Analysis
- max time kernel: 143s
- max time network: 152s
- resource: win10v191014
Task: task1
Sample: jphxaul.exe
Resource: win7v191014
Signatures: 0
General
- Target: jphxaul.exe
- Sample: 191111-jzlt6rkwlj
- SHA256: e736cf964b998e582fd2c191a0c9865814b632a315435f80798dd2a239a5e5f5
Score: N/A
Malware Config
Signatures
Suspicious use of WriteProcessMemory 20 IoCs
description | pid | Process | procid_target
PID 4872 wrote to memory of 4984 | 4872 | jphxaul.exe | 73
PID 5076 wrote to memory of 5108 | 5076 | SppExtComObj.exe | 75
PID 4872 wrote to memory of 1780 | 4872 | jphxaul.exe | 76
PID 4872 wrote to memory of 1684 | 4872 | jphxaul.exe | 77
PID 1780 wrote to memory of 1440 | 1780 | ijsethyt.exe | 79
PID 1780 wrote to memory of 4276 | 1780 | ijsethyt.exe | 80
PID 1780 wrote to memory of 3976 | 1780 | ijsethyt.exe | 82
PID 2876 wrote to memory of 3468 | 2876 | jphxaul.exe | 92
PID 2876 wrote to memory of 3700 | 2876 | jphxaul.exe | 94
PID 2876 wrote to memory of 4824 | 2876 | jphxaul.exe | 96
PID 2876 wrote to memory of 596 | 2876 | jphxaul.exe | 98
PID 2876 wrote to memory of 880 | 2876 | jphxaul.exe | 100
PID 2876 wrote to memory of 392 | 2876 | jphxaul.exe | 102
PID 2876 wrote to memory of 1160 | 2876 | jphxaul.exe | 104
PID 2876 wrote to memory of 1376 | 2876 | jphxaul.exe | 106
PID 2876 wrote to memory of 1540 | 2876 | jphxaul.exe | 108
PID 2876 wrote to memory of 1620 | 2876 | jphxaul.exe | 110
PID 1620 wrote to memory of 1876 | 1620 | ijsethyt.exe | 111
PID 2876 wrote to memory of 980 | 2876 | jphxaul.exe | 112
PID 2876 wrote to memory of 2104 | 2876 | jphxaul.exe | 113
Executes dropped EXE 4 IoCs
pid | Process
1780 | ijsethyt.exe
1440 | ijsethyt.exe
1620 | ijsethyt.exe
1876 | ijsethyt.exe
Suspicious behavior: MapViewOfSection 1 IoCs
pid | Process
1780 | ijsethyt.exe
Qakbot persistence 1 IoCs
description | ioc | pid | Process
Event created | 2ijsethyt3976 | 3976 | explorer.exe
Windows security bypass 1 IoCs
description | ioc | pid | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr = "0" | 1540 | reg.exe
Uses Task Scheduler COM API 1 TTPs 14 IoCs
description | ioc | pid | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD} | 2104 | schtasks.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd} | 2104 | schtasks.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs | 2104 | schtasks.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\ | 2104 | schtasks.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32 | 2104 | schtasks.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32\InprocServer32 | 2104 | schtasks.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32\ | 2104 | schtasks.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32\ThreadingModel | 2104 | schtasks.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32 | 2104 | schtasks.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler | 2104 | schtasks.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32 | 2104 | schtasks.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\AppID | 2104 | schtasks.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer | 2104 | schtasks.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation | 2104 | schtasks.exe
Drops file in system dir 5 IoCs
description | ioc | pid | Process
File opened for modification | C:\Windows\Debug\ESE.TXT | 3848 | svchost.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp | 3848 | svchost.exe
File created | C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp | 3848 | svchost.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp | 3848 | svchost.exe
File created | C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-2.tmp | 3848 | svchost.exe
Adds Run entry to start application 2 TTPs 1 IoCs
description | ioc | pid | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-634046074-2673730973-2644684987-1000\Software\Microsoft\Windows\CurrentVersion\Run\jsnjow = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Onjpsefhpr\\ijsethyt.exe\"" | 3976 | explorer.exe
Checks SCSI registry key(s) (likely anti-VM) 3 TTPs 18 IoCs
description | ioc | pid | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&135B206D&0&010000 | 4984 | jphxaul.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\DeviceDesc | 4984 | jphxaul.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Service | 4984 | jphxaul.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000 | 4984 | jphxaul.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\DeviceDesc | 4984 | jphxaul.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Service | 4984 | jphxaul.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&135B206D&0&010000 | 1440 | ijsethyt.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\DeviceDesc | 1440 | ijsethyt.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Service | 1440 | ijsethyt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000 | 1440 | ijsethyt.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\DeviceDesc | 1440 | ijsethyt.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Service | 1440 | ijsethyt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&135B206D&0&010000 | 1876 | ijsethyt.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\DeviceDesc | 1876 | ijsethyt.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&135b206d&0&010000\Service | 1876 | ijsethyt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&135B206D&0&000000 | 1876 | ijsethyt.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\DeviceDesc | 1876 | ijsethyt.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&135b206d&0&000000\Service | 1876 | ijsethyt.exe
Runs ping.exe 1 IoCs
pid | Process
2444 | PING.EXE
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid | Process
4872 | jphxaul.exe
4984 | jphxaul.exe
1780 | ijsethyt.exe
1440 | ijsethyt.exe
3976 | explorer.exe
2876 | jphxaul.exe
1620 | ijsethyt.exe
1876 | ijsethyt.exe
