00f0a5476c87e74f53a8079ad610b06bf944aa3ec1b01fa4e3c151ac3bca6699

General

Target

e0d2d5a1643a9dfc6292819c60d8760d.exe
Size

878KB
MD5

e0d2d5a1643a9dfc6292819c60d8760d
SHA1

7c2e5e1c0f451b9b565571bdfb14a3b9f065d4c5
SHA256

00f0a5476c87e74f53a8079ad610b06bf944aa3ec1b01fa4e3c151ac3bca6699
SHA512

ac19c11ff81f45d36a3068cb0a9c4728382bd1545483f57d83bb8868182f1e52e5d8b859b7d503262a44e94a9df23204e05481f173e85f0742abf6eb781c8d30
SSDEEP

12288:hau9MG94UXi1em6M71qHfgudE0SXejQSZMRkKVt51X5O+uU+8n/aJhksmxhOTown:hawM8YJzKO0aRN6I+Ya7ksM6oxWB

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 4 IoCs

pid	Process
2332	svchost.exe
2940	e0d2d5a1643a9dfc6292819c60d8760d.exe
2568	samurai.exe
2688	svchost.exe

Loads dropped DLL 8 IoCs

pid	Process
2332	svchost.exe
2332	svchost.exe
2940	e0d2d5a1643a9dfc6292819c60d8760d.exe
2940	e0d2d5a1643a9dfc6292819c60d8760d.exe
2940	e0d2d5a1643a9dfc6292819c60d8760d.exe
2940	e0d2d5a1643a9dfc6292819c60d8760d.exe
2940	e0d2d5a1643a9dfc6292819c60d8760d.exe
2568	samurai.exe

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	svchost.exe
File opened for modification	C:\Program Files\DismountAssert.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	svchost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\svchost.exe	e0d2d5a1643a9dfc6292819c60d8760d.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2940	e0d2d5a1643a9dfc6292819c60d8760d.exe
2940	e0d2d5a1643a9dfc6292819c60d8760d.exe
2940	e0d2d5a1643a9dfc6292819c60d8760d.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2324 wrote to memory of 2332	2324	e0d2d5a1643a9dfc6292819c60d8760d.exe	28
PID 2324 wrote to memory of 2332	2324	e0d2d5a1643a9dfc6292819c60d8760d.exe	28
PID 2324 wrote to memory of 2332	2324	e0d2d5a1643a9dfc6292819c60d8760d.exe	28
PID 2324 wrote to memory of 2332	2324	e0d2d5a1643a9dfc6292819c60d8760d.exe	28
PID 2332 wrote to memory of 2940	2332	svchost.exe	29
PID 2332 wrote to memory of 2940	2332	svchost.exe	29
PID 2332 wrote to memory of 2940	2332	svchost.exe	29
PID 2332 wrote to memory of 2940	2332	svchost.exe	29
PID 2940 wrote to memory of 2568	2940	e0d2d5a1643a9dfc6292819c60d8760d.exe	30
PID 2940 wrote to memory of 2568	2940	e0d2d5a1643a9dfc6292819c60d8760d.exe	30
PID 2940 wrote to memory of 2568	2940	e0d2d5a1643a9dfc6292819c60d8760d.exe	30
PID 2940 wrote to memory of 2568	2940	e0d2d5a1643a9dfc6292819c60d8760d.exe	30

C:\Users\Admin\AppData\Local\Temp\e0d2d5a1643a9dfc6292819c60d8760d.exe
"C:\Users\Admin\AppData\Local\Temp\e0d2d5a1643a9dfc6292819c60d8760d.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2324
- C:\Windows\svchost.exe
  "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\e0d2d5a1643a9dfc6292819c60d8760d.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Users\Admin\AppData\Local\Temp\e0d2d5a1643a9dfc6292819c60d8760d.exe
    "C:\Users\Admin\AppData\Local\Temp\e0d2d5a1643a9dfc6292819c60d8760d.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2940
  - - C:\Users\Admin\AppData\Local\Temp\Jgl_Rt\samurai.exe
      "C:\Users\Admin\AppData\Local\Temp\Jgl_Rt\samurai.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2568

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2688

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Jgl_Rt\samurai.exe

Filesize
640KB

MD5
cfcfb355a1857b9d34ac0978b2294f56

SHA1
ecd6674943fbbfac2ef4806734398ab11e55b3b4

SHA256
63f1cfbef2235dce63c2600211a0fbae1026eb649e38696b3525eef0a07eef69

SHA512
277ec5e95e97f2426a8bea02f1541fee3f54d8f2396d4fce31965af28e47ce8e20e10b0136be012096b991c7c2b6714dee30625aea961f9a3b43db7013513acf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jgl_Rt\samurai.exe

Filesize
634KB

MD5
8a7664d566fef0afc18fc67e4cfed91a

SHA1
7e5f49e3c729a2f200a0d50da2af3cfacdfa4bba

SHA256
ce673a5f3359e5f557576fd47562ae1510b682ed480b3670aa25bf94a350a50d

SHA512
426392c1643641e8c08c290f720db8acba64c8a3244a5d1c9a8058f512e6ab677ee72ee084c339c4994c2f608fa00c4c3cdaaec41c636fe01d98aa2b4a75d2fc

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
345861f739ef259c33abc7ef49b81694

SHA1
3b6aff327d91e66a207c0557eac6ddefab104598

SHA256
fc3220611aded768e37b125c4e4d5a8ffdbf7dfa8d8c19c07c7791b486457948

SHA512
7b0aae948a594f29125a3e80f6c2b51421cda07f5ee4554538037f12b87d4b3937ee74fb400505efcd2a953c897a49d79d875148516dcef619c514251854dfad

Download Submit
\Users\Admin\AppData\Local\Temp\Jgl_Rt\jesterrun0.dll

Filesize
22KB

MD5
3c090bac965ee3543728d16b87a4d29f

SHA1
859fbb59a7d8468100d20fd120a100d555651438

SHA256
e54391a41a9a2807f1f5117a5e2947e9bc2875ae91fa2ac8868d26a3208d7d39

SHA512
de351362ee253d63a4eea0f66cb5172bd219c51774e58186add730e6f752b94a7ae0ef4bafc22aa260532410a75bc9c01d7355c3d707168683f3e925d68a2dd8

Download Submit
\Users\Admin\AppData\Local\Temp\Jgl_Rt\samurai.exe

Filesize
951KB

MD5
708f978b10ad557769849f7a234928af

SHA1
91c042b39745cf969fa1d7ced9710bc788a65b6c

SHA256
212fc2b874215a772ec5139e39ffb26001b2675cfc279279643f1e1649d84a05

SHA512
6918359792958e8db7c2b05f6b0bcc5ff1528ebf4f02df75172a202c964c8ef608baea8a0c5156c4da63202bd0efd6629445e6d43e7d688ed3f7f89083f2ab3f

Download Submit
\Users\Admin\AppData\Local\Temp\e0d2d5a1643a9dfc6292819c60d8760d.exe

Filesize
842KB

MD5
0a742b640a54f6a6359e556119f48ade

SHA1
45324e147c2bce5c13f9558fd6d2ea56ded80262

SHA256
57186712bf96527a9824fcd2d29884e557cd039cfe6991b3574a9fa70fff0a5b

SHA512
77b17f0c0d34761e11ca80e6c8b0ddb6b09741d960764c9c811b42e8ed861dcad16f4a978a2de8fccf6a0fa5222548af4c393ede90e6ccc5b92768b62b655ee2

Download Submit
memory/2324-5-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/2332-38-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2568-46-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download
memory/2688-47-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2688-95-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2940-44-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2940-45-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing