a19cf7bc0fba114990b8f2ba0cb650a797914fe6c3697ea7b81fb81f3480b103

Analysis

max time kernel
152s
max time network
196s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05-12-2022 22:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a19cf7bc0fba114990b8f2ba0cb650a797914fe6c3697ea7b81fb81f3480b103.exe
Size

370KB
MD5

36d6199771ef328bfdba63f3dc307f09
SHA1

13d35a38526ca31b7b1e0a1d590e498af36bc86c
SHA256

a19cf7bc0fba114990b8f2ba0cb650a797914fe6c3697ea7b81fb81f3480b103
SHA512

5a3d199e02395e074eb3f01210ae6b0a688b51f47c828b3c28eef8f7f74b76404db3d6bdd985435eef72ada2d1261c34999350f006f7b5e2faf65cae8c9252ed
SSDEEP

6144:w35Cy9Pbw1qXQoAnZ+nNIqe9mJda6JTIvG6UJp/43hqTuFmEY4VjL4vO7HODh9Uh:whKG5AnsnjRIbUJpA3SETHKOTODQa

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1628	nJiPaFp01804.exe

Loads dropped DLL 2 IoCs

pid	Process
1484	a19cf7bc0fba114990b8f2ba0cb650a797914fe6c3697ea7b81fb81f3480b103.exe
1484	a19cf7bc0fba114990b8f2ba0cb650a797914fe6c3697ea7b81fb81f3480b103.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nJiPaFp01804 = "C:\\ProgramData\\nJiPaFp01804\\nJiPaFp01804.exe"	nJiPaFp01804.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	nJiPaFp01804.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1484	a19cf7bc0fba114990b8f2ba0cb650a797914fe6c3697ea7b81fb81f3480b103.exe
1484	a19cf7bc0fba114990b8f2ba0cb650a797914fe6c3697ea7b81fb81f3480b103.exe
1484	a19cf7bc0fba114990b8f2ba0cb650a797914fe6c3697ea7b81fb81f3480b103.exe
1484	a19cf7bc0fba114990b8f2ba0cb650a797914fe6c3697ea7b81fb81f3480b103.exe
1484	a19cf7bc0fba114990b8f2ba0cb650a797914fe6c3697ea7b81fb81f3480b103.exe
1484	a19cf7bc0fba114990b8f2ba0cb650a797914fe6c3697ea7b81fb81f3480b103.exe
1484	a19cf7bc0fba114990b8f2ba0cb650a797914fe6c3697ea7b81fb81f3480b103.exe
1484	a19cf7bc0fba114990b8f2ba0cb650a797914fe6c3697ea7b81fb81f3480b103.exe
1484	a19cf7bc0fba114990b8f2ba0cb650a797914fe6c3697ea7b81fb81f3480b103.exe
1484	a19cf7bc0fba114990b8f2ba0cb650a797914fe6c3697ea7b81fb81f3480b103.exe
1484	a19cf7bc0fba114990b8f2ba0cb650a797914fe6c3697ea7b81fb81f3480b103.exe
1484	a19cf7bc0fba114990b8f2ba0cb650a797914fe6c3697ea7b81fb81f3480b103.exe
1484	a19cf7bc0fba114990b8f2ba0cb650a797914fe6c3697ea7b81fb81f3480b103.exe
1484	a19cf7bc0fba114990b8f2ba0cb650a797914fe6c3697ea7b81fb81f3480b103.exe
1628	nJiPaFp01804.exe
1484	a19cf7bc0fba114990b8f2ba0cb650a797914fe6c3697ea7b81fb81f3480b103.exe
1628	nJiPaFp01804.exe
1484	a19cf7bc0fba114990b8f2ba0cb650a797914fe6c3697ea7b81fb81f3480b103.exe
1628	nJiPaFp01804.exe
1484	a19cf7bc0fba114990b8f2ba0cb650a797914fe6c3697ea7b81fb81f3480b103.exe
1628	nJiPaFp01804.exe
1484	a19cf7bc0fba114990b8f2ba0cb650a797914fe6c3697ea7b81fb81f3480b103.exe
1628	nJiPaFp01804.exe
1484	a19cf7bc0fba114990b8f2ba0cb650a797914fe6c3697ea7b81fb81f3480b103.exe
1628	nJiPaFp01804.exe
