e12b9172e8be141907529cd981ea57db8aa2ed0ce21d3fa8ef0d7d59f1216d9e

Analysis

max time kernel
151s
max time network
154s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
10/03/2024, 05:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bdd522d760e0f66b08fca4b21845fbc3.exe
Size

175KB
MD5

bdd522d760e0f66b08fca4b21845fbc3
SHA1

a03dc47e2237f2c12f1f298aa3ad9ac5ac39ab5e
SHA256

e12b9172e8be141907529cd981ea57db8aa2ed0ce21d3fa8ef0d7d59f1216d9e
SHA512

4ee09868cd160eec271f30106863b358262484c43cf42393d2918fe6d8ae1ea83822070ff3ecb30ba941bb33320be3b22f1413a0c604cd8291b95fc8810ea250
SSDEEP

3072:EQKskHJn+Y5imxacyZ10zPRQHh/MTD8desoMVhZH3sPUMMnMMMMMX7I7Da:oHFLA0K70zPRI58D8dfoMVDH3scMMnMC

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2904	poju.exe

Loads dropped DLL 1 IoCs

pid	Process
2100	bdd522d760e0f66b08fca4b21845fbc3.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Windows\CurrentVersion\Run\{19F71248-7EB4-80A4-4F53-7AA2BAD9F811} = "C:\\Users\\Admin\\AppData\\Roaming\\Nepo\\poju.exe"	poju.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
2100	bdd522d760e0f66b08fca4b21845fbc3.exe
2100	bdd522d760e0f66b08fca4b21845fbc3.exe
2904	poju.exe
2904	poju.exe
2904	poju.exe
2904	poju.exe
2904	poju.exe
2904	poju.exe
2904	poju.exe
2904	poju.exe
2904	poju.exe
2904	poju.exe
2904	poju.exe
2904	poju.exe
2904	poju.exe
2904	poju.exe
2904	poju.exe
2904	poju.exe
2904	poju.exe
2904	poju.exe
2904	poju.exe
2904	poju.exe
2904	poju.exe
2904	poju.exe
2904	poju.exe
2904	poju.exe
2904	poju.exe
2904	poju.exe
2904	poju.exe
2904	poju.exe
2904	poju.exe
2904	poju.exe
2904	poju.exe
2904	poju.exe
2904	poju.exe
2904	poju.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2100	bdd522d760e0f66b08fca4b21845fbc3.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 2904	2100	bdd522d760e0f66b08fca4b21845fbc3.exe	28
PID 2100 wrote to memory of 2904	2100	bdd522d760e0f66b08fca4b21845fbc3.exe	28
PID 2100 wrote to memory of 2904	2100	bdd522d760e0f66b08fca4b21845fbc3.exe	28
PID 2100 wrote to memory of 2904	2100	bdd522d760e0f66b08fca4b21845fbc3.exe	28
PID 2904 wrote to memory of 1124	2904	poju.exe	19
PID 2904 wrote to memory of 1124	2904	poju.exe	19
PID 2904 wrote to memory of 1124	2904	poju.exe	19
PID 2904 wrote to memory of 1124	2904	poju.exe	19
PID 2904 wrote to memory of 1124	2904	poju.exe	19
PID 2904 wrote to memory of 1180	2904	poju.exe	20
PID 2904 wrote to memory of 1180	2904	poju.exe	20
PID 2904 wrote to memory of 1180	2904	poju.exe	20
PID 2904 wrote to memory of 1180	2904	poju.exe	20
PID 2904 wrote to memory of 1180	2904	poju.exe	20
PID 2904 wrote to memory of 1264	2904	poju.exe	21
PID 2904 wrote to memory of 1264	2904	poju.exe	21
PID 2904 wrote to memory of 1264	2904	poju.exe	21
PID 2904 wrote to memory of 1264	2904	poju.exe	21
PID 2904 wrote to memory of 1264	2904	poju.exe	21
PID 2904 wrote to memory of 2004	2904	poju.exe	23
PID 2904 wrote to memory of 2004	2904	poju.exe	23
PID 2904 wrote to memory of 2004	2904	poju.exe	23
PID 2904 wrote to memory of 2004	2904	poju.exe	23
PID 2904 wrote to memory of 2004	2904	poju.exe	23
PID 2904 wrote to memory of 2100	2904	poju.exe	27
PID 2904 wrote to memory of 2100	2904	poju.exe	27
PID 2904 wrote to memory of 2100	2904	poju.exe	27
PID 2904 wrote to memory of 2100	2904	poju.exe	27
PID 2904 wrote to memory of 2100	2904	poju.exe	27
PID 2904 wrote to memory of 2496	2904	poju.exe	29
PID 2904 wrote to memory of 2496	2904	poju.exe	29
PID 2904 wrote to memory of 2496	2904	poju.exe	29
PID 2904 wrote to memory of 2496	2904	poju.exe	29
PID 2904 wrote to memory of 2496	2904	poju.exe	29

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1124

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1180

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1264
- C:\Users\Admin\AppData\Local\Temp\bdd522d760e0f66b08fca4b21845fbc3.exe
  "C:\Users\Admin\AppData\Local\Temp\bdd522d760e0f66b08fca4b21845fbc3.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2100
- - C:\Users\Admin\AppData\Roaming\Nepo\poju.exe
    "C:\Users\Admin\AppData\Roaming\Nepo\poju.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2904

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2004

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\Nepo\poju.exe

Filesize
175KB

MD5
e68e247cd1eb54e81bcd9f9f3f5371b6

SHA1
c210f82789ce5b6e341f2c77441f811cfa421444

SHA256
01de0aed5ec715aa7f22b2f7dc1e720129843b50c307336b8f47ebb4d670938f

SHA512
4078069502d066ee1e9cd42ebfbd4c8bc1cb4a32c64dbd23ea29ba183f79a89a1a524de633ee9d6b5fce32a0f411d18c6f4491e2c033471dda804bcb2a9c181b

Download Submit
memory/1124-14-0x00000000004A0000-0x00000000004CE000-memory.dmp

Filesize
184KB

Download
memory/1124-16-0x00000000004A0000-0x00000000004CE000-memory.dmp

Filesize
184KB

Download
memory/1124-15-0x00000000004A0000-0x00000000004CE000-memory.dmp

Filesize
184KB

Download
memory/1124-11-0x00000000004A0000-0x00000000004CE000-memory.dmp

Filesize
184KB

Download
memory/1124-12-0x00000000004A0000-0x00000000004CE000-memory.dmp

Filesize
184KB

Download
memory/1180-18-0x00000000019C0000-0x00000000019EE000-memory.dmp

Filesize
184KB

Download
memory/1180-20-0x00000000019C0000-0x00000000019EE000-memory.dmp

Filesize
184KB

Download
memory/1180-19-0x00000000019C0000-0x00000000019EE000-memory.dmp

Filesize
184KB

Download
memory/1180-21-0x00000000019C0000-0x00000000019EE000-memory.dmp

Filesize
184KB

Download
memory/1264-26-0x0000000002590000-0x00000000025BE000-memory.dmp

Filesize
184KB

Download
memory/1264-28-0x0000000002590000-0x00000000025BE000-memory.dmp

Filesize
184KB

Download
memory/1264-24-0x0000000002590000-0x00000000025BE000-memory.dmp

Filesize
184KB

Download
memory/1264-30-0x0000000002590000-0x00000000025BE000-memory.dmp

Filesize
184KB

Download
memory/2004-36-0x0000000000380000-0x00000000003AE000-memory.dmp

Filesize
184KB

Download
memory/2004-33-0x0000000000380000-0x00000000003AE000-memory.dmp

Filesize
184KB

Download
memory/2004-34-0x0000000000380000-0x00000000003AE000-memory.dmp

Filesize
184KB

Download
memory/2004-35-0x0000000000380000-0x00000000003AE000-memory.dmp

Filesize
184KB

Download
memory/2100-46-0x0000000000090000-0x00000000000BE000-memory.dmp

Filesize
184KB

Download
memory/2100-48-0x00000000000C0000-0x0000000000194000-memory.dmp

Filesize
848KB

Download
memory/2100-2-0x00000000000C0000-0x0000000000194000-memory.dmp

Filesize
848KB

Download
memory/2100-1-0x00000000000C0000-0x0000000000194000-memory.dmp

Filesize
848KB

Download
memory/2100-0-0x0000000002110000-0x0000000002660000-memory.dmp

Filesize
5.3MB

Download
memory/2100-38-0x0000000000090000-0x00000000000BE000-memory.dmp

Filesize
184KB

Download
memory/2100-40-0x0000000000090000-0x00000000000BE000-memory.dmp

Filesize
184KB

Download
memory/2100-42-0x0000000000090000-0x00000000000BE000-memory.dmp

Filesize
184KB

Download
memory/2100-44-0x0000000000090000-0x00000000000BE000-memory.dmp

Filesize
184KB

Download
memory/2496-63-0x0000000000410000-0x000000000043E000-memory.dmp

Filesize
184KB

Download
memory/2496-64-0x0000000000410000-0x000000000043E000-memory.dmp

Filesize
184KB

Download
memory/2496-61-0x0000000000410000-0x000000000043E000-memory.dmp

Filesize
184KB

Download
memory/2496-62-0x0000000000410000-0x000000000043E000-memory.dmp

Filesize
184KB

Download
memory/2904-68-0x0000000000C10000-0x0000000000CE4000-memory.dmp

Filesize
848KB

Download
memory/2904-70-0x0000000000C10000-0x0000000000CE4000-memory.dmp

Filesize
848KB

Download
memory/2904-65-0x0000000000C10000-0x0000000000CE4000-memory.dmp

Filesize
848KB

Download
memory/2904-66-0x0000000000C10000-0x0000000000CE4000-memory.dmp

Filesize
848KB

Download
memory/2904-67-0x0000000000C10000-0x0000000000CE4000-memory.dmp

Filesize
848KB

Download
memory/2904-10-0x0000000000970000-0x0000000000C10000-memory.dmp

Filesize
2.6MB

Download
memory/2904-69-0x0000000000C10000-0x0000000000CE4000-memory.dmp

Filesize
848KB

Download
memory/2904-13-0x0000000000C10000-0x0000000000CE4000-memory.dmp

Filesize
848KB

Download
memory/2904-71-0x0000000000C10000-0x0000000000CE4000-memory.dmp

Filesize
848KB

Download
memory/2904-72-0x0000000000C10000-0x0000000000CE4000-memory.dmp

Filesize
848KB

Download
memory/2904-73-0x0000000000C10000-0x0000000000CE4000-memory.dmp

Filesize
848KB

Download
memory/2904-74-0x0000000000C10000-0x0000000000CE4000-memory.dmp

Filesize
848KB

Download
memory/2904-75-0x0000000000C10000-0x0000000000CE4000-memory.dmp

Filesize
848KB

Download
memory/2904-76-0x0000000000C10000-0x0000000000CE4000-memory.dmp

Filesize
848KB

Download
memory/2904-77-0x0000000000C10000-0x0000000000CE4000-memory.dmp

Filesize
848KB

Download
memory/2904-78-0x0000000000C10000-0x0000000000CE4000-memory.dmp

Filesize
848KB

Download