8790f44becd20cc8c802469e1eada27d8697f8c572c488a8e38ccdd932c51b2f

Analysis

max time kernel
35s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 06:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0ad35885356beb5f38b93d80742bcaac.exe
Size

156KB
MD5

0ad35885356beb5f38b93d80742bcaac
SHA1

2ba83bd0b25f777ec79c2151f6e8f104cf37422d
SHA256

8790f44becd20cc8c802469e1eada27d8697f8c572c488a8e38ccdd932c51b2f
SHA512

7b178e97e348b434afb781249ccf3dc81d91d8673d699a0c8ff896be21077bca31996a1ed06422ca8ac50ee0455349917847fb21fb1f53f1f268eedc006f07bc
SSDEEP

3072:DpJb4FgyqTRlU3NhCBvu9pjZEwDxdr8Jree:9J9Rl+NhwWrjuwDQN

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	0ad35885356beb5f38b93d80742bcaac.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	wtjuil.exe

Executes dropped EXE 1 IoCs

pid	Process
1252	wtjuil.exe

Loads dropped DLL 2 IoCs

pid	Process
1716	0ad35885356beb5f38b93d80742bcaac.exe
1716	0ad35885356beb5f38b93d80742bcaac.exe

Adds Run key to start application 2 TTPs 32 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\wtjuil = "C:\\Users\\Admin\\wtjuil.exe /m"	0ad35885356beb5f38b93d80742bcaac.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\wtjuil = "C:\\Users\\Admin\\wtjuil.exe /N"	wtjuil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\wtjuil = "C:\\Users\\Admin\\wtjuil.exe /o"	wtjuil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\wtjuil = "C:\\Users\\Admin\\wtjuil.exe /b"	wtjuil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\wtjuil = "C:\\Users\\Admin\\wtjuil.exe /Y"	wtjuil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\wtjuil = "C:\\Users\\Admin\\wtjuil.exe /O"	wtjuil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\wtjuil = "C:\\Users\\Admin\\wtjuil.exe /X"	wtjuil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\wtjuil = "C:\\Users\\Admin\\wtjuil.exe /r"	wtjuil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\wtjuil = "C:\\Users\\Admin\\wtjuil.exe /w"	wtjuil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\wtjuil = "C:\\Users\\Admin\\wtjuil.exe /S"	wtjuil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\wtjuil = "C:\\Users\\Admin\\wtjuil.exe /T"	wtjuil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\wtjuil = "C:\\Users\\Admin\\wtjuil.exe /q"	wtjuil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\wtjuil = "C:\\Users\\Admin\\wtjuil.exe /s"	wtjuil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\wtjuil = "C:\\Users\\Admin\\wtjuil.exe /c"	wtjuil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\wtjuil = "C:\\Users\\Admin\\wtjuil.exe /x"	wtjuil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\wtjuil = "C:\\Users\\Admin\\wtjuil.exe /g"	wtjuil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\wtjuil = "C:\\Users\\Admin\\wtjuil.exe /A"	wtjuil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\wtjuil = "C:\\Users\\Admin\\wtjuil.exe /W"	wtjuil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\wtjuil = "C:\\Users\\Admin\\wtjuil.exe /I"	wtjuil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\wtjuil = "C:\\Users\\Admin\\wtjuil.exe /p"	wtjuil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\wtjuil = "C:\\Users\\Admin\\wtjuil.exe /J"	wtjuil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\wtjuil = "C:\\Users\\Admin\\wtjuil.exe /u"	wtjuil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\wtjuil = "C:\\Users\\Admin\\wtjuil.exe /a"	wtjuil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\wtjuil = "C:\\Users\\Admin\\wtjuil.exe /M"	wtjuil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\wtjuil = "C:\\Users\\Admin\\wtjuil.exe /K"	wtjuil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\wtjuil = "C:\\Users\\Admin\\wtjuil.exe /Q"	wtjuil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\wtjuil = "C:\\Users\\Admin\\wtjuil.exe /H"	wtjuil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\wtjuil = "C:\\Users\\Admin\\wtjuil.exe /Z"	wtjuil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\wtjuil = "C:\\Users\\Admin\\wtjuil.exe /V"	wtjuil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\wtjuil = "C:\\Users\\Admin\\wtjuil.exe /E"	wtjuil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\wtjuil = "C:\\Users\\Admin\\wtjuil.exe /e"	wtjuil.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\wtjuil = "C:\\Users\\Admin\\wtjuil.exe /t"	wtjuil.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
1716	0ad35885356beb5f38b93d80742bcaac.exe
1252	wtjuil.exe
1252	wtjuil.exe
1252	wtjuil.exe
1252	wtjuil.exe
1252	wtjuil.exe
1252	wtjuil.exe
1252	wtjuil.exe
1252	wtjuil.exe
1252	wtjuil.exe
1252	wtjuil.exe
1252	wtjuil.exe
1252	wtjuil.exe
1252	wtjuil.exe
1252	wtjuil.exe
1252	wtjuil.exe
1252	wtjuil.exe
1252	wtjuil.exe
1252	wtjuil.exe
1252	wtjuil.exe
1252	wtjuil.exe
1252	wtjuil.exe
1252	wtjuil.exe
1252	wtjuil.exe
1252	wtjuil.exe
1252	wtjuil.exe
1252	wtjuil.exe
1252	wtjuil.exe
1252	wtjuil.exe
1252	wtjuil.exe
1252	wtjuil.exe
1252	wtjuil.exe
1252	wtjuil.exe
1252	wtjuil.exe
1252	wtjuil.exe
1252	wtjuil.exe
1252	wtjuil.exe
1252	wtjuil.exe
1252	wtjuil.exe
1252	wtjuil.exe
1252	wtjuil.exe
1252	wtjuil.exe
1252	wtjuil.exe
1252	wtjuil.exe
1252	wtjuil.exe
1252	wtjuil.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1716	0ad35885356beb5f38b93d80742bcaac.exe
1252	wtjuil.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 1252	1716	0ad35885356beb5f38b93d80742bcaac.exe	28
PID 1716 wrote to memory of 1252	1716	0ad35885356beb5f38b93d80742bcaac.exe	28
PID 1716 wrote to memory of 1252	1716	0ad35885356beb5f38b93d80742bcaac.exe	28
PID 1716 wrote to memory of 1252	1716	0ad35885356beb5f38b93d80742bcaac.exe	28

C:\Users\Admin\AppData\Local\Temp\0ad35885356beb5f38b93d80742bcaac.exe
"C:\Users\Admin\AppData\Local\Temp\0ad35885356beb5f38b93d80742bcaac.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Users\Admin\wtjuil.exe
  "C:\Users\Admin\wtjuil.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\wtjuil.exe

Filesize
2KB

MD5
05e0fb80e7325028ac52393830a26c0c

SHA1
cc3544eb0df561b44fca8573e4c533550395796c

SHA256
56443baf8cf3dde38903585298753da15ba4c072595335e497214636396b0ad3

SHA512
6905de6d6c6955ad65bdabc28edeadfccc7592e807326c9c1d275d7edac67aeb75e025544519a8b352f3691d42078c7082e23551c44717ebf9ce0c6a6e6a874c

Download Submit
C:\Users\Admin\wtjuil.exe

Filesize
103KB

MD5
fa19fdb9def11b2c562fd3a5a3494807

SHA1
18d348669d1ce72afc1b9d015b0dab4e896754e1

SHA256
98424fa644a5a627ae2396f3d1afc31eab76fe2bfd9448c74e6fd77289ae8446

SHA512
96ee80aee5063a57df41e4c1d0b5275e06120b6ae7afd7af276a0c5e6f7598513767397b6d8f5b81eaa8528825ee09111d709ee91105f991abd3802e50848d3c

Download Submit
C:\Users\Admin\wtjuil.exe

Filesize
1KB

MD5
f68d97cbed932f925a0ea09ab3ea0285

SHA1
636310b060aed9aba11a0c81fb6e3eeb8344a8df

SHA256
94919f9ca73c25ca1ccc2e83379d8983339776e781449d4d7664ea56e7d30a0d

SHA512
ffeac9731f289a18725214ffe9b795fc2909dee277d59d7667f0b79ea0681e38032ad94d25cbd4ada279df2f9e6c9782bc06bb97a1504a7dbf9198f6bbb10a81

Download Submit
\Users\Admin\wtjuil.exe

Filesize
29KB

MD5
1502f2ab2d970757c312150a8d3309ff

SHA1
a9d8c81d34f1eb64fcf1a0f436aa9830a5313c5e

SHA256
bd727ea4ce80997f0bcd167130c293991816b8e7680a2ba7bf29f56ab9cb2ff9

SHA512
7137316936ea33956b58cde61a2d013c4f461410c3529c02031314e01b525a984406f4736582e5f4ece6659141201e21e8afffc70f758651ff229669ad8725de

Download Submit
\Users\Admin\wtjuil.exe

Filesize
61KB

MD5
a0fa68c3e16e915481b1b86c2ed3e9a5

SHA1
35ba57b0e7e3d691915f7684e6545bbcfeb47932

SHA256
78c08e90a01c0b625f350597892691b9e203770eed1f06721fa156016ff0d311

SHA512
d876a4a4b0abd8955dc5fa5cda161a8e8e234890020d65419342e9b035427c44a70290de0943309a3fbca3b0b23118b827ad7c0bdb9a8b28d9a9b0a8ef3a9e33

Download Submit