3d5cd7abb7a366ab2bd7fa19512b5e5cfb606a9d2405bee5262c3cecd1e421dc

General

Target

3d5cd7abb7a366ab2bd7fa19512b5e5cfb606a9d2405bee5262c3cecd1e421dc.exe
Size

252KB
MD5

4ac1afd1d94d25e4495c8290591f4020
SHA1

fbaed259b8a0a3ee435fe8b5a307aa14fb2b7c2a
SHA256

3d5cd7abb7a366ab2bd7fa19512b5e5cfb606a9d2405bee5262c3cecd1e421dc
SHA512

88da364ef35092c553698f7fa8dd6c8439198c875e19b9a1c1410e4196e42cbc06987bc67620ee5d63e9c35b6d105227bf4eeda6aa3d18e06f8b08f7e26600cc
SSDEEP

3072:grAc+x7LaShsNvZ0OgRqTAJcLGGO/xuiEyJeOOeGs5oxnkNzQKtjQx:grghCx/ZLA4PmG6dK

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

3d5cd7abb7a366ab2bd7fa19512b5e5cfb606a9d2405bee5262c3cecd1e421dc.exejeairu.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	3d5cd7abb7a366ab2bd7fa19512b5e5cfb606a9d2405bee5262c3cecd1e421dc.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	jeairu.exe

Executes dropped EXE 1 IoCs

Processes:

jeairu.exe

pid process

1832 jeairu.exe

pid	process
1832	jeairu.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3d5cd7abb7a366ab2bd7fa19512b5e5cfb606a9d2405bee5262c3cecd1e421dc.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation	3d5cd7abb7a366ab2bd7fa19512b5e5cfb606a9d2405bee5262c3cecd1e421dc.exe

Adds Run key to start application 2 TTPs 53 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

3d5cd7abb7a366ab2bd7fa19512b5e5cfb606a9d2405bee5262c3cecd1e421dc.exejeairu.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jeairu = "C:\\Users\\Admin\\jeairu.exe /l"	3d5cd7abb7a366ab2bd7fa19512b5e5cfb606a9d2405bee5262c3cecd1e421dc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jeairu = "C:\\Users\\Admin\\jeairu.exe /T"	jeairu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jeairu = "C:\\Users\\Admin\\jeairu.exe /E"	jeairu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jeairu = "C:\\Users\\Admin\\jeairu.exe /I"	jeairu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jeairu = "C:\\Users\\Admin\\jeairu.exe /b"	jeairu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jeairu = "C:\\Users\\Admin\\jeairu.exe /R"	jeairu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jeairu = "C:\\Users\\Admin\\jeairu.exe /O"	jeairu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jeairu = "C:\\Users\\Admin\\jeairu.exe /u"	jeairu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jeairu = "C:\\Users\\Admin\\jeairu.exe /a"	jeairu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jeairu = "C:\\Users\\Admin\\jeairu.exe /J"	jeairu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jeairu = "C:\\Users\\Admin\\jeairu.exe /x"	jeairu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jeairu = "C:\\Users\\Admin\\jeairu.exe /h"	jeairu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jeairu = "C:\\Users\\Admin\\jeairu.exe /j"	jeairu.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Windows\CurrentVersion\Run\	3d5cd7abb7a366ab2bd7fa19512b5e5cfb606a9d2405bee5262c3cecd1e421dc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jeairu = "C:\\Users\\Admin\\jeairu.exe /r"	jeairu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jeairu = "C:\\Users\\Admin\\jeairu.exe /G"	jeairu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jeairu = "C:\\Users\\Admin\\jeairu.exe /D"	jeairu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jeairu = "C:\\Users\\Admin\\jeairu.exe /l"	jeairu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jeairu = "C:\\Users\\Admin\\jeairu.exe /S"	jeairu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jeairu = "C:\\Users\\Admin\\jeairu.exe /N"	jeairu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jeairu = "C:\\Users\\Admin\\jeairu.exe /n"	jeairu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jeairu = "C:\\Users\\Admin\\jeairu.exe /K"	jeairu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jeairu = "C:\\Users\\Admin\\jeairu.exe /m"	jeairu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jeairu = "C:\\Users\\Admin\\jeairu.exe /B"	jeairu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jeairu = "C:\\Users\\Admin\\jeairu.exe /w"	jeairu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jeairu = "C:\\Users\\Admin\\jeairu.exe /z"	jeairu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jeairu = "C:\\Users\\Admin\\jeairu.exe /i"	jeairu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jeairu = "C:\\Users\\Admin\\jeairu.exe /o"	jeairu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jeairu = "C:\\Users\\Admin\\jeairu.exe /U"	jeairu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jeairu = "C:\\Users\\Admin\\jeairu.exe /V"	jeairu.exe
Key created	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Windows\CurrentVersion\Run\	jeairu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jeairu = "C:\\Users\\Admin\\jeairu.exe /X"	jeairu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jeairu = "C:\\Users\\Admin\\jeairu.exe /Y"	jeairu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jeairu = "C:\\Users\\Admin\\jeairu.exe /C"	jeairu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jeairu = "C:\\Users\\Admin\\jeairu.exe /g"	jeairu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jeairu = "C:\\Users\\Admin\\jeairu.exe /y"	jeairu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jeairu = "C:\\Users\\Admin\\jeairu.exe /W"	jeairu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jeairu = "C:\\Users\\Admin\\jeairu.exe /f"	jeairu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jeairu = "C:\\Users\\Admin\\jeairu.exe /P"	jeairu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jeairu = "C:\\Users\\Admin\\jeairu.exe /p"	jeairu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jeairu = "C:\\Users\\Admin\\jeairu.exe /k"	jeairu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jeairu = "C:\\Users\\Admin\\jeairu.exe /q"	jeairu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jeairu = "C:\\Users\\Admin\\jeairu.exe /A"	jeairu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jeairu = "C:\\Users\\Admin\\jeairu.exe /v"	jeairu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jeairu = "C:\\Users\\Admin\\jeairu.exe /Q"	jeairu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jeairu = "C:\\Users\\Admin\\jeairu.exe /F"	jeairu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jeairu = "C:\\Users\\Admin\\jeairu.exe /H"	jeairu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jeairu = "C:\\Users\\Admin\\jeairu.exe /d"	jeairu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jeairu = "C:\\Users\\Admin\\jeairu.exe /L"	jeairu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jeairu = "C:\\Users\\Admin\\jeairu.exe /c"	jeairu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jeairu = "C:\\Users\\Admin\\jeairu.exe /Z"	jeairu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jeairu = "C:\\Users\\Admin\\jeairu.exe /s"	jeairu.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jeairu = "C:\\Users\\Admin\\jeairu.exe /t"	jeairu.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3d5cd7abb7a366ab2bd7fa19512b5e5cfb606a9d2405bee5262c3cecd1e421dc.exejeairu.exe

pid	process
4668	3d5cd7abb7a366ab2bd7fa19512b5e5cfb606a9d2405bee5262c3cecd1e421dc.exe
4668	3d5cd7abb7a366ab2bd7fa19512b5e5cfb606a9d2405bee5262c3cecd1e421dc.exe
1832	jeairu.exe
1832	jeairu.exe
1832	jeairu.exe
1832	jeairu.exe
1832	jeairu.exe
1832	jeairu.exe
1832	jeairu.exe
1832	jeairu.exe
1832	jeairu.exe
1832	jeairu.exe
1832	jeairu.exe
1832	jeairu.exe
1832	jeairu.exe
1832	jeairu.exe
1832	jeairu.exe
1832	jeairu.exe
1832	jeairu.exe
1832	jeairu.exe
1832	jeairu.exe
1832	jeairu.exe
1832	jeairu.exe
1832	jeairu.exe
1832	jeairu.exe
1832	jeairu.exe
1832	jeairu.exe
1832	jeairu.exe
1832	jeairu.exe
1832	jeairu.exe
1832	jeairu.exe
1832	jeairu.exe
1832	jeairu.exe
1832	jeairu.exe
1832	jeairu.exe
1832	jeairu.exe
1832	jeairu.exe
1832	jeairu.exe
1832	jeairu.exe
1832	jeairu.exe
1832	jeairu.exe
1832	jeairu.exe
1832	jeairu.exe
1832	jeairu.exe
1832	jeairu.exe
1832	jeairu.exe
1832	jeairu.exe
1832	jeairu.exe
1832	jeairu.exe
1832	jeairu.exe
1832	jeairu.exe
1832	jeairu.exe
1832	jeairu.exe
1832	jeairu.exe
1832	jeairu.exe
1832	jeairu.exe
1832	jeairu.exe
1832	jeairu.exe
1832	jeairu.exe
1832	jeairu.exe
1832	jeairu.exe
1832	jeairu.exe
1832	jeairu.exe
1832	jeairu.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

3d5cd7abb7a366ab2bd7fa19512b5e5cfb606a9d2405bee5262c3cecd1e421dc.exejeairu.exe

pid process

4668 3d5cd7abb7a366ab2bd7fa19512b5e5cfb606a9d2405bee5262c3cecd1e421dc.exe
1832 jeairu.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

3d5cd7abb7a366ab2bd7fa19512b5e5cfb606a9d2405bee5262c3cecd1e421dc.exe

description	pid	process	target process
PID 4668 wrote to memory of 1832	4668	3d5cd7abb7a366ab2bd7fa19512b5e5cfb606a9d2405bee5262c3cecd1e421dc.exe	jeairu.exe
PID 4668 wrote to memory of 1832	4668	3d5cd7abb7a366ab2bd7fa19512b5e5cfb606a9d2405bee5262c3cecd1e421dc.exe	jeairu.exe
PID 4668 wrote to memory of 1832	4668	3d5cd7abb7a366ab2bd7fa19512b5e5cfb606a9d2405bee5262c3cecd1e421dc.exe	jeairu.exe

C:\Users\Admin\AppData\Local\Temp\3d5cd7abb7a366ab2bd7fa19512b5e5cfb606a9d2405bee5262c3cecd1e421dc.exe
"C:\Users\Admin\AppData\Local\Temp\3d5cd7abb7a366ab2bd7fa19512b5e5cfb606a9d2405bee5262c3cecd1e421dc.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4668

C:\Users\Admin\jeairu.exe
"C:\Users\Admin\jeairu.exe"
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\jeairu.exe

Filesize
252KB

MD5
b47a33e49e080043251db5252ecc74e1

SHA1
5b362578f228eec838a5eddc098845dd824705b1

SHA256
fddc2d599ca996acabe64a11bee5f0d90d9783eda91f52f647b8e0b0109f4340

SHA512
75de8111a4e5ab22c622bab3cbeca02dd45321e39c59beb415779edb4e6d42455313333aeb952f1c626677970ca51b8c053f8192a4b8263e929b68fb7aefba74

Download Submit
C:\Users\Admin\jeairu.exe

Filesize
252KB

MD5
b47a33e49e080043251db5252ecc74e1

SHA1
5b362578f228eec838a5eddc098845dd824705b1

SHA256
fddc2d599ca996acabe64a11bee5f0d90d9783eda91f52f647b8e0b0109f4340

SHA512
75de8111a4e5ab22c622bab3cbeca02dd45321e39c59beb415779edb4e6d42455313333aeb952f1c626677970ca51b8c053f8192a4b8263e929b68fb7aefba74

Download Submit
memory/1832-134-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads