3e87c72220ae2b4d3e86aeed4bf88d57e7e73816e7a59a589aa6542f371d2564

Analysis

max time kernel
97s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
05/12/2022, 14:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e87c72220ae2b4d3e86aeed4bf88d57e7e73816e7a59a589aa6542f371d2564.exe
Size

155KB
MD5

046ebefa506e475dce874204974b5a80
SHA1

1548682a3858d70980294cd669967ccc13a64958
SHA256

3e87c72220ae2b4d3e86aeed4bf88d57e7e73816e7a59a589aa6542f371d2564
SHA512

83e84d50e150ad15094c6d3bfc55c123dcde2a42079a7a9bc355457cab161b27a299fa8af37350f87b63b219fdce1df98032ea299235d3c9e9022b0532219906
SSDEEP

3072:zHtMhQHEceR8XSP7LGsOXgXGL0M2ZEpQDtKydIvvExXRZ8PEH387atmjQNZA4mzd:zNoHRY27g0/ZEpQDQyWvEXfpHMOjALzd

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1164	jydekdj.exe

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~3\Mozilla\jydekdj.exe	3e87c72220ae2b4d3e86aeed4bf88d57e7e73816e7a59a589aa6542f371d2564.exe
File created	C:\PROGRA~3\Mozilla\xdldjol.dll	jydekdj.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1248 wrote to memory of 1164	1248	taskeng.exe	29
PID 1248 wrote to memory of 1164	1248	taskeng.exe	29
PID 1248 wrote to memory of 1164	1248	taskeng.exe	29
PID 1248 wrote to memory of 1164	1248	taskeng.exe	29

C:\Users\Admin\AppData\Local\Temp\3e87c72220ae2b4d3e86aeed4bf88d57e7e73816e7a59a589aa6542f371d2564.exe
"C:\Users\Admin\AppData\Local\Temp\3e87c72220ae2b4d3e86aeed4bf88d57e7e73816e7a59a589aa6542f371d2564.exe"
1⤵
- Drops file in Program Files directory
PID:1992

C:\Windows\system32\taskeng.exe
taskeng.exe {56A94EBE-384C-43F8-812A-0A0897B82EDA} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1248
- C:\PROGRA~3\Mozilla\jydekdj.exe
  C:\PROGRA~3\Mozilla\jydekdj.exe -vamlaul
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:1164

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~3\Mozilla\jydekdj.exe

Filesize
155KB

MD5
801f6a961017ab30cf78d0bc668c2555

SHA1
e03a826837713b76575fe305ad59c07e6a9c6044

SHA256
7b171fadb20f05658e0615b1d7168520872c74004b1cc65eaf1a43396c7c92bb

SHA512
f420b7ce332c10316c7061c581147e2abf39da031ec2b86430e2a4b6644c68d94d4b9ee066433455c81ac085112e41dd3d6731903e942444ce78854f53ca5eb7

Download Submit
C:\PROGRA~3\Mozilla\jydekdj.exe

Filesize
155KB

MD5
801f6a961017ab30cf78d0bc668c2555

SHA1
e03a826837713b76575fe305ad59c07e6a9c6044

SHA256
7b171fadb20f05658e0615b1d7168520872c74004b1cc65eaf1a43396c7c92bb

SHA512
f420b7ce332c10316c7061c581147e2abf39da031ec2b86430e2a4b6644c68d94d4b9ee066433455c81ac085112e41dd3d6731903e942444ce78854f53ca5eb7

Download Submit
memory/1164-62-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1164-64-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1992-54-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download
memory/1992-55-0x0000000076651000-0x0000000076653000-memory.dmp

Filesize
8KB

Download
memory/1992-56-0x0000000000400000-0x0000000000464000-memory.dmp

Filesize
400KB

Download