5a178e873bea63aa2c0c4c05c2fab788cf3e18bbeeeb94cdc921b77c2c5584c5

Analysis

max time kernel
45s
max time network
48s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
22-11-2022 18:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a178e873bea63aa2c0c4c05c2fab788cf3e18bbeeeb94cdc921b77c2c5584c5.exe
Size

1.0MB
MD5

27fe66f32b3bdad4fb04a0b15701f7e3
SHA1

a1a97813c5be852a63526d81254cd4f75e5da3ae
SHA256

5a178e873bea63aa2c0c4c05c2fab788cf3e18bbeeeb94cdc921b77c2c5584c5
SHA512

2a935a04e1b2d968219e2a9e1393ca11fe1dd324693040a72ee06f0d49ce387d0b6a763476be4dde6c1015e1c9145d12bfeef6c101fe3b899f3a3de60a2d7266
SSDEEP

24576:mt24vqVnszwQ28Qcuc+OSgLphaZ3etWrJ:sXwQ2jbD8hm3vJ

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
760	jnotg.com
836	jnotg.com

Loads dropped DLL 5 IoCs

pid	Process
1764	5a178e873bea63aa2c0c4c05c2fab788cf3e18bbeeeb94cdc921b77c2c5584c5.exe
1764	5a178e873bea63aa2c0c4c05c2fab788cf3e18bbeeeb94cdc921b77c2c5584c5.exe
1764	5a178e873bea63aa2c0c4c05c2fab788cf3e18bbeeeb94cdc921b77c2c5584c5.exe
1764	5a178e873bea63aa2c0c4c05c2fab788cf3e18bbeeeb94cdc921b77c2c5584c5.exe
760	jnotg.com

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	jnotg.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\uueea\\jnotg.com C:\\Users\\Admin\\AppData\\Roaming\\uueea\\egwlg.plw"	jnotg.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 836 set thread context of 1064	836	jnotg.com	30

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1764 wrote to memory of 760	1764	5a178e873bea63aa2c0c4c05c2fab788cf3e18bbeeeb94cdc921b77c2c5584c5.exe	28
PID 1764 wrote to memory of 760	1764	5a178e873bea63aa2c0c4c05c2fab788cf3e18bbeeeb94cdc921b77c2c5584c5.exe	28
PID 1764 wrote to memory of 760	1764	5a178e873bea63aa2c0c4c05c2fab788cf3e18bbeeeb94cdc921b77c2c5584c5.exe	28
PID 1764 wrote to memory of 760	1764	5a178e873bea63aa2c0c4c05c2fab788cf3e18bbeeeb94cdc921b77c2c5584c5.exe	28
PID 1764 wrote to memory of 760	1764	5a178e873bea63aa2c0c4c05c2fab788cf3e18bbeeeb94cdc921b77c2c5584c5.exe	28
PID 1764 wrote to memory of 760	1764	5a178e873bea63aa2c0c4c05c2fab788cf3e18bbeeeb94cdc921b77c2c5584c5.exe	28
PID 1764 wrote to memory of 760	1764	5a178e873bea63aa2c0c4c05c2fab788cf3e18bbeeeb94cdc921b77c2c5584c5.exe	28
PID 760 wrote to memory of 836	760	jnotg.com	29
PID 760 wrote to memory of 836	760	jnotg.com	29
PID 760 wrote to memory of 836	760	jnotg.com	29
PID 760 wrote to memory of 836	760	jnotg.com	29
PID 760 wrote to memory of 836	760	jnotg.com	29
PID 760 wrote to memory of 836	760	jnotg.com	29
PID 760 wrote to memory of 836	760	jnotg.com	29
PID 836 wrote to memory of 1064	836	jnotg.com	30
PID 836 wrote to memory of 1064	836	jnotg.com	30
PID 836 wrote to memory of 1064	836	jnotg.com	30
PID 836 wrote to memory of 1064	836	jnotg.com	30
PID 836 wrote to memory of 1064	836	jnotg.com	30
PID 836 wrote to memory of 1064	836	jnotg.com	30
PID 836 wrote to memory of 1064	836	jnotg.com	30
PID 836 wrote to memory of 1064	836	jnotg.com	30

C:\Users\Admin\AppData\Local\Temp\5a178e873bea63aa2c0c4c05c2fab788cf3e18bbeeeb94cdc921b77c2c5584c5.exe
"C:\Users\Admin\AppData\Local\Temp\5a178e873bea63aa2c0c4c05c2fab788cf3e18bbeeeb94cdc921b77c2c5584c5.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Users\Admin\AppData\Roaming\uueea\jnotg.com
  "C:\Users\Admin\AppData\Roaming\uueea\jnotg.com" egwlg.plw
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:760
- - C:\Users\Admin\AppData\Roaming\uueea\jnotg.com
    C:\Users\Admin\AppData\Roaming\uueea\jnotg.com C:\Users\Admin\AppData\Roaming\uueea\QGEKR
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:836
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
      4⤵
      PID:1064

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\uueea\QGEKR

Filesize
118KB

MD5
c346f5cd7684d742e218dc717b47c027

SHA1
c1486531db25d3c7f86e6a0031342885bd8580b5

SHA256
f4277a31ceba382ca8de4d8771e9d12e67dac07c421edbb9dc38be4d843bcb63

SHA512
90548e009e967c0151b3330c5070352a5de2e227d61a0695044ebaddad492d2a95a05fbeddb7155b959320ffbfbb0866f091348f8e7927a5810aa8ec2344edaf

Download Submit
C:\Users\Admin\AppData\Roaming\uueea\YMQGIX

Filesize
30KB

MD5
a500068edd85d9eb32b9f3f72be05243

SHA1
80646209a2639306075d6090767fc8f33208cfbb

SHA256
5921af928a8577b129ae3a1ba8a29b7f7763e9a4aa2870429c5b6ee35490c28b

SHA512
704384f8b83c837a34d4eda349e64cb68ce3c05a98c0b8615c3286002c95b7579126f68b3091d459e21fbfce6896d7ae6218e906b18636706c86f3aba5d0e018

Download Submit
C:\Users\Admin\AppData\Roaming\uueea\egwlg.plw

Filesize
127KB

MD5
d598e742d1aa8ff9de5eae06207552d4

SHA1
f623c13916ecd450cb8c090dd65226c40a5d1a8e

SHA256
e12b30f79ad7cf4b71d5aaf2eb5b1d2b0971a5d460f526406ce2def601c4f3df

SHA512
3efc8bc8a7b562c21127732d8bb6e1f3ed70f702edc2b1a99f624f13b92de054accb09014ebf8d32eb82a64c7d0a4c7ac441b951170a6da8152c64be75f59364

Download Submit
C:\Users\Admin\AppData\Roaming\uueea\hllwp

Filesize
277KB

MD5
6a637d94198ddffcbc6bb0c5f7d1f9fa

SHA1
62dc7ae5444a2a31d8ea4160851e89c327e0a8ff

SHA256
7ef88c8ffd41bacbb7cdf540dd1e4cac7df32881cb8dfb0aaab3339bb120bf8c

SHA512
ac1dcabf380917a24ffce1c72c74cd52514dc4aaf15b263114096740dfe16c42d3e128b4d04649b3a0b518ee8a378ab8e26050a9bebf258dd914182c6a316317

Download Submit
C:\Users\Admin\AppData\Roaming\uueea\jnotg.com

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
C:\Users\Admin\AppData\Roaming\uueea\jnotg.com

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
C:\Users\Admin\AppData\Roaming\uueea\jnotg.com

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
C:\Users\Admin\AppData\Roaming\uueea\pfxif.wte

Filesize
118KB

MD5
f6e15c6d7f0c9520825cb0f0b792153f

SHA1
337135a46591e4139300775cf0acee39e87d961e

SHA256
b84f15965a8afe578a1a138e6bf194fc283d76e7131a013ea5c3a996a5173af4

SHA512
d196fc316d2c2e9fdc4e58aa432a29cd7bbd54b03a6f71bb7dbe1832d750194caccddf441677fd975d3a5d094ed86cfcab618bbf05d0e9866ccf32b570291920

Download Submit
\Users\Admin\AppData\Roaming\uueea\jnotg.com

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
\Users\Admin\AppData\Roaming\uueea\jnotg.com

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
\Users\Admin\AppData\Roaming\uueea\jnotg.com

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
\Users\Admin\AppData\Roaming\uueea\jnotg.com

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
\Users\Admin\AppData\Roaming\uueea\jnotg.com

Filesize
732KB

MD5
71d8f6d5dc35517275bc38ebcc815f9f

SHA1
cae4e8c730de5a01d30aabeb3e5cb2136090ed8d

SHA256
fb73a819b37523126c7708a1d06f3b8825fa60c926154ab2d511ba668f49dc4b

SHA512
4826f45000ea50d9044e3ef11e83426281fbd5f3f5a25f9786c2e487b4cf26b04f6f900ca6e70440644c9d75f700a4c908ab6f398f59c65ee1bff85dfef4ce59

Download Submit
memory/1764-54-0x0000000075BA1000-0x0000000075BA3000-memory.dmp

Filesize
8KB

Download