d67b23ec2e80246fd7f4aaad52d2fb138ce8f06a2ca1ae07e9d61e88260354a7

Analysis

max time kernel
8s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
08/01/2024, 23:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

4cc8840e78f33f8d4d47a55815ea05dd.exe
Size

52KB
MD5

4cc8840e78f33f8d4d47a55815ea05dd
SHA1

3fb1f568aa231a09b88c4b4edea9c9347182d34d
SHA256

d67b23ec2e80246fd7f4aaad52d2fb138ce8f06a2ca1ae07e9d61e88260354a7
SHA512

17f04d5fde0d325ae85d4de68bd72ee2e64cc05ff6317a6246abf5fb4b735e92e5c8fce77010efe34b3dbea4a2f82141ff491d235223cac474cc71490075872a
SSDEEP

768:yNn1+MQ/j359nR9xUeMfVB1RLaP/v/0CISor5C6Rlwibw5zVzpAH:yyr3f99MfHzLaX30T5C6RlKpAH

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	jaekaax.exe

Executes dropped EXE 1 IoCs

pid	Process
2208	jaekaax.exe

Loads dropped DLL 2 IoCs

pid	Process
1684	4cc8840e78f33f8d4d47a55815ea05dd.exe
1684	4cc8840e78f33f8d4d47a55815ea05dd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaekaax = "C:\\Users\\Admin\\jaekaax.exe"	jaekaax.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
2208	jaekaax.exe
2208	jaekaax.exe
2208	jaekaax.exe
2208	jaekaax.exe
2208	jaekaax.exe
2208	jaekaax.exe
2208	jaekaax.exe
2208	jaekaax.exe
2208	jaekaax.exe
2208	jaekaax.exe
2208	jaekaax.exe
2208	jaekaax.exe
2208	jaekaax.exe
2208	jaekaax.exe
2208	jaekaax.exe
2208	jaekaax.exe
2208	jaekaax.exe
2208	jaekaax.exe
2208	jaekaax.exe
2208	jaekaax.exe
2208	jaekaax.exe
2208	jaekaax.exe
2208	jaekaax.exe
2208	jaekaax.exe
2208	jaekaax.exe
2208	jaekaax.exe
2208	jaekaax.exe
2208	jaekaax.exe
2208	jaekaax.exe
2208	jaekaax.exe
2208	jaekaax.exe
2208	jaekaax.exe
2208	jaekaax.exe
2208	jaekaax.exe
2208	jaekaax.exe
2208	jaekaax.exe
2208	jaekaax.exe
2208	jaekaax.exe
2208	jaekaax.exe
2208	jaekaax.exe
2208	jaekaax.exe
2208	jaekaax.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1684	4cc8840e78f33f8d4d47a55815ea05dd.exe
2208	jaekaax.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 2208	1684	4cc8840e78f33f8d4d47a55815ea05dd.exe	28
PID 1684 wrote to memory of 2208	1684	4cc8840e78f33f8d4d47a55815ea05dd.exe	28
PID 1684 wrote to memory of 2208	1684	4cc8840e78f33f8d4d47a55815ea05dd.exe	28
PID 1684 wrote to memory of 2208	1684	4cc8840e78f33f8d4d47a55815ea05dd.exe	28
PID 2208 wrote to memory of 1684	2208	jaekaax.exe	14
PID 2208 wrote to memory of 1684	2208	jaekaax.exe	14
PID 2208 wrote to memory of 1684	2208	jaekaax.exe	14
PID 2208 wrote to memory of 1684	2208	jaekaax.exe	14
PID 2208 wrote to memory of 1684	2208	jaekaax.exe	14
PID 2208 wrote to memory of 1684	2208	jaekaax.exe	14
PID 2208 wrote to memory of 1684	2208	jaekaax.exe	14
PID 2208 wrote to memory of 1684	2208	jaekaax.exe	14
PID 2208 wrote to memory of 1684	2208	jaekaax.exe	14
PID 2208 wrote to memory of 1684	2208	jaekaax.exe	14
PID 2208 wrote to memory of 1684	2208	jaekaax.exe	14
PID 2208 wrote to memory of 1684	2208	jaekaax.exe	14
PID 2208 wrote to memory of 1684	2208	jaekaax.exe	14
PID 2208 wrote to memory of 1684	2208	jaekaax.exe	14
PID 2208 wrote to memory of 1684	2208	jaekaax.exe	14
PID 2208 wrote to memory of 1684	2208	jaekaax.exe	14
PID 2208 wrote to memory of 1684	2208	jaekaax.exe	14
PID 2208 wrote to memory of 1684	2208	jaekaax.exe	14
PID 2208 wrote to memory of 1684	2208	jaekaax.exe	14
PID 2208 wrote to memory of 1684	2208	jaekaax.exe	14
PID 2208 wrote to memory of 1684	2208	jaekaax.exe	14
PID 2208 wrote to memory of 1684	2208	jaekaax.exe	14
PID 2208 wrote to memory of 1684	2208	jaekaax.exe	14
PID 2208 wrote to memory of 1684	2208	jaekaax.exe	14
PID 2208 wrote to memory of 1684	2208	jaekaax.exe	14
PID 2208 wrote to memory of 1684	2208	jaekaax.exe	14
PID 2208 wrote to memory of 1684	2208	jaekaax.exe	14
PID 2208 wrote to memory of 1684	2208	jaekaax.exe	14
PID 2208 wrote to memory of 1684	2208	jaekaax.exe	14
PID 2208 wrote to memory of 1684	2208	jaekaax.exe	14
PID 2208 wrote to memory of 1684	2208	jaekaax.exe	14
PID 2208 wrote to memory of 1684	2208	jaekaax.exe	14
PID 2208 wrote to memory of 1684	2208	jaekaax.exe	14
PID 2208 wrote to memory of 1684	2208	jaekaax.exe	14
PID 2208 wrote to memory of 1684	2208	jaekaax.exe	14
PID 2208 wrote to memory of 1684	2208	jaekaax.exe	14
PID 2208 wrote to memory of 1684	2208	jaekaax.exe	14
PID 2208 wrote to memory of 1684	2208	jaekaax.exe	14
PID 2208 wrote to memory of 1684	2208	jaekaax.exe	14
PID 2208 wrote to memory of 1684	2208	jaekaax.exe	14
PID 2208 wrote to memory of 1684	2208	jaekaax.exe	14
PID 2208 wrote to memory of 1684	2208	jaekaax.exe	14
PID 2208 wrote to memory of 1684	2208	jaekaax.exe	14
PID 2208 wrote to memory of 1684	2208	jaekaax.exe	14
PID 2208 wrote to memory of 1684	2208	jaekaax.exe	14
PID 2208 wrote to memory of 1684	2208	jaekaax.exe	14
PID 2208 wrote to memory of 1684	2208	jaekaax.exe	14
PID 2208 wrote to memory of 1684	2208	jaekaax.exe	14
PID 2208 wrote to memory of 1684	2208	jaekaax.exe	14
PID 2208 wrote to memory of 1684	2208	jaekaax.exe	14
PID 2208 wrote to memory of 1684	2208	jaekaax.exe	14
PID 2208 wrote to memory of 1684	2208	jaekaax.exe	14
PID 2208 wrote to memory of 1684	2208	jaekaax.exe	14
PID 2208 wrote to memory of 1684	2208	jaekaax.exe	14
PID 2208 wrote to memory of 1684	2208	jaekaax.exe	14
PID 2208 wrote to memory of 1684	2208	jaekaax.exe	14
PID 2208 wrote to memory of 1684	2208	jaekaax.exe	14
PID 2208 wrote to memory of 1684	2208	jaekaax.exe	14
PID 2208 wrote to memory of 1684	2208	jaekaax.exe	14
PID 2208 wrote to memory of 1684	2208	jaekaax.exe	14

C:\Users\Admin\AppData\Local\Temp\4cc8840e78f33f8d4d47a55815ea05dd.exe
"C:\Users\Admin\AppData\Local\Temp\4cc8840e78f33f8d4d47a55815ea05dd.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Users\Admin\jaekaax.exe
  "C:\Users\Admin\jaekaax.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\jaekaax.exe

Filesize
13KB

MD5
c6f7ba614ed671c37dbed64f8fecca36

SHA1
20def21a4267683625d350879ca0d47f5bdcfde3

SHA256
b48aa0e1f5d022edb4bdf27092f4e707fce269182a232a16b6de5052f2b95fca

SHA512
1627a68a56f06f3888f3901ee3b5d7df6b6e70a0b4d322ba8f16f93b94ad66c4090af622a70c0930e92cd03f91467f069ed964456f2ac7d9cb5ec5642e212c33

Download Submit
C:\Users\Admin\jaekaax.exe

Filesize
45KB

MD5
acb4a51226f607c504917c9be190b899

SHA1
a6307e0fe8c036f2c1f614e6c55164a27e5911d1

SHA256
df1ecb10b6d390350b9542a05a08d02e7307da6009fdba06574a0df5567eb78f

SHA512
b33e5d1770aec42af26c87fdb7f21795cd455ecc445a4013ca87b6b5103e104aa927944582d906e9c56bcdf77a5fbdcd7b98247f729c37565cb78a4b4e70a1e8

Download Submit
C:\Users\Admin\jaekaax.exe

Filesize
1KB

MD5
78a5a9b22a89edba1edbf5d16b63730b

SHA1
b8b729731f98433aea05cbe061a08c2d75bea0e3

SHA256
f0ff697f5804e970380ef14b1fd7d9b4c84755da8643cc2a55e933746acc3138

SHA512
9f6f23d8992b8a3bc6ed456c84c759fff5a039783acd4239315c48db51220b1bf0c97732159431b02fe3620818a183f66f829d439384faf19d0c3c347a68342c

Download Submit
\Users\Admin\jaekaax.exe

Filesize
17KB

MD5
3dd8e1420e1b740259e795c9f3f0dffa

SHA1
5f9e780a959ab9b82d083ff367511d6666b625c9

SHA256
202747651db4af736581c186e4ebfa2ef331e8db05f0ec20edcd2cdc47d2968d

SHA512
a1a0e439d9896d2ac3663aca2d293108c867d636e60622b974d4f04c7542f4db0ce15dd26ac5006a47971bae65929a26d88c6d3836d698f648246a68df070e40

Download Submit
\Users\Admin\jaekaax.exe

Filesize
52KB

MD5
7a34888842629c45af7359245d6d1650

SHA1
ed73759076eccf73781cdf22f7d775b7617e10e7

SHA256
275edf2a7cd0dc745e32f3551c9c918d42ed00c5ac54427a1a448372555ebc36

SHA512
f3563fe99ca0030d86765e24aa84319bb40fdba9287460da47916aefb925276a24643d3950dfa7c1d33fc3e423d247ef62081394023ce898be5c9c5ffaf44106

Download Submit
memory/1684-2-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1684-15-0x00000000027D0000-0x00000000027E0000-memory.dmp

Filesize
64KB

Download
memory/1684-14-0x00000000027D0000-0x00000000027E0000-memory.dmp

Filesize
64KB

Download
memory/2208-16-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download