Analysis
max time kernel: 141s
max time network: 120s
platform: windows10_x64
resource: win10v20210410
submitted: 05-05-2021 02:22
Static task: static1
Behavioral task: behavioral1
  Sample: de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
  Resource: win10v20210410
General
Target: de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
Size: 231KB
MD5: 6b699598d9b88107f16ea4977a39dd2c
SHA1: 28ae2c9fe6ae8ca1e891d32094e159684363cef1
SHA256: de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248
SHA512: 668ca675242b843f7781df225c4156b2b7722b7f7a5afe9233e45ff587546ac5d35f282f43fc518228ae7591290f4bb0da5aada839bcfe1ee255f98c694d0050
Malware Config
Signatures
Modifies system executable filetype association (2 TTPs, 3 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Program Files\\NJNAA.EXE \"%1\" %*" | de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | AJVW.EXE
Processes:
  resource | yara_rule
  C:\odt\AJVW.EXE | aspack_v212_v242
  C:\odt\AJVW.EXE | aspack_v212_v242
Executes dropped EXE (1 IoCs)
Processes:
  pid | process
  4724 | AJVW.EXE
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DDMQCWM.EXE = "C:\\Program Files (x86)\\WSUQPL.EXE" | de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
Enumerates connected drives (3 TTPs, 18 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
  description | ioc | process
  File opened (read-only) | \??\P: | de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
  File opened (read-only) | \??\R: | de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
  File opened (read-only) | \??\E: | de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
  File opened (read-only) | \??\I: | de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
  File opened (read-only) | \??\O: | de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
  File opened (read-only) | \??\S: | de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
  File opened (read-only) | \??\T: | de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
  File opened (read-only) | \??\F: | de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
  File opened (read-only) | \??\N: | de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
  File opened (read-only) | \??\Q: | de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
  File opened (read-only) | \??\H: | de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
  File opened (read-only) | \??\J: | de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
  File opened (read-only) | \??\U: | de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
  File opened (read-only) | \??\M: | de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
  File opened (read-only) | \??\V: | de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
  File opened (read-only) | \??\G: | de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
  File opened (read-only) | \??\K: | de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
  File opened (read-only) | \??\L: | de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
Drops file in Program Files directory (3 IoCs)
Processes:
  description | ioc | process
  File created | C:\Program Files (x86)\WSUQPL.EXE | de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
  File created | C:\Program Files\ECEWR.EXE | de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
  File created | C:\Program Files\NJNAA.EXE | de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
Modifies registry class (15 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Program Files\\NJNAA.EXE \"%1\" %*" | de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command | de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open\command | de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open | de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command | de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command | de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell | de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\Boot\\PGR.EXE \"%1\"" | de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | AJVW.EXE
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Users\\PFGWJXT.EXE %1" | de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\chm.file | de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command | de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "C:\\$Recycle.Bin\\XON.EXE \"%1\"" | de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\PerfLogs\\KQEB.EXE %1" | de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes:
  pid | process
  4724 | AJVW.EXE
Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description | pid | process | target process
  PID 4436 wrote to memory of 4724 | 4436 | de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe | AJVW.EXE
  PID 4436 wrote to memory of 4724 | 4436 | de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe | AJVW.EXE
  PID 4436 wrote to memory of 4724 | 4436 | de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe | AJVW.EXE
Processes
1. C:\Users\Admin\AppData\Local\Temp\de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\de048753f687a726312de3ad7f8f0e05966fdd5207942d4a4a82488ff2936248.exe"
   - Modifies system executable filetype association
   - Adds Run key to start application
   - Enumerates connected drives
   - Drops file in Program Files directory
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   2. C:\odt\AJVW.EXE (child of process 1)
      Command line: C:\odt\AJVW.EXE
      - Modifies system executable filetype association
      - Executes dropped EXE
      - Modifies registry class
      - Suspicious behavior: GetForegroundWindowSpam
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\odt\AJVW.EXE
  MD5: 9d27d73e77ca97561af50f540cea4842
  SHA1: d5254a255ac6778a5f1c9864c0f18fc142b5ddb0
  SHA256: cf4e201ae5df23f18e44374d166e0e2ce8167caa3cd981d40d317d918f34f082
  SHA512: ad2c15b553b2f1c62dcaf0b2f91c39eb5245bd7a18320d028002046e29d3b761ea0c8454abe8e5a54d41675263c356d5ca9ab90ce465b65018f3e2ce346c4167
memory/4436-117-0x00000000004D0000-0x000000000057E000-memory.dmp
  Filesize: 696KB
memory/4724-114-0x0000000000000000-mapping.dmp
memory/4724-118-0x0000000002240000-0x0000000002241000-memory.dmp
  Filesize: 4KB