1484	a19cf7bc0fba114990b8f2ba0cb650a797914fe6c3697ea7b81fb81f3480b103.exe
1628	nJiPaFp01804.exe
1484	a19cf7bc0fba114990b8f2ba0cb650a797914fe6c3697ea7b81fb81f3480b103.exe
1628	nJiPaFp01804.exe
1484	a19cf7bc0fba114990b8f2ba0cb650a797914fe6c3697ea7b81fb81f3480b103.exe
1628	nJiPaFp01804.exe
1484	a19cf7bc0fba114990b8f2ba0cb650a797914fe6c3697ea7b81fb81f3480b103.exe
1628	nJiPaFp01804.exe
1484	a19cf7bc0fba114990b8f2ba0cb650a797914fe6c3697ea7b81fb81f3480b103.exe
1628	nJiPaFp01804.exe
1484	a19cf7bc0fba114990b8f2ba0cb650a797914fe6c3697ea7b81fb81f3480b103.exe
1628	nJiPaFp01804.exe
1484	a19cf7bc0fba114990b8f2ba0cb650a797914fe6c3697ea7b81fb81f3480b103.exe
1628	nJiPaFp01804.exe
1484	a19cf7bc0fba114990b8f2ba0cb650a797914fe6c3697ea7b81fb81f3480b103.exe
1628	nJiPaFp01804.exe
1484	a19cf7bc0fba114990b8f2ba0cb650a797914fe6c3697ea7b81fb81f3480b103.exe
1628	nJiPaFp01804.exe
1484	a19cf7bc0fba114990b8f2ba0cb650a797914fe6c3697ea7b81fb81f3480b103.exe
1628	nJiPaFp01804.exe
1484	a19cf7bc0fba114990b8f2ba0cb650a797914fe6c3697ea7b81fb81f3480b103.exe
1628	nJiPaFp01804.exe
1484	a19cf7bc0fba114990b8f2ba0cb650a797914fe6c3697ea7b81fb81f3480b103.exe
1628	nJiPaFp01804.exe
1484	a19cf7bc0fba114990b8f2ba0cb650a797914fe6c3697ea7b81fb81f3480b103.exe
1628	nJiPaFp01804.exe
1484	a19cf7bc0fba114990b8f2ba0cb650a797914fe6c3697ea7b81fb81f3480b103.exe
1628	nJiPaFp01804.exe
1484	a19cf7bc0fba114990b8f2ba0cb650a797914fe6c3697ea7b81fb81f3480b103.exe
1628	nJiPaFp01804.exe
1484	a19cf7bc0fba114990b8f2ba0cb650a797914fe6c3697ea7b81fb81f3480b103.exe
1628	nJiPaFp01804.exe
1484	a19cf7bc0fba114990b8f2ba0cb650a797914fe6c3697ea7b81fb81f3480b103.exe
1628	nJiPaFp01804.exe
1484	a19cf7bc0fba114990b8f2ba0cb650a797914fe6c3697ea7b81fb81f3480b103.exe
1628	nJiPaFp01804.exe
1484	a19cf7bc0fba114990b8f2ba0cb650a797914fe6c3697ea7b81fb81f3480b103.exe
1628	nJiPaFp01804.exe
1484	a19cf7bc0fba114990b8f2ba0cb650a797914fe6c3697ea7b81fb81f3480b103.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1484	a19cf7bc0fba114990b8f2ba0cb650a797914fe6c3697ea7b81fb81f3480b103.exe
Token: SeDebugPrivilege	1628	nJiPaFp01804.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1628	nJiPaFp01804.exe
1628	nJiPaFp01804.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1628	nJiPaFp01804.exe
1628	nJiPaFp01804.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1628	nJiPaFp01804.exe
1628	nJiPaFp01804.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1484 wrote to memory of 1628	1484	a19cf7bc0fba114990b8f2ba0cb650a797914fe6c3697ea7b81fb81f3480b103.exe	28
PID 1484 wrote to memory of 1628	1484	a19cf7bc0fba114990b8f2ba0cb650a797914fe6c3697ea7b81fb81f3480b103.exe	28
PID 1484 wrote to memory of 1628	1484	a19cf7bc0fba114990b8f2ba0cb650a797914fe6c3697ea7b81fb81f3480b103.exe	28
PID 1484 wrote to memory of 1628	1484	a19cf7bc0fba114990b8f2ba0cb650a797914fe6c3697ea7b81fb81f3480b103.exe	28

C:\Users\Admin\AppData\Local\Temp\a19cf7bc0fba114990b8f2ba0cb650a797914fe6c3697ea7b81fb81f3480b103.exe
"C:\Users\Admin\AppData\Local\Temp\a19cf7bc0fba114990b8f2ba0cb650a797914fe6c3697ea7b81fb81f3480b103.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1484
- C:\ProgramData\nJiPaFp01804\nJiPaFp01804.exe
  "C:\ProgramData\nJiPaFp01804\nJiPaFp01804.exe" "C:\Users\Admin\AppData\Local\Temp\a19cf7bc0fba114990b8f2ba0cb650a797914fe6c3697ea7b81fb81f3480b103.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\nJiPaFp01804\nJiPaFp01804.exe

Filesize
370KB

MD5
cc8991ee2951c77ec55af2c86123c893

SHA1
da5af2777880377b2d62f70a261c0be3630209f0

SHA256
6c045d26d3aacba2cc2d512967fad1fae468270e5afbae3be908f565a87bc57a

SHA512
44e6ace3096f6175415453ddbb417681f4017999638b92ea5fe284d7016e2a88bdea913da4f775e41738e428bf85f34c73a298a1c16a5d236d4758813991c855

Download Submit
C:\ProgramData\nJiPaFp01804\nJiPaFp01804.exe

Filesize
370KB

MD5
cc8991ee2951c77ec55af2c86123c893

SHA1
da5af2777880377b2d62f70a261c0be3630209f0

SHA256
6c045d26d3aacba2cc2d512967fad1fae468270e5afbae3be908f565a87bc57a

SHA512
44e6ace3096f6175415453ddbb417681f4017999638b92ea5fe284d7016e2a88bdea913da4f775e41738e428bf85f34c73a298a1c16a5d236d4758813991c855

Download Submit
\ProgramData\nJiPaFp01804\nJiPaFp01804.exe

Filesize
370KB

MD5
cc8991ee2951c77ec55af2c86123c893

SHA1
da5af2777880377b2d62f70a261c0be3630209f0

SHA256
6c045d26d3aacba2cc2d512967fad1fae468270e5afbae3be908f565a87bc57a

SHA512
44e6ace3096f6175415453ddbb417681f4017999638b92ea5fe284d7016e2a88bdea913da4f775e41738e428bf85f34c73a298a1c16a5d236d4758813991c855

Download Submit
\ProgramData\nJiPaFp01804\nJiPaFp01804.exe

Filesize
370KB

MD5
cc8991ee2951c77ec55af2c86123c893

SHA1
da5af2777880377b2d62f70a261c0be3630209f0

SHA256
6c045d26d3aacba2cc2d512967fad1fae468270e5afbae3be908f565a87bc57a

SHA512
44e6ace3096f6175415453ddbb417681f4017999638b92ea5fe284d7016e2a88bdea913da4f775e41738e428bf85f34c73a298a1c16a5d236d4758813991c855

Download Submit
memory/1484-54-0x0000000074F01000-0x0000000074F03000-memory.dmp

Filesize
8KB

Download
memory/1484-55-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/1484-61-0x00000000022E0000-0x00000000023A9000-memory.dmp

Filesize
804KB

Download
memory/1484-64-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/1628-58-0x0000000000000000-mapping.dmp

Download
memory/1628-62-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download
memory/1628-65-0x0000000000400000-0x00000000004C9000-memory.dmp

Filesize
804KB

Download