430ca1163ad0e90cfec5d2b808c343f703bcd021a7fe5f0cbcf48f9311d23b77

Analysis

max time kernel
125s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2022, 16:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

430ca1163ad0e90cfec5d2b808c343f703bcd021a7fe5f0cbcf48f9311d23b77.exe
Size

196KB
MD5

60eedb72aa85cd2e8c0bd9d06d589ca0
SHA1

761f1cb7e20088eab416335aa722256780a54c1d
SHA256

430ca1163ad0e90cfec5d2b808c343f703bcd021a7fe5f0cbcf48f9311d23b77
SHA512

e3bb7388cddebb36e388469f12c31625c2d4956c42ef19eebc0c767c58674cf154194bc2ba8f75fcf4706c3cff186726d4ea5d7f09fd13612bf3f4980e1ef420
SSDEEP

3072:ILNulDJ9xS7xHXfHOngAVJgdx0/wKdZI8FsEKIeb7JxTb1TsuZf/:IZulxSF3WngAVo+XI8p7eb7JxTpwuZH

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1796	jupccy.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell	jupccy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	jupccy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	jupccy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\\shell\\utoun\\command	jupccy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	jupccy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\utoun	jupccy.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\\{871C5380-42A0-1069-A2EA-08002B30309D}\\shell\\utoun	jupccy.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3760	PING.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1596 wrote to memory of 4656	1596	430ca1163ad0e90cfec5d2b808c343f703bcd021a7fe5f0cbcf48f9311d23b77.exe	82
PID 1596 wrote to memory of 4656	1596	430ca1163ad0e90cfec5d2b808c343f703bcd021a7fe5f0cbcf48f9311d23b77.exe	82
PID 1596 wrote to memory of 4656	1596	430ca1163ad0e90cfec5d2b808c343f703bcd021a7fe5f0cbcf48f9311d23b77.exe	82
PID 4656 wrote to memory of 1796	4656	cmd.exe	85
PID 4656 wrote to memory of 1796	4656	cmd.exe	85
PID 4656 wrote to memory of 1796	4656	cmd.exe	85
PID 4656 wrote to memory of 3760	4656	cmd.exe	86
PID 4656 wrote to memory of 3760	4656	cmd.exe	86
PID 4656 wrote to memory of 3760	4656	cmd.exe	86

C:\Users\Admin\AppData\Local\Temp\430ca1163ad0e90cfec5d2b808c343f703bcd021a7fe5f0cbcf48f9311d23b77.exe
"C:\Users\Admin\AppData\Local\Temp\430ca1163ad0e90cfec5d2b808c343f703bcd021a7fe5f0cbcf48f9311d23b77.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1596
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ltrkgyn.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4656
- - C:\Users\Admin\AppData\Local\Temp\jupccy.exe
    "C:\Users\Admin\AppData\Local\Temp\jupccy.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    PID:1796
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1
    3⤵
    - Runs ping.exe
    PID:3760

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\jupccy.exe

Filesize
148KB

MD5
487f3b97c9fa292d2854ec779e9f9d39

SHA1
7aa16bbf8b8fe96cc892213c894d375d108c6116

SHA256
cb82103455bb3803a6cfad84d711560f1c1f5d1250c0ffcfd244b8d100f3317b

SHA512
27aa11a678338dd7047d19e96c8b635b4ec6afc2a473c7fe4722528161231fac79f289244c6ad73c9f0b5748f921a5f2facdf1f984fad7dd4c221aaba0129feb

Download Submit
C:\Users\Admin\AppData\Local\Temp\jupccy.exe

Filesize
148KB

MD5
487f3b97c9fa292d2854ec779e9f9d39

SHA1
7aa16bbf8b8fe96cc892213c894d375d108c6116

SHA256
cb82103455bb3803a6cfad84d711560f1c1f5d1250c0ffcfd244b8d100f3317b

SHA512
27aa11a678338dd7047d19e96c8b635b4ec6afc2a473c7fe4722528161231fac79f289244c6ad73c9f0b5748f921a5f2facdf1f984fad7dd4c221aaba0129feb

Download Submit
C:\Users\Admin\AppData\Local\Temp\kydqae.bat

Filesize
188B

MD5
7f9d38838d2e9aeec2f1cfefc27bf30e

SHA1
dc83cd8efb3fea74f7d63a7d2dadac1b47993847

SHA256
fe2dc330e9ade62d8b2b35e38cd60b0af7182d8daf7ef33bd526c22fede9a76f

SHA512
eec97364255e8c29a612f7cf75e84189ddb816c5a74096b18ca33e3f8ed9b3ac99d4650f9c16b2abb81ca7ef2f1946023c72ad60a8a298bd68a1d777aef402e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ltrkgyn.bat

Filesize
124B

MD5
04c81a20b34112427f7e1ba801fdc14d

SHA1
0b243b086f1ac24d0408f905181427d61408e298

SHA256
bd797960f7b89c72299e1a95141f9e1d74d1da5036d0a562ac7b34cf3ece14c9

SHA512
abffcc441c5ff4e770dc4ac4d69011723389e7cd6baffc0fd00f278572d5b7aa8381e7b399fa42ae22ab89efafaf34ea7a34086b59c5ea57eeadd8be1a04502c

Download Submit