28a43856870e803e588fbac19f80505c743a587122d7f97a202ed4644819d99b

Analysis

max time kernel
151s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
18/09/2022, 22:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

28a43856870e803e588fbac19f80505c743a587122d7f97a202ed4644819d99b.exe
Size

82KB
MD5

e8f38be87a034c7df4c6e1ed807d44b4
SHA1

cd12ca78e3ac8aa76016accf61ac88f4323c3d55
SHA256

28a43856870e803e588fbac19f80505c743a587122d7f97a202ed4644819d99b
SHA512

085677c0bcd750fad1d0975371302036772d0a1c5f37a52ffb96811dcb576e0dae5934251df46a918754f7f0fa0ee9ed43c4913d0639c98983577fe330d78e04
SSDEEP

1536:0uSmyOP37TBjIGvDwONdVYsCW/ShuBq4Zy/mM89JynIeLPe9f9V8jrwdYFo:NSmNDtR1NrXCo5Bq4ZUwvyn7LPepvorg

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3008	jp1.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/364-132-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/364-139-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	28a43856870e803e588fbac19f80505c743a587122d7f97a202ed4644819d99b.exe

Loads dropped DLL 2 IoCs

pid	Process
3008	jp1.exe
3008	jp1.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\explorer.exe	jp1.exe
File created	C:\Windows\SysWOW64\adll.dll	jp1.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\real	28a43856870e803e588fbac19f80505c743a587122d7f97a202ed4644819d99b.exe
File created	C:\Program Files\real\02.jpg	28a43856870e803e588fbac19f80505c743a587122d7f97a202ed4644819d99b.exe
File opened for modification	C:\Program Files\real\02.jpg	28a43856870e803e588fbac19f80505c743a587122d7f97a202ed4644819d99b.exe
File created	C:\Program Files\real\jp1.exe	28a43856870e803e588fbac19f80505c743a587122d7f97a202ed4644819d99b.exe
File opened for modification	C:\Program Files\real\jp1.exe	28a43856870e803e588fbac19f80505c743a587122d7f97a202ed4644819d99b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3008	jp1.exe
3008	jp1.exe
3008	jp1.exe
3008	jp1.exe
3008	jp1.exe
3008	jp1.exe
3008	jp1.exe
3008	jp1.exe
3008	jp1.exe
3008	jp1.exe
3008	jp1.exe
3008	jp1.exe
3008	jp1.exe
3008	jp1.exe
3008	jp1.exe
3008	jp1.exe
3008	jp1.exe
3008	jp1.exe
3008	jp1.exe
3008	jp1.exe
3008	jp1.exe
3008	jp1.exe
3008	jp1.exe
3008	jp1.exe
3008	jp1.exe
3008	jp1.exe
3008	jp1.exe
3008	jp1.exe
3008	jp1.exe
3008	jp1.exe
3008	jp1.exe
3008	jp1.exe
3008	jp1.exe
3008	jp1.exe
3008	jp1.exe
3008	jp1.exe
3008	jp1.exe
3008	jp1.exe
3008	jp1.exe
3008	jp1.exe
3008	jp1.exe
3008	jp1.exe
3008	jp1.exe
3008	jp1.exe
3008	jp1.exe
3008	jp1.exe
3008	jp1.exe
3008	jp1.exe
3008	jp1.exe
3008	jp1.exe
3008	jp1.exe
3008	jp1.exe
3008	jp1.exe
3008	jp1.exe
3008	jp1.exe
3008	jp1.exe
3008	jp1.exe
3008	jp1.exe
3008	jp1.exe
3008	jp1.exe
3008	jp1.exe
3008	jp1.exe
3008	jp1.exe
3008	jp1.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3008	jp1.exe
3008	jp1.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 364 wrote to memory of 3008	364	28a43856870e803e588fbac19f80505c743a587122d7f97a202ed4644819d99b.exe	84
PID 364 wrote to memory of 3008	364	28a43856870e803e588fbac19f80505c743a587122d7f97a202ed4644819d99b.exe	84
PID 364 wrote to memory of 3008	364	28a43856870e803e588fbac19f80505c743a587122d7f97a202ed4644819d99b.exe	84

C:\Users\Admin\AppData\Local\Temp\28a43856870e803e588fbac19f80505c743a587122d7f97a202ed4644819d99b.exe
"C:\Users\Admin\AppData\Local\Temp\28a43856870e803e588fbac19f80505c743a587122d7f97a202ed4644819d99b.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:364
- C:\Program Files\real\jp1.exe
  "C:\Program Files\real\jp1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3008

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\real\jp1.exe

Filesize
24KB

MD5
ba355a7fb0739556728bcf16d302627d

SHA1
20413bcdbeaf13691eb7eed344c19f5ce68a3a80

SHA256
6b6a83e167c1290e13243897b9abfc448d7859fbd9a75542ba3c1b3436092d3b

SHA512
74fef3541441ee8a1434616afe495cc895c79d8ee7fbf90782932fe6997d2ae852c31dfdec2217fe5ce85ff81bb0faba619d41f37b06ba1ff22093f0475c2905

Download Submit
C:\Program Files\real\jp1.exe

Filesize
24KB

MD5
ba355a7fb0739556728bcf16d302627d

SHA1
20413bcdbeaf13691eb7eed344c19f5ce68a3a80

SHA256
6b6a83e167c1290e13243897b9abfc448d7859fbd9a75542ba3c1b3436092d3b

SHA512
74fef3541441ee8a1434616afe495cc895c79d8ee7fbf90782932fe6997d2ae852c31dfdec2217fe5ce85ff81bb0faba619d41f37b06ba1ff22093f0475c2905

Download Submit
C:\Windows\SysWOW64\adll.dll

Filesize
36KB

MD5
8d07a49f97ec2b4da3b1eb600f252a96

SHA1
7c4f81a754729ec3e5aad7b33dba207f5bbdb6ca

SHA256
434c2b7cc73b59141d80f76bf4663bc407cca8f662e5eb61cee9255f519f30e1

SHA512
e50552e9bed099782c5a6171216bfbf95422b1c80408a8fe07756af5f18fa50b7a2d491631172b5b194043d9575e123f26b00c1809dfe1d4c0506f49e323dfa8

Download Submit
C:\Windows\SysWOW64\adll.dll

Filesize
36KB

MD5
8d07a49f97ec2b4da3b1eb600f252a96

SHA1
7c4f81a754729ec3e5aad7b33dba207f5bbdb6ca

SHA256
434c2b7cc73b59141d80f76bf4663bc407cca8f662e5eb61cee9255f519f30e1

SHA512
e50552e9bed099782c5a6171216bfbf95422b1c80408a8fe07756af5f18fa50b7a2d491631172b5b194043d9575e123f26b00c1809dfe1d4c0506f49e323dfa8

Download Submit
memory/364-132-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/364-139-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3008-138-0x0000000000590000-0x000000000059F000-memory.dmp

Filesize
60KB

Download