Analysis
- max time kernel: 123s
- max time network: 110s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 05-11-2020 07:16

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe
  Resource: win7v20201028
- Behavioral task: behavioral2
  Sample: ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe
  Resource: win10v20201028
General
- Target: ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe
- Size: 2.2MB
- MD5: aa94f1a2abab96f5bd41a84a37e2784b
- SHA1: a8df73a1c902839b456e3d9ada25b53ab95436df
- SHA256: ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d
- SHA512: 0287f6ed3cc3bb66789b8929ba45bf6e8ed70c31b8096d36bcdb93ab3d3c0a06aa41987d749eb1db55126b234a3ed468074f9e5ed7bac98f87829f8c4eed13d4
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
  3848 DjvuApp.exe
  2932 DjvuApp.exe
- Loads dropped DLL (1 IoC)
  Processes (pid, process):
  580 ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description, ioc, process):
  Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\DjvuApp = "\"C:\\Users\\Admin\\AppData\\Roaming\\DjvuApp\\DjvuApp.exe\"" | DjvuApp.exe
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes (pid, process):
  580 ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe (8 occurrences)
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
  PID 580 wrote to memory of 3848 | 580 | ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe | DjvuApp.exe (3 occurrences)
  PID 580 wrote to memory of 2932 | 580 | ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe | DjvuApp.exe (3 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe"
  PID: 580
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Roaming\DjvuApp\DjvuApp.exe
    Command line: "C:\Users\Admin\AppData\Roaming\DjvuApp\DjvuApp.exe" "first_run" "C:\Users\Admin\AppData\Local\Temp\ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe"
    PID: 3848
    - Executes dropped EXE
    - Adds Run key to start application
  - C:\Users\Admin\AppData\Roaming\DjvuApp\DjvuApp.exe
    Command line: "C:\Users\Admin\AppData\Roaming\DjvuApp\DjvuApp.exe" "write_patch_str_to_reg" "C:\Users\Admin\AppData\Local\Temp\ce978a075bac32865a6627f2bb855c329d2e798730b718dc9f309f2b432a8d7d.exe" "HKCU" "Software\DjvuApp" "intesq"
    PID: 2932
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Roaming\DjvuApp\DjvuApp.exe
  MD5: c23306cf36744a780fef171015d541d8
  SHA1: f70ef0d7124d369dd67a9846a0f8ae3751ab66cd
  SHA256: 1916cd0a0d64136e443bcd120fd2f003a9fde313c7925ff363f2625030e270bc
  SHA512: 4a61c15809e185ed0e1a39ee436e90b1ed715bcb0aca1e23d20eb5b9a282efcae216a6ef7ef554177a95a6ff7cb307bd1c64c2ccef098a9b0667bfbbecdad67e
- \Users\Admin\AppData\Local\Temp\nsk860F.tmp\nsProcess.dll
  MD5: f0438a894f3a7e01a4aae8d1b5dd0289
  SHA1: b058e3fcfb7b550041da16bf10d8837024c38bf6
  SHA256: 30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11
  SHA512: f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7
- memory/2932-4-0x0000000000000000-mapping.dmp
- memory/3848-1-0x0000000000000000-mapping.dmp