c262e243b99902ee2c601d0d623c777c65781e7211a166035bd31d03ba5b7c1a

Analysis

max time kernel
9s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
24-12-2023 16:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05e4debc81b24e42696b6246a0f5ab21.exe
Size

10KB
MD5

05e4debc81b24e42696b6246a0f5ab21
SHA1

5273ca90291090b1ef20e0b615299427545e076c
SHA256

c262e243b99902ee2c601d0d623c777c65781e7211a166035bd31d03ba5b7c1a
SHA512

20c527cc35d79cb0a25bd80a2ae5344c31b10f2d12754ab7fc3afb06baaaaccb93de564dba4e6b5d80bdb9a14b6e21a767654d0c88281cbbd61908f1bdf4b8ac
SSDEEP

192:f1rTjAbiNTYQGrv3g7OGmQp1rbX1VCf31AdLQ:fJ1DGDQ7OGHPnCd

Score

8^/10

persistence upx

Malware Config

Signatures

Modifies AppInit DLL entries 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Executes dropped EXE 1 IoCs

pid	Process
1532	jolenmk.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2760-0-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/files/0x00070000000231fa-5.dat	upx
behavioral2/files/0x00070000000231fa-4.dat	upx
behavioral2/memory/1532-7-0x0000000000400000-0x000000000040F000-memory.dmp	upx
behavioral2/memory/2760-6-0x0000000000400000-0x000000000040F000-memory.dmp	upx

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\jolenm.dll	05e4debc81b24e42696b6246a0f5ab21.exe
File created	C:\Windows\SysWOW64\jolenmk.exe	05e4debc81b24e42696b6246a0f5ab21.exe
File opened for modification	C:\Windows\SysWOW64\jolenmk.exe	05e4debc81b24e42696b6246a0f5ab21.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2760 wrote to memory of 1532	2760	05e4debc81b24e42696b6246a0f5ab21.exe	21
PID 2760 wrote to memory of 1532	2760	05e4debc81b24e42696b6246a0f5ab21.exe	21
PID 2760 wrote to memory of 1532	2760	05e4debc81b24e42696b6246a0f5ab21.exe	21

C:\Users\Admin\AppData\Local\Temp\05e4debc81b24e42696b6246a0f5ab21.exe
"C:\Users\Admin\AppData\Local\Temp\05e4debc81b24e42696b6246a0f5ab21.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2760
- C:\Windows\SysWOW64\jolenmk.exe
  C:\Windows\system32\jolenmk.exe ˜‰
  2⤵
  - Executes dropped EXE
  PID:1532
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\05e4debc81b24e42696b6246a0f5ab21.exe.bat
  2⤵
  PID:4604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\05e4debc81b24e42696b6246a0f5ab21.exe.bat

Filesize
182B

MD5
3f224fabf8c1f7fe5200cb59317bdfa2

SHA1
9b1154c0662f9a9eed3ab68acc8d6d47337fd371

SHA256
6b07e1eaebb90aa111fb7987395cad5bcb338828baa1ea09f9eebc1bb23a7de2

SHA512
5d1416c63a871f1d640673ea8a4b98993ae818a7f1e613f3723168f5cdb176fbf6923d8da8e5ad43641a3fbab909109f2724813ed46f3a1076656efa370c757c

Download Submit
C:\Windows\SysWOW64\jolenmk.exe

Filesize
5KB

MD5
73f6ebb2a6ed2bf1b7cca3201641a341

SHA1
835ec7bfe3317ed98543df9d3f28a2751fa682f2

SHA256
c05be54f6bb2bd975ff2dc322f8c6f40167cde1555bbeee52d438a12e266b11b

SHA512
7bb6fadddd5ee9d9ea8e46863ae10d7021aece44c983393c2a3c50bf3f2de13d660bd6cf1771bf6520523d6e66a4920f237fe3199ccaee0e17395331b4459606

Download Submit
C:\Windows\SysWOW64\jolenmk.exe

Filesize
1KB

MD5
43efd2fe6812bd75e6c4f8cebe880794

SHA1
52dc5995124da2287cd79afd0b8a4c2cb7d99eec

SHA256
2d7adcf334787fe98e15e75aeba5ec683a8541157de6eec1fbfd0882a4de9bfd

SHA512
6be02549d49ae2e99a2693d08a6779765b26cd8f50e9d040869773f04359b80b6e156219d8dd8c60c3fc2931481caf83ec67d9068c36351fc963990d9cbafaac

Download Submit
memory/1532-7-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2760-0-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2760-6-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download