f1a4df9568feadb23b63c862bc9bb8a779d1b15a81ef9938aeb383e6a0f47478

General

Target

f1a4df9568feadb23b63c862bc9bb8a779d1b15a81ef9938aeb383e6a0f47478.exe
Size

216KB
MD5

7ae277ad33f1eda32a8c934615f9ae57
SHA1

8e1fe6f543a3e6fd66477c3aa0dbe9a230ef8f85
SHA256

f1a4df9568feadb23b63c862bc9bb8a779d1b15a81ef9938aeb383e6a0f47478
SHA512

45c6d5e2e2ee4e529e2f6362931a555206f11e32c3a4d30d2900f25365ee5cef3410f0b83d48e9c1fe05a1d1fb33cc50bf40784918073b7378123f76cca3e147
SSDEEP

3072:L7jVeHLXsnENPCcRDUN3PBneGHB/ThdFJpS5W7FQaum4GeMBpbVVDQ:2LXsnuKeoBXBbfF3V7GD8/b8

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4840	Jsegzrrtapjsaoxe.exe
3524	Jsegzrrtapjsaoxe.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run	f1a4df9568feadb23b63c862bc9bb8a779d1b15a81ef9938aeb383e6a0f47478.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Jsegzrrtapjsaoxe.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\Jsegzrrtapjsaoxe.exe\"耀"	f1a4df9568feadb23b63c862bc9bb8a779d1b15a81ef9938aeb383e6a0f47478.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4280 set thread context of 4276	4280	f1a4df9568feadb23b63c862bc9bb8a779d1b15a81ef9938aeb383e6a0f47478.exe	83
PID 4840 set thread context of 3524	4840	Jsegzrrtapjsaoxe.exe	85

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4276	f1a4df9568feadb23b63c862bc9bb8a779d1b15a81ef9938aeb383e6a0f47478.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	4276	f1a4df9568feadb23b63c862bc9bb8a779d1b15a81ef9938aeb383e6a0f47478.exe
Token: SeIncBasePriorityPrivilege	4276	f1a4df9568feadb23b63c862bc9bb8a779d1b15a81ef9938aeb383e6a0f47478.exe
Token: 33	3524	Jsegzrrtapjsaoxe.exe
Token: SeIncBasePriorityPrivilege	3524	Jsegzrrtapjsaoxe.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4280 wrote to memory of 4276	4280	f1a4df9568feadb23b63c862bc9bb8a779d1b15a81ef9938aeb383e6a0f47478.exe	83
PID 4280 wrote to memory of 4276	4280	f1a4df9568feadb23b63c862bc9bb8a779d1b15a81ef9938aeb383e6a0f47478.exe	83
PID 4280 wrote to memory of 4276	4280	f1a4df9568feadb23b63c862bc9bb8a779d1b15a81ef9938aeb383e6a0f47478.exe	83
PID 4280 wrote to memory of 4276	4280	f1a4df9568feadb23b63c862bc9bb8a779d1b15a81ef9938aeb383e6a0f47478.exe	83
PID 4280 wrote to memory of 4276	4280	f1a4df9568feadb23b63c862bc9bb8a779d1b15a81ef9938aeb383e6a0f47478.exe	83
PID 4280 wrote to memory of 4276	4280	f1a4df9568feadb23b63c862bc9bb8a779d1b15a81ef9938aeb383e6a0f47478.exe	83
PID 4280 wrote to memory of 4276	4280	f1a4df9568feadb23b63c862bc9bb8a779d1b15a81ef9938aeb383e6a0f47478.exe	83
PID 4280 wrote to memory of 4276	4280	f1a4df9568feadb23b63c862bc9bb8a779d1b15a81ef9938aeb383e6a0f47478.exe	83
PID 4280 wrote to memory of 4276	4280	f1a4df9568feadb23b63c862bc9bb8a779d1b15a81ef9938aeb383e6a0f47478.exe	83
PID 4276 wrote to memory of 4840	4276	f1a4df9568feadb23b63c862bc9bb8a779d1b15a81ef9938aeb383e6a0f47478.exe	84
PID 4276 wrote to memory of 4840	4276	f1a4df9568feadb23b63c862bc9bb8a779d1b15a81ef9938aeb383e6a0f47478.exe	84
PID 4276 wrote to memory of 4840	4276	f1a4df9568feadb23b63c862bc9bb8a779d1b15a81ef9938aeb383e6a0f47478.exe	84
PID 4840 wrote to memory of 3524	4840	Jsegzrrtapjsaoxe.exe	85
PID 4840 wrote to memory of 3524	4840	Jsegzrrtapjsaoxe.exe	85
PID 4840 wrote to memory of 3524	4840	Jsegzrrtapjsaoxe.exe	85
PID 4840 wrote to memory of 3524	4840	Jsegzrrtapjsaoxe.exe	85
PID 4840 wrote to memory of 3524	4840	Jsegzrrtapjsaoxe.exe	85
PID 4840 wrote to memory of 3524	4840	Jsegzrrtapjsaoxe.exe	85
PID 4840 wrote to memory of 3524	4840	Jsegzrrtapjsaoxe.exe	85
PID 4840 wrote to memory of 3524	4840	Jsegzrrtapjsaoxe.exe	85
PID 4840 wrote to memory of 3524	4840	Jsegzrrtapjsaoxe.exe	85

