0574aab4b001522d26b32e2bc0c25f3b8f0d3cc7921a4e232fac944ebb6a6063

General

Target

0574aab4b001522d26b32e2bc0c25f3b8f0d3cc7921a4e232fac944ebb6a6063.exe
Size

511KB
MD5

0003852580f588ecac459b5e3d887c06
SHA1

fd7e307f629f0d19f530ad4e35d45a312d0cc421
SHA256

0574aab4b001522d26b32e2bc0c25f3b8f0d3cc7921a4e232fac944ebb6a6063
SHA512

5370cedb93d7a3adfa0cbb3218ef4d0649f80c0b085f5772d7822a2a2f80935b6c5a8d449a3ebbfe2af11cc8a916a7c5b600e80f9688510c027ab8c6fc58b639
SSDEEP

12288:E14ImkxluCvjpc6TLuTB9LBqa/G1gzqXCTdKV7A+ieyE:a4vuzK6YBd0oG1KBTEdjG

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1180	jlguaji.exe
1272	jlguaji.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000c0000000054a8-58.dat	upx
behavioral1/files/0x000c0000000054a8-59.dat	upx
behavioral1/files/0x000c0000000054a8-61.dat	upx
behavioral1/memory/1180-64-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/files/0x000c0000000054a8-65.dat	upx
behavioral1/memory/1180-66-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/files/0x000c0000000054a8-68.dat	upx
behavioral1/memory/1272-72-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/files/0x000c0000000054a8-70.dat	upx

Loads dropped DLL 3 IoCs

pid	Process
532	0574aab4b001522d26b32e2bc0c25f3b8f0d3cc7921a4e232fac944ebb6a6063.exe
532	0574aab4b001522d26b32e2bc0c25f3b8f0d3cc7921a4e232fac944ebb6a6063.exe
532	0574aab4b001522d26b32e2bc0c25f3b8f0d3cc7921a4e232fac944ebb6a6063.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\jlguaji.exe	0574aab4b001522d26b32e2bc0c25f3b8f0d3cc7921a4e232fac944ebb6a6063.exe
File opened for modification	C:\Program Files\jlguaji.exe	0574aab4b001522d26b32e2bc0c25f3b8f0d3cc7921a4e232fac944ebb6a6063.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	jlguaji.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	jlguaji.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	jlguaji.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
532	0574aab4b001522d26b32e2bc0c25f3b8f0d3cc7921a4e232fac944ebb6a6063.exe
532	0574aab4b001522d26b32e2bc0c25f3b8f0d3cc7921a4e232fac944ebb6a6063.exe
532	0574aab4b001522d26b32e2bc0c25f3b8f0d3cc7921a4e232fac944ebb6a6063.exe
532	0574aab4b001522d26b32e2bc0c25f3b8f0d3cc7921a4e232fac944ebb6a6063.exe
532	0574aab4b001522d26b32e2bc0c25f3b8f0d3cc7921a4e232fac944ebb6a6063.exe
532	0574aab4b001522d26b32e2bc0c25f3b8f0d3cc7921a4e232fac944ebb6a6063.exe
532	0574aab4b001522d26b32e2bc0c25f3b8f0d3cc7921a4e232fac944ebb6a6063.exe
532	0574aab4b001522d26b32e2bc0c25f3b8f0d3cc7921a4e232fac944ebb6a6063.exe
532	0574aab4b001522d26b32e2bc0c25f3b8f0d3cc7921a4e232fac944ebb6a6063.exe
532	0574aab4b001522d26b32e2bc0c25f3b8f0d3cc7921a4e232fac944ebb6a6063.exe
532	0574aab4b001522d26b32e2bc0c25f3b8f0d3cc7921a4e232fac944ebb6a6063.exe
532	0574aab4b001522d26b32e2bc0c25f3b8f0d3cc7921a4e232fac944ebb6a6063.exe
532	0574aab4b001522d26b32e2bc0c25f3b8f0d3cc7921a4e232fac944ebb6a6063.exe
532	0574aab4b001522d26b32e2bc0c25f3b8f0d3cc7921a4e232fac944ebb6a6063.exe
532	0574aab4b001522d26b32e2bc0c25f3b8f0d3cc7921a4e232fac944ebb6a6063.exe
1180	jlguaji.exe
532	0574aab4b001522d26b32e2bc0c25f3b8f0d3cc7921a4e232fac944ebb6a6063.exe
532	0574aab4b001522d26b32e2bc0c25f3b8f0d3cc7921a4e232fac944ebb6a6063.exe
532	0574aab4b001522d26b32e2bc0c25f3b8f0d3cc7921a4e232fac944ebb6a6063.exe
532	0574aab4b001522d26b32e2bc0c25f3b8f0d3cc7921a4e232fac944ebb6a6063.exe
532	0574aab4b001522d26b32e2bc0c25f3b8f0d3cc7921a4e232fac944ebb6a6063.exe
532	0574aab4b001522d26b32e2bc0c25f3b8f0d3cc7921a4e232fac944ebb6a6063.exe
532	0574aab4b001522d26b32e2bc0c25f3b8f0d3cc7921a4e232fac944ebb6a6063.exe
532	0574aab4b001522d26b32e2bc0c25f3b8f0d3cc7921a4e232fac944ebb6a6063.exe
532	0574aab4b001522d26b32e2bc0c25f3b8f0d3cc7921a4e232fac944ebb6a6063.exe
532	0574aab4b001522d26b32e2bc0c25f3b8f0d3cc7921a4e232fac944ebb6a6063.exe
532	0574aab4b001522d26b32e2bc0c25f3b8f0d3cc7921a4e232fac944ebb6a6063.exe
532	0574aab4b001522d26b32e2bc0c25f3b8f0d3cc7921a4e232fac944ebb6a6063.exe
532	0574aab4b001522d26b32e2bc0c25f3b8f0d3cc7921a4e232fac944ebb6a6063.exe
532	0574aab4b001522d26b32e2bc0c25f3b8f0d3cc7921a4e232fac944ebb6a6063.exe
532	0574aab4b001522d26b32e2bc0c25f3b8f0d3cc7921a4e232fac944ebb6a6063.exe
532	0574aab4b001522d26b32e2bc0c25f3b8f0d3cc7921a4e232fac944ebb6a6063.exe
532	0574aab4b001522d26b32e2bc0c25f3b8f0d3cc7921a4e232fac944ebb6a6063.exe
532	0574aab4b001522d26b32e2bc0c25f3b8f0d3cc7921a4e232fac944ebb6a6063.exe
532	0574aab4b001522d26b32e2bc0c25f3b8f0d3cc7921a4e232fac944ebb6a6063.exe
532	0574aab4b001522d26b32e2bc0c25f3b8f0d3cc7921a4e232fac944ebb6a6063.exe
532	0574aab4b001522d26b32e2bc0c25f3b8f0d3cc7921a4e232fac944ebb6a6063.exe
532	0574aab4b001522d26b32e2bc0c25f3b8f0d3cc7921a4e232fac944ebb6a6063.exe
532	0574aab4b001522d26b32e2bc0c25f3b8f0d3cc7921a4e232fac944ebb6a6063.exe
532	0574aab4b001522d26b32e2bc0c25f3b8f0d3cc7921a4e232fac944ebb6a6063.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1180	jlguaji.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1180	jlguaji.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
532	0574aab4b001522d26b32e2bc0c25f3b8f0d3cc7921a4e232fac944ebb6a6063.exe
532	0574aab4b001522d26b32e2bc0c25f3b8f0d3cc7921a4e232fac944ebb6a6063.exe
1180	jlguaji.exe
1180	jlguaji.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 532 wrote to memory of 1180	532	0574aab4b001522d26b32e2bc0c25f3b8f0d3cc7921a4e232fac944ebb6a6063.exe	27
PID 532 wrote to memory of 1180	532	0574aab4b001522d26b32e2bc0c25f3b8f0d3cc7921a4e232fac944ebb6a6063.exe	27
PID 532 wrote to memory of 1180	532	0574aab4b001522d26b32e2bc0c25f3b8f0d3cc7921a4e232fac944ebb6a6063.exe	27
PID 532 wrote to memory of 1180	532	0574aab4b001522d26b32e2bc0c25f3b8f0d3cc7921a4e232fac944ebb6a6063.exe	27
PID 532 wrote to memory of 1272	532	0574aab4b001522d26b32e2bc0c25f3b8f0d3cc7921a4e232fac944ebb6a6063.exe	30
PID 532 wrote to memory of 1272	532	0574aab4b001522d26b32e2bc0c25f3b8f0d3cc7921a4e232fac944ebb6a6063.exe	30
PID 532 wrote to memory of 1272	532	0574aab4b001522d26b32e2bc0c25f3b8f0d3cc7921a4e232fac944ebb6a6063.exe	30
PID 532 wrote to memory of 1272	532	0574aab4b001522d26b32e2bc0c25f3b8f0d3cc7921a4e232fac944ebb6a6063.exe	30

