Analysis

  • max time kernel
    120s
  • max time network
    106s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27/07/2024, 04:12

General

  • Target

    8edc229276235f28da6a7c4badbef360N.exe

  • Size

    11KB

  • MD5

    8edc229276235f28da6a7c4badbef360

  • SHA1

    d31e42f6895b6b18229374f5616586fb36b24862

  • SHA256

    b023d1cfb273b515a30b82298c5fcaa7b5a6f6e7d8d85b9ba4e5204944b06f64

  • SHA512

    ad61a6ed08e8be07c4fb9a329cc978412604e93d3cde7a9e4287878d47468963e574c4938084111facba6b7b581790b9d23ce19b65a0e2daeaae14264cc3e04a

  • SSDEEP

    192:y5085ewGKJM3+CKPJXV1CGgNMIGIV/4zM/i/rH2Y0u2tbOVhHNMAPabg:y5fHBl1mxGIVg+KHf8aVhtMA4g

Malware Config

Signatures

  • Event Triggered Execution: AppInit DLLs 1 TTPs

    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 3 IoCs
  • Event Triggered Execution: Accessibility Features 1 TTPs

    Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8edc229276235f28da6a7c4badbef360N.exe
    "C:\Users\Admin\AppData\Local\Temp\8edc229276235f28da6a7c4badbef360N.exe"
    1⤵
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2896
    • C:\Windows\SysWOW64\jolinosk.exe
      C:\Windows\system32\jolinosk.exe ˜‰
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1228
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\8edc229276235f28da6a7c4badbef360N.exe.bat
      2⤵
      • System Location Discovery: System Language Discovery
      PID:3744

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\8edc229276235f28da6a7c4badbef360N.exe.bat

    Filesize

    184B

    MD5

    6a345be9d1966844cb2042d0a47232a0

    SHA1

    ad78b71ec1d8b68beb3143285deae44f874b24d7

    SHA256

    9e5e9ab9ab69bcf3e2bb43d96ce520550815133e6463e87fea288effcc2232e1

    SHA512

    2feeded17883523b517fdd073b4af97c2fcc974a4b4358787f6f5b37bea26363271b5419eb0a15640e453d13e20c18b64b57949d3cddf2cc7bdc2e0c51c92882

  • C:\Windows\SysWOW64\jolinosk.exe

    Filesize

    11KB

    MD5

    8edc229276235f28da6a7c4badbef360

    SHA1

    d31e42f6895b6b18229374f5616586fb36b24862

    SHA256

    b023d1cfb273b515a30b82298c5fcaa7b5a6f6e7d8d85b9ba4e5204944b06f64

    SHA512

    ad61a6ed08e8be07c4fb9a329cc978412604e93d3cde7a9e4287878d47468963e574c4938084111facba6b7b581790b9d23ce19b65a0e2daeaae14264cc3e04a

  • memory/1228-7-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

  • memory/1228-9-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

  • memory/1228-21-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

  • memory/2896-0-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB

  • memory/2896-6-0x0000000000400000-0x000000000040E000-memory.dmp

    Filesize

    56KB