Checks system information in the registry (likely anti-VM) 2 TTPs 2 IoCs
description | ioc | pid | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer | 4624 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName | 4624 | svchost.exe
Windows security modification 8 IoCs
description | ioc | pid | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "0" | 4500 | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\cval = "1" | 4500 | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SpyNetReporting = "0" | 3468 | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet\SubmitSamplesConsent = "2" | 3700 | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0" | 880 | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "2" | 392 | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0" | 1160 | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "2" | 1376 | reg.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\jphxaul.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\jphxaul.exe"
  PID: 4872
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: EnumeratesProcesses
- C:\Users\Admin\AppData\Local\Temp\jphxaul.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\jphxaul.exe /C
  PID: 4984
  - Checks SCSI registry key(s) (likely anti-VM)
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\SppExtComObj.exe
  Command line: C:\Windows\system32\SppExtComObj.exe -Embedding
  PID: 5076
  - Suspicious use of WriteProcessMemory
- C:\Windows\System32\SLUI.exe
  Command line: "C:\Windows\System32\SLUI.exe" RuleId=eeba1977-569e-4571-b639-7623d8bfecc0;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=2de67392-b7a7-462a-b1ca-108dd189f588;NotificationInterval=1440;Trigger=TimerEvent
  PID: 5108
- C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe
  Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe
  PID: 1780
  - Suspicious use of WriteProcessMemory
  - Executes dropped EXE
  - Suspicious behavior: MapViewOfSection
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\SysWOW64\schtasks.exe
  Command line: "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /tn udgnhbkwcb /tr "\"C:\Users\Admin\AppData\Local\Temp\jphxaul.exe\" /I udgnhbkwcb" /SC ONCE /Z /ST 12:04 /ET 12:16
  PID: 1684
- C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe
  Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe /C
  PID: 1440
  - Executes dropped EXE
  - Checks SCSI registry key(s) (likely anti-VM)
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\SysWOW64\explorer.exe
  Command line: C:\Windows\SysWOW64\explorer.exe
  PID: 4276
- C:\Windows\SysWOW64\explorer.exe
  Command line: C:\Windows\SysWOW64\explorer.exe
  PID: 3976
  - Qakbot persistence
  - Adds Run entry to start application
  - Suspicious behavior: EnumeratesProcesses
- \??\c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k netsvcs -s BITS
  PID: 3848
  - Drops file in system dir
- \??\c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
  PID: 4560
- \??\c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k netsvcs -s DoSvc
  PID: 4624
  - Checks system information in the registry (likely anti-VM)
- \??\c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k unistacksvcgroup
  PID: 3784
- \??\c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s wscsvc
  PID: 4500
  - Windows security modification
- C:\Users\Admin\AppData\Local\Temp\jphxaul.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\jphxaul.exe /I udgnhbkwcb
  PID: 2876
  - Suspicious use of WriteProcessMemory
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\reg.exe
  Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
  PID: 3468
  - Windows security modification
- C:\Windows\system32\reg.exe
  Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
  PID: 3700
  - Windows security modification
- C:\Windows\system32\reg.exe
  Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
  PID: 4824
- C:\Windows\system32\reg.exe
  Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft AntiMalware\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
  PID: 596
- C:\Windows\system32\reg.exe
  Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
  PID: 880
  - Windows security modification
- C:\Windows\system32\reg.exe
  Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
  PID: 392
  - Windows security modification
- C:\Windows\system32\reg.exe
  Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SpyNetReporting" /d "0"
  PID: 1160
  - Windows security modification
- C:\Windows\system32\reg.exe
  Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet" /f /t REG_DWORD /v "SubmitSamplesConsent" /d "2"
  PID: 1376
  - Windows security modification
- C:\Windows\system32\reg.exe
  Command line: C:\Windows\system32\reg.exe ADD "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" /f /t REG_DWORD /v "C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr" /d "0"
  PID: 1540
  - Windows security bypass
- C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe
  Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe
  PID: 1620
  - Suspicious use of WriteProcessMemory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
- C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe
  Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Onjpsefhpr\ijsethyt.exe /C
  PID: 1876
  - Executes dropped EXE
  - Checks SCSI registry key(s) (likely anti-VM)
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /c ping.exe -n 6 127.0.0.1 & type "C:\Windows\System32\calc.exe" > "C:\Users\Admin\AppData\Local\Temp\jphxaul.exe"
  PID: 980
- C:\Windows\system32\schtasks.exe
  Command line: "C:\Windows\system32\schtasks.exe" /DELETE /F /TN udgnhbkwcb
  PID: 2104
  - Uses Task Scheduler COM API
- C:\Windows\system32\PING.EXE
  Command line: ping.exe -n 6 127.0.0.1
  PID: 2444
  - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
MITRE ATT&CK Additional techniques
- T1089
- T1060