C:\Users\Admin\AppData\Local\Temp\0574aab4b001522d26b32e2bc0c25f3b8f0d3cc7921a4e232fac944ebb6a6063.exe
"C:\Users\Admin\AppData\Local\Temp\0574aab4b001522d26b32e2bc0c25f3b8f0d3cc7921a4e232fac944ebb6a6063.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:532
- C:\Program Files\jlguaji.exe
  "C:\Program Files\jlguaji.exe"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1180
- C:\Program Files\jlguaji.exe
  "C:\Program Files\jlguaji.exe"
  2⤵
  - Executes dropped EXE
  PID:1272

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\jlguaji.exe

Filesize
296KB

MD5
e85a4c6c9038977ef7d8989c52db035e

SHA1
cc4f1d2e75b5c5be718b9eabcd84a9b3ab146b28

SHA256
ae66987b372c351016cfbae7e7a231beff1bc45ced43044e8fec19b9b65219df

SHA512
ace0fae98d7ccc19a849d07b546a1f5ced79fdb177d54b41745d145eb571676fcc027bfbdcaaea0750859afe4dd407ec25d094a96552f3c83ae32074ada82891

Download Submit
C:\Program Files\jlguaji.exe

Filesize
296KB

MD5
e85a4c6c9038977ef7d8989c52db035e

SHA1
cc4f1d2e75b5c5be718b9eabcd84a9b3ab146b28

SHA256
ae66987b372c351016cfbae7e7a231beff1bc45ced43044e8fec19b9b65219df

SHA512
ace0fae98d7ccc19a849d07b546a1f5ced79fdb177d54b41745d145eb571676fcc027bfbdcaaea0750859afe4dd407ec25d094a96552f3c83ae32074ada82891

Download Submit
C:\Program Files\jlguaji.exe

Filesize
296KB

MD5
e85a4c6c9038977ef7d8989c52db035e

SHA1
cc4f1d2e75b5c5be718b9eabcd84a9b3ab146b28

SHA256
ae66987b372c351016cfbae7e7a231beff1bc45ced43044e8fec19b9b65219df

SHA512
ace0fae98d7ccc19a849d07b546a1f5ced79fdb177d54b41745d145eb571676fcc027bfbdcaaea0750859afe4dd407ec25d094a96552f3c83ae32074ada82891

Download Submit
\Program Files\jlguaji.exe

Filesize
296KB

MD5
e85a4c6c9038977ef7d8989c52db035e

SHA1
cc4f1d2e75b5c5be718b9eabcd84a9b3ab146b28

SHA256
ae66987b372c351016cfbae7e7a231beff1bc45ced43044e8fec19b9b65219df

SHA512
ace0fae98d7ccc19a849d07b546a1f5ced79fdb177d54b41745d145eb571676fcc027bfbdcaaea0750859afe4dd407ec25d094a96552f3c83ae32074ada82891

Download Submit
\Program Files\jlguaji.exe

Filesize
296KB

MD5
e85a4c6c9038977ef7d8989c52db035e

SHA1
cc4f1d2e75b5c5be718b9eabcd84a9b3ab146b28

SHA256
ae66987b372c351016cfbae7e7a231beff1bc45ced43044e8fec19b9b65219df

SHA512
ace0fae98d7ccc19a849d07b546a1f5ced79fdb177d54b41745d145eb571676fcc027bfbdcaaea0750859afe4dd407ec25d094a96552f3c83ae32074ada82891

Download Submit
\Program Files\jlguaji.exe

Filesize
296KB

MD5
e85a4c6c9038977ef7d8989c52db035e

SHA1
cc4f1d2e75b5c5be718b9eabcd84a9b3ab146b28

SHA256
ae66987b372c351016cfbae7e7a231beff1bc45ced43044e8fec19b9b65219df

SHA512
ace0fae98d7ccc19a849d07b546a1f5ced79fdb177d54b41745d145eb571676fcc027bfbdcaaea0750859afe4dd407ec25d094a96552f3c83ae32074ada82891

Download Submit
memory/532-55-0x0000000000400000-0x00000000004FD000-memory.dmp

Filesize
1012KB

Download
memory/532-57-0x0000000000400000-0x00000000004FD000-memory.dmp

Filesize
1012KB

Download
memory/532-63-0x0000000003040000-0x00000000030F7000-memory.dmp

Filesize
732KB

Download
memory/532-54-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download
memory/532-73-0x0000000000400000-0x00000000004FD000-memory.dmp

Filesize
1012KB

Download
memory/1180-64-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1180-66-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/1272-72-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download

Analysis

Sharing