c262e243b99902ee2c601d0d623c777c65781e7211a166035bd31d03ba5b7c1a

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
24/12/2023, 16:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05e4debc81b24e42696b6246a0f5ab21.exe
Size

10KB
MD5

05e4debc81b24e42696b6246a0f5ab21
SHA1

5273ca90291090b1ef20e0b615299427545e076c
SHA256

c262e243b99902ee2c601d0d623c777c65781e7211a166035bd31d03ba5b7c1a
SHA512

20c527cc35d79cb0a25bd80a2ae5344c31b10f2d12754ab7fc3afb06baaaaccb93de564dba4e6b5d80bdb9a14b6e21a767654d0c88281cbbd61908f1bdf4b8ac
SSDEEP

192:f1rTjAbiNTYQGrv3g7OGmQp1rbX1VCf31AdLQ:fJ1DGDQ7OGHPnCd

Score

8^/10

persistence upx

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Deletes itself 1 IoCs

pid	Process
2788	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1672	jolenmk.exe

Loads dropped DLL 2 IoCs

pid	Process
1960	05e4debc81b24e42696b6246a0f5ab21.exe
1960	05e4debc81b24e42696b6246a0f5ab21.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1960-1-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/files/0x000c000000013a83-3.dat	upx
behavioral1/memory/1960-4-0x00000000002B0000-0x00000000002BF000-memory.dmp	upx
behavioral1/memory/1672-11-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral1/memory/1960-12-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\jolenm.dll	05e4debc81b24e42696b6246a0f5ab21.exe
File created	C:\Windows\SysWOW64\jolenmk.exe	05e4debc81b24e42696b6246a0f5ab21.exe
File opened for modification	C:\Windows\SysWOW64\jolenmk.exe	05e4debc81b24e42696b6246a0f5ab21.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 1672	1960	05e4debc81b24e42696b6246a0f5ab21.exe	28
PID 1960 wrote to memory of 1672	1960	05e4debc81b24e42696b6246a0f5ab21.exe	28
PID 1960 wrote to memory of 1672	1960	05e4debc81b24e42696b6246a0f5ab21.exe	28
PID 1960 wrote to memory of 1672	1960	05e4debc81b24e42696b6246a0f5ab21.exe	28
PID 1960 wrote to memory of 2788	1960	05e4debc81b24e42696b6246a0f5ab21.exe	30
PID 1960 wrote to memory of 2788	1960	05e4debc81b24e42696b6246a0f5ab21.exe	30
PID 1960 wrote to memory of 2788	1960	05e4debc81b24e42696b6246a0f5ab21.exe	30
PID 1960 wrote to memory of 2788	1960	05e4debc81b24e42696b6246a0f5ab21.exe	30

C:\Users\Admin\AppData\Local\Temp\05e4debc81b24e42696b6246a0f5ab21.exe
"C:\Users\Admin\AppData\Local\Temp\05e4debc81b24e42696b6246a0f5ab21.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\SysWOW64\jolenmk.exe
  C:\Windows\system32\jolenmk.exe ˜‰
  2⤵
  - Executes dropped EXE
  PID:1672
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\05e4debc81b24e42696b6246a0f5ab21.exe.bat
  2⤵
  - Deletes itself
  PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\05e4debc81b24e42696b6246a0f5ab21.exe.bat

Filesize
182B

MD5
3f224fabf8c1f7fe5200cb59317bdfa2

SHA1
9b1154c0662f9a9eed3ab68acc8d6d47337fd371

SHA256
6b07e1eaebb90aa111fb7987395cad5bcb338828baa1ea09f9eebc1bb23a7de2

SHA512
5d1416c63a871f1d640673ea8a4b98993ae818a7f1e613f3723168f5cdb176fbf6923d8da8e5ad43641a3fbab909109f2724813ed46f3a1076656efa370c757c

Download Submit
\Windows\SysWOW64\jolenmk.exe

Filesize
10KB

MD5
05e4debc81b24e42696b6246a0f5ab21

SHA1
5273ca90291090b1ef20e0b615299427545e076c

SHA256
c262e243b99902ee2c601d0d623c777c65781e7211a166035bd31d03ba5b7c1a

SHA512
20c527cc35d79cb0a25bd80a2ae5344c31b10f2d12754ab7fc3afb06baaaaccb93de564dba4e6b5d80bdb9a14b6e21a767654d0c88281cbbd61908f1bdf4b8ac

Download Submit
memory/1672-11-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1960-1-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1960-4-0x00000000002B0000-0x00000000002BF000-memory.dmp

Filesize
60KB

Download
memory/1960-12-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1960-16-0x00000000002B0000-0x00000000002BF000-memory.dmp

Filesize
60KB

Download