50aecbc7000c93d3c38cf68e77e0afaeb446fed99fc71e50c968feccf689223b

Analysis

max time kernel
122s
max time network
164s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
10/01/2024, 12:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

508315df5d3268c24aea07bdb9405915.exe
Size

14KB
MD5

508315df5d3268c24aea07bdb9405915
SHA1

2823a1cf6620a4de01f29631b7cc21c0ed9b5fc5
SHA256

50aecbc7000c93d3c38cf68e77e0afaeb446fed99fc71e50c968feccf689223b
SHA512

7fa4a119b18c2888da68884ef829e03558d22d3d135b0d8467117f0cc57a437855e9c7e9de0edb54026e74e464a64c45b7ac12dba54ac00054baaa49ed05de9c
SSDEEP

384:hwAV8wyIKKL+yxB0PbzYOyZyyfBmann9bOuNP:jbKKLJxBMbuygmanNz

Score

10^/10

persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\jdmjbima.dll = "{21BE5FDF-D4CB-4850-AD99-21E68B50BF3F}"	508315df5d3268c24aea07bdb9405915.exe

Deletes itself 1 IoCs

pid	Process
2084	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
2776	508315df5d3268c24aea07bdb9405915.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\jdmjbima.tmp	508315df5d3268c24aea07bdb9405915.exe
File opened for modification	C:\Windows\SysWOW64\jdmjbima.nls	508315df5d3268c24aea07bdb9405915.exe
File created	C:\Windows\SysWOW64\jdmjbima.tmp	508315df5d3268c24aea07bdb9405915.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21BE5FDF-D4CB-4850-AD99-21E68B50BF3F}\InProcServer32	508315df5d3268c24aea07bdb9405915.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21BE5FDF-D4CB-4850-AD99-21E68B50BF3F}\InProcServer32\ = "C:\\Windows\\SysWow64\\jdmjbima.dll"	508315df5d3268c24aea07bdb9405915.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21BE5FDF-D4CB-4850-AD99-21E68B50BF3F}\InProcServer32\ThreadingModel = "Apartment"	508315df5d3268c24aea07bdb9405915.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{21BE5FDF-D4CB-4850-AD99-21E68B50BF3F}	508315df5d3268c24aea07bdb9405915.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2776	508315df5d3268c24aea07bdb9405915.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2776	508315df5d3268c24aea07bdb9405915.exe
2776	508315df5d3268c24aea07bdb9405915.exe
2776	508315df5d3268c24aea07bdb9405915.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 2084	2776	508315df5d3268c24aea07bdb9405915.exe	29
PID 2776 wrote to memory of 2084	2776	508315df5d3268c24aea07bdb9405915.exe	29
PID 2776 wrote to memory of 2084	2776	508315df5d3268c24aea07bdb9405915.exe	29
PID 2776 wrote to memory of 2084	2776	508315df5d3268c24aea07bdb9405915.exe	29

C:\Users\Admin\AppData\Local\Temp\508315df5d3268c24aea07bdb9405915.exe
"C:\Users\Admin\AppData\Local\Temp\508315df5d3268c24aea07bdb9405915.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2776
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\5457.tmp.bat
  2⤵
  - Deletes itself
  PID:2084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5457.tmp.bat

Filesize
179B

MD5
4fda88b48af3a95a1b4e3f2994e52f7c

SHA1
6bf1b9dd9d72e5c59a2b37ba00b3646191effb43

SHA256
ce4319bcd3b70c4888b29321e921b32ffe08f7dc387157631bf165419e7a28d1

SHA512
0c317354ee568f19aa84abb5c1f203c7139a77f829e7a4aade9df247af8272dfd5d3b2a1ba83cff9499ed9671ef05b288d8f3edcbecfe24d6ec745ca07469640

Download Submit
\Windows\SysWOW64\jdmjbima.dll

Filesize
2.1MB

MD5
ff4b5ea87a773c3ed4e435297fc36c1a

SHA1
c848ef0a472283093224f5f4f6facb0bee81055f

SHA256
d705eda8f3f6690103ce3c2af9881f3d2cffcf5cad5ce4e25b2a903deb5d3ebd

SHA512
4bd2742a39c0b5eee9a5e0ce4fe970a490e5a76ee86e9d39238d5ed375b07a16040f4c6c5af57a0ebf4d2d1f409defbacd6eab93aab871d3f05afded61d80eb0

Download Submit
memory/2776-12-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download
memory/2776-22-0x0000000010000000-0x0000000010008000-memory.dmp

Filesize
32KB

Download