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/2020-109-0x0000000000090000-0x00000000000DD000-memory.dmp

Filesize
308KB

Download
memory/2036-87-0x0000000000400000-0x0000000000469000-memory.dmp

Filesize
420KB

Download
memory/2036-85-0x0000000000300000-0x000000000034D000-memory.dmp

Filesize
308KB

Download