C:\Users\Admin\AppData\Local\Temp\f1a4df9568feadb23b63c862bc9bb8a779d1b15a81ef9938aeb383e6a0f47478.exe
"C:\Users\Admin\AppData\Local\Temp\f1a4df9568feadb23b63c862bc9bb8a779d1b15a81ef9938aeb383e6a0f47478.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4280
- C:\Users\Admin\AppData\Local\Temp\f1a4df9568feadb23b63c862bc9bb8a779d1b15a81ef9938aeb383e6a0f47478.exe
  "C:\Users\Admin\AppData\Local\Temp\f1a4df9568feadb23b63c862bc9bb8a779d1b15a81ef9938aeb383e6a0f47478.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4276
- - C:\Users\Admin\AppData\Roaming\Jsegzrrtapjsaoxe.exe
    -n
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4840
  - - C:\Users\Admin\AppData\Roaming\Jsegzrrtapjsaoxe.exe
      -n
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3524

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\~54812.tmp

Filesize
216KB

MD5
7ae277ad33f1eda32a8c934615f9ae57

SHA1
8e1fe6f543a3e6fd66477c3aa0dbe9a230ef8f85

SHA256
f1a4df9568feadb23b63c862bc9bb8a779d1b15a81ef9938aeb383e6a0f47478

SHA512
45c6d5e2e2ee4e529e2f6362931a555206f11e32c3a4d30d2900f25365ee5cef3410f0b83d48e9c1fe05a1d1fb33cc50bf40784918073b7378123f76cca3e147

Download Submit
C:\Users\Admin\AppData\Roaming\Jsegzrrtapjsaoxe.exe

Filesize
216KB

MD5
7ae277ad33f1eda32a8c934615f9ae57

SHA1
8e1fe6f543a3e6fd66477c3aa0dbe9a230ef8f85

SHA256
f1a4df9568feadb23b63c862bc9bb8a779d1b15a81ef9938aeb383e6a0f47478

SHA512
45c6d5e2e2ee4e529e2f6362931a555206f11e32c3a4d30d2900f25365ee5cef3410f0b83d48e9c1fe05a1d1fb33cc50bf40784918073b7378123f76cca3e147

Download Submit
C:\Users\Admin\AppData\Roaming\Jsegzrrtapjsaoxe.exe

Filesize
216KB

MD5
7ae277ad33f1eda32a8c934615f9ae57

SHA1
8e1fe6f543a3e6fd66477c3aa0dbe9a230ef8f85

SHA256
f1a4df9568feadb23b63c862bc9bb8a779d1b15a81ef9938aeb383e6a0f47478

SHA512
45c6d5e2e2ee4e529e2f6362931a555206f11e32c3a4d30d2900f25365ee5cef3410f0b83d48e9c1fe05a1d1fb33cc50bf40784918073b7378123f76cca3e147

Download Submit
memory/3524-139-0x0000000000000000-mapping.dmp

Download
memory/3524-145-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4276-132-0x0000000000000000-mapping.dmp

Download
memory/4276-133-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4276-135-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4276-138-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4840-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing