233af642b3e22613551e087a7cefcf2a530752da6613efc52da7cb957cb8f0f3

General

Target

233af642b3e22613551e087a7cefcf2a530752da6613efc52da7cb957cb8f0f3.dll
Size

63KB
MD5

ab07a13a5f27d85daa3f4636b41c4622
SHA1

d6a919d524356f3ddbf6d8b209bc65cbddf2294d
SHA256

233af642b3e22613551e087a7cefcf2a530752da6613efc52da7cb957cb8f0f3
SHA512

e8459c5988bac2633c7d052f961fc3dc4c1eae64dd2686e74d909ee1a0f338460117031278c886a8e22fd82086be9451fb73e141f54dbd40bd4818814704ec66
SSDEEP

1536:jeYzhn0K1uAiuYUaZabt5Qv7fU1WTD+TUT+1A:KYzhnHcAimEyfSfWkU1

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

imejpmig.exe

pid process

2404 imejpmig.exe

pid	process
2404	imejpmig.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4840-133-0x0000000010000000-0x000000001002D000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	rundll32.exe

Loads dropped DLL 1 IoCs

Processes:

imejpmig.exe

pid process

2404 imejpmig.exe

pid	process
2404	imejpmig.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

imejpmig.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\imejp = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\IMJP8_1\\imejpmig.exe"	imejpmig.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exeipconfig.exe

pid process

3504 ipconfig.exe
4972 ipconfig.exe
Gathers system information 1 TTPs 2 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exesysteminfo.exe

pid process

4216 systeminfo.exe
3648 systeminfo.exe
Runs net.exe

pid	process
3504	ipconfig.exe
4972	ipconfig.exe

pid	process
4216	systeminfo.exe
3648	systeminfo.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

rundll32.exerundll32.exeimejpmig.execmd.execmd.exenet.execmd.execmd.execmd.exenet.execmd.exe

description	pid	process	target process
PID 1968 wrote to memory of 4840	1968	rundll32.exe	rundll32.exe
PID 1968 wrote to memory of 4840	1968	rundll32.exe	rundll32.exe
PID 1968 wrote to memory of 4840	1968	rundll32.exe	rundll32.exe
PID 4840 wrote to memory of 2404	4840	rundll32.exe	imejpmig.exe
PID 4840 wrote to memory of 2404	4840	rundll32.exe	imejpmig.exe
PID 4840 wrote to memory of 2404	4840	rundll32.exe	imejpmig.exe
PID 2404 wrote to memory of 4612	2404	imejpmig.exe	cmd.exe
PID 2404 wrote to memory of 4612	2404	imejpmig.exe	cmd.exe
PID 2404 wrote to memory of 4612	2404	imejpmig.exe	cmd.exe
PID 4612 wrote to memory of 3504	4612	cmd.exe	ipconfig.exe
PID 4612 wrote to memory of 3504	4612	cmd.exe	ipconfig.exe
PID 4612 wrote to memory of 3504	4612	cmd.exe	ipconfig.exe
PID 2404 wrote to memory of 4236	2404	imejpmig.exe	cmd.exe
PID 2404 wrote to memory of 4236	2404	imejpmig.exe	cmd.exe
PID 2404 wrote to memory of 4236	2404	imejpmig.exe	cmd.exe
PID 4236 wrote to memory of 4760	4236	cmd.exe	net.exe
PID 4236 wrote to memory of 4760	4236	cmd.exe	net.exe
PID 4236 wrote to memory of 4760	4236	cmd.exe	net.exe
PID 4760 wrote to memory of 4320	4760	net.exe	net1.exe
PID 4760 wrote to memory of 4320	4760	net.exe	net1.exe
PID 4760 wrote to memory of 4320	4760	net.exe	net1.exe
PID 2404 wrote to memory of 1528	2404	imejpmig.exe	cmd.exe
PID 2404 wrote to memory of 1528	2404	imejpmig.exe	cmd.exe
PID 2404 wrote to memory of 1528	2404	imejpmig.exe	cmd.exe
PID 2404 wrote to memory of 4484	2404	imejpmig.exe	cmd.exe
PID 2404 wrote to memory of 4484	2404	imejpmig.exe	cmd.exe
PID 2404 wrote to memory of 4484	2404	imejpmig.exe	cmd.exe
PID 4484 wrote to memory of 4216	4484	cmd.exe	systeminfo.exe
PID 4484 wrote to memory of 4216	4484	cmd.exe	systeminfo.exe
PID 4484 wrote to memory of 4216	4484	cmd.exe	systeminfo.exe
PID 2404 wrote to memory of 4596	2404	imejpmig.exe	cmd.exe
PID 2404 wrote to memory of 4596	2404	imejpmig.exe	cmd.exe
PID 2404 wrote to memory of 4596	2404	imejpmig.exe	cmd.exe
PID 4596 wrote to memory of 4972	4596	cmd.exe	ipconfig.exe
PID 4596 wrote to memory of 4972	4596	cmd.exe	ipconfig.exe
PID 4596 wrote to memory of 4972	4596	cmd.exe	ipconfig.exe
PID 2404 wrote to memory of 1900	2404	imejpmig.exe	cmd.exe
PID 2404 wrote to memory of 1900	2404	imejpmig.exe	cmd.exe
PID 2404 wrote to memory of 1900	2404	imejpmig.exe	cmd.exe
PID 1900 wrote to memory of 5032	1900	cmd.exe	net.exe
PID 1900 wrote to memory of 5032	1900	cmd.exe	net.exe
PID 1900 wrote to memory of 5032	1900	cmd.exe	net.exe
PID 5032 wrote to memory of 3356	5032	net.exe	net1.exe
PID 5032 wrote to memory of 3356	5032	net.exe	net1.exe
PID 5032 wrote to memory of 3356	5032	net.exe	net1.exe
PID 2404 wrote to memory of 5112	2404	imejpmig.exe	cmd.exe
PID 2404 wrote to memory of 5112	2404	imejpmig.exe	cmd.exe
PID 2404 wrote to memory of 5112	2404	imejpmig.exe	cmd.exe
PID 2404 wrote to memory of 1248	2404	imejpmig.exe	cmd.exe
PID 2404 wrote to memory of 1248	2404	imejpmig.exe	cmd.exe
PID 2404 wrote to memory of 1248	2404	imejpmig.exe	cmd.exe
PID 1248 wrote to memory of 3648	1248	cmd.exe	systeminfo.exe
PID 1248 wrote to memory of 3648	1248	cmd.exe	systeminfo.exe
PID 1248 wrote to memory of 3648	1248	cmd.exe	systeminfo.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\233af642b3e22613551e087a7cefcf2a530752da6613efc52da7cb957cb8f0f3.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\233af642b3e22613551e087a7cefcf2a530752da6613efc52da7cb957cb8f0f3.dll,#1
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4840

C:\Users\Admin\AppData\Roaming\Microsoft\IMJP8_1\imejpmig.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\IMJP8_1\imejpmig.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2404

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c IpConFig /All
4⤵
- Suspicious use of WriteProcessMemory
PID:4612

C:\Windows\SysWOW64\ipconfig.exe
IpConFig /All
5⤵
- Gathers network information
PID:3504

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Net STarT
4⤵
- Suspicious use of WriteProcessMemory
PID:4236

C:\Windows\SysWOW64\net.exe
Net STarT
5⤵
- Suspicious use of WriteProcessMemory
PID:4760

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 STarT
6⤵
PID:4320

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Dir C:\ProGra~1\
4⤵
PID:1528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sYsTEmINFo
4⤵
- Suspicious use of WriteProcessMemory
PID:4484

C:\Windows\SysWOW64\systeminfo.exe
sYsTEmINFo
5⤵
- Gathers system information
PID:4216

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c IpConFig /All
4⤵
- Suspicious use of WriteProcessMemory
PID:4596

C:\Windows\SysWOW64\ipconfig.exe
IpConFig /All
5⤵
- Gathers network information
PID:4972

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Net STarT
4⤵
- Suspicious use of WriteProcessMemory
PID:1900

C:\Windows\SysWOW64\net.exe
Net STarT
5⤵
- Suspicious use of WriteProcessMemory
PID:5032

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 STarT
6⤵
PID:3356

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c Dir C:\ProGra~1\
4⤵
PID:5112

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c sYsTEmINFo
4⤵
- Suspicious use of WriteProcessMemory
PID:1248

C:\Windows\SysWOW64\systeminfo.exe
sYsTEmINFo
5⤵
- Gathers system information
PID:3648

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\IMJP8_1\imejpcic.dll

Filesize
78KB

MD5
9aed87892caa891097ccfe6b77a25639

SHA1
506e9b55918b931ac6950b607dd30ec71a969daa

SHA256
840d18698ff0b114ee587f57231001d046fbd1eb22603e0f951cbb8c290804ed

SHA512
cf0f8bf27b896c3ca007ec010f064e5a3fa5bc789511adb24ac58b8262684acdb9fca8d0db83c1e9bca6c2c0cc8b75c0c29ae7aef7c12b3bab1938ed4682cc13

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\IMJP8_1\imejpcic.dll

Filesize
78KB

MD5
9aed87892caa891097ccfe6b77a25639

SHA1
506e9b55918b931ac6950b607dd30ec71a969daa

SHA256
840d18698ff0b114ee587f57231001d046fbd1eb22603e0f951cbb8c290804ed

SHA512
cf0f8bf27b896c3ca007ec010f064e5a3fa5bc789511adb24ac58b8262684acdb9fca8d0db83c1e9bca6c2c0cc8b75c0c29ae7aef7c12b3bab1938ed4682cc13

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\IMJP8_1\imejpmig.exe

Filesize
41KB

MD5
2df1878ca93c40188ea6e9e56da921eb

SHA1
96ea489a56803d29aa73fa05bad0b14734aff6bd

SHA256
9d6f7a444c6700fbf9526445a35c07d509b58afa7430abf690ebfd09d9138525

SHA512
14b3eb4503901b0097fc16e5a45183e6c4afae24e4c0aa82fb7d2b71406ef0163f0a19485aecc980e5676a3156d9b68afb98893bd9570199cffde31c66de635e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\IMJP8_1\imejpmig.exe

Filesize
41KB

MD5
2df1878ca93c40188ea6e9e56da921eb

SHA1
96ea489a56803d29aa73fa05bad0b14734aff6bd

SHA256
9d6f7a444c6700fbf9526445a35c07d509b58afa7430abf690ebfd09d9138525

SHA512
14b3eb4503901b0097fc16e5a45183e6c4afae24e4c0aa82fb7d2b71406ef0163f0a19485aecc980e5676a3156d9b68afb98893bd9570199cffde31c66de635e

Download Submit
memory/1248-153-0x0000000000000000-mapping.dmp

Download
memory/1528-144-0x0000000000000000-mapping.dmp

Download
memory/1900-149-0x0000000000000000-mapping.dmp

Download
memory/2404-134-0x0000000000000000-mapping.dmp

Download
memory/3356-151-0x0000000000000000-mapping.dmp

Download
memory/3504-140-0x0000000000000000-mapping.dmp

Download
memory/3648-154-0x0000000000000000-mapping.dmp

Download
memory/4216-146-0x0000000000000000-mapping.dmp

Download
memory/4236-141-0x0000000000000000-mapping.dmp

Download
memory/4320-143-0x0000000000000000-mapping.dmp

Download
memory/4484-145-0x0000000000000000-mapping.dmp

Download
memory/4596-147-0x0000000000000000-mapping.dmp

Download
memory/4612-139-0x0000000000000000-mapping.dmp

Download
memory/4760-142-0x0000000000000000-mapping.dmp

Download
memory/4840-132-0x0000000000000000-mapping.dmp

Download
memory/4840-133-0x0000000010000000-0x000000001002D000-memory.dmp

Filesize
180KB

Download
memory/4972-148-0x0000000000000000-mapping.dmp

Download
memory/5032-150-0x0000000000000000-mapping.dmp

Download
memory/5112-152-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads