3cc9b8a43698449a0429a03a60cb79409d5fe7e7c1931cf711096ad552ce8844

General

Target

3cc9b8a43698449a0429a03a60cb79409d5fe7e7c1931cf711096ad552ce8844.exe
Size

268KB
MD5

1cc47f0f1b6fee5dc60a2f4fc70ff603
SHA1

411b91132339da62c78881d0da6e2b6f67bf44e7
SHA256

3cc9b8a43698449a0429a03a60cb79409d5fe7e7c1931cf711096ad552ce8844
SHA512

d1e719106c6f5949c7264e59e5d3d9afc989cb9bfd1e530d4afa54af745cacea18c5e7ed6efad658fb2274ef53dcea58ca11066b31aba087f5891f72b5960412
SSDEEP

6144:bIpnHdreWWrsszHVx0RG6J2L3RmvrR4Er75tLZudw8iXny:OnHdrPW1HVx0RG6Js3erR4Er75tLZudN

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Processes:

juuohaw.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	juuohaw.exe

Executes dropped EXE 1 IoCs

Processes:

juuohaw.exe

pid process

2912 juuohaw.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3cc9b8a43698449a0429a03a60cb79409d5fe7e7c1931cf711096ad552ce8844.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	3cc9b8a43698449a0429a03a60cb79409d5fe7e7c1931cf711096ad552ce8844.exe

Adds Run key to start application 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

juuohaw.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juuohaw = "C:\\Users\\Admin\\juuohaw.exe /z"	juuohaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juuohaw = "C:\\Users\\Admin\\juuohaw.exe /N"	juuohaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juuohaw = "C:\\Users\\Admin\\juuohaw.exe /m"	juuohaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juuohaw = "C:\\Users\\Admin\\juuohaw.exe /v"	juuohaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juuohaw = "C:\\Users\\Admin\\juuohaw.exe /S"	juuohaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juuohaw = "C:\\Users\\Admin\\juuohaw.exe /G"	juuohaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juuohaw = "C:\\Users\\Admin\\juuohaw.exe /s"	juuohaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juuohaw = "C:\\Users\\Admin\\juuohaw.exe /t"	juuohaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juuohaw = "C:\\Users\\Admin\\juuohaw.exe /P"	juuohaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juuohaw = "C:\\Users\\Admin\\juuohaw.exe /d"	juuohaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juuohaw = "C:\\Users\\Admin\\juuohaw.exe /u"	juuohaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juuohaw = "C:\\Users\\Admin\\juuohaw.exe /o"	juuohaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juuohaw = "C:\\Users\\Admin\\juuohaw.exe /M"	juuohaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juuohaw = "C:\\Users\\Admin\\juuohaw.exe /Z"	juuohaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juuohaw = "C:\\Users\\Admin\\juuohaw.exe /X"	juuohaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juuohaw = "C:\\Users\\Admin\\juuohaw.exe /g"	juuohaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juuohaw = "C:\\Users\\Admin\\juuohaw.exe /c"	juuohaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juuohaw = "C:\\Users\\Admin\\juuohaw.exe /a"	juuohaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juuohaw = "C:\\Users\\Admin\\juuohaw.exe /A"	juuohaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juuohaw = "C:\\Users\\Admin\\juuohaw.exe /J"	juuohaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juuohaw = "C:\\Users\\Admin\\juuohaw.exe /q"	juuohaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juuohaw = "C:\\Users\\Admin\\juuohaw.exe /B"	juuohaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juuohaw = "C:\\Users\\Admin\\juuohaw.exe /T"	juuohaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juuohaw = "C:\\Users\\Admin\\juuohaw.exe /Q"	juuohaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juuohaw = "C:\\Users\\Admin\\juuohaw.exe /V"	juuohaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juuohaw = "C:\\Users\\Admin\\juuohaw.exe /p"	juuohaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juuohaw = "C:\\Users\\Admin\\juuohaw.exe /R"	juuohaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juuohaw = "C:\\Users\\Admin\\juuohaw.exe /i"	juuohaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juuohaw = "C:\\Users\\Admin\\juuohaw.exe /E"	juuohaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juuohaw = "C:\\Users\\Admin\\juuohaw.exe /C"	juuohaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juuohaw = "C:\\Users\\Admin\\juuohaw.exe /n"	juuohaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juuohaw = "C:\\Users\\Admin\\juuohaw.exe /O"	juuohaw.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run\	juuohaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juuohaw = "C:\\Users\\Admin\\juuohaw.exe /l"	juuohaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juuohaw = "C:\\Users\\Admin\\juuohaw.exe /H"	juuohaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juuohaw = "C:\\Users\\Admin\\juuohaw.exe /j"	juuohaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juuohaw = "C:\\Users\\Admin\\juuohaw.exe /I"	juuohaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juuohaw = "C:\\Users\\Admin\\juuohaw.exe /K"	juuohaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juuohaw = "C:\\Users\\Admin\\juuohaw.exe /b"	juuohaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juuohaw = "C:\\Users\\Admin\\juuohaw.exe /L"	juuohaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juuohaw = "C:\\Users\\Admin\\juuohaw.exe /Y"	juuohaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juuohaw = "C:\\Users\\Admin\\juuohaw.exe /f"	juuohaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juuohaw = "C:\\Users\\Admin\\juuohaw.exe /F"	juuohaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juuohaw = "C:\\Users\\Admin\\juuohaw.exe /e"	juuohaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juuohaw = "C:\\Users\\Admin\\juuohaw.exe /x"	juuohaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juuohaw = "C:\\Users\\Admin\\juuohaw.exe /r"	juuohaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juuohaw = "C:\\Users\\Admin\\juuohaw.exe /W"	juuohaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juuohaw = "C:\\Users\\Admin\\juuohaw.exe /w"	juuohaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juuohaw = "C:\\Users\\Admin\\juuohaw.exe /k"	juuohaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juuohaw = "C:\\Users\\Admin\\juuohaw.exe /h"	juuohaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juuohaw = "C:\\Users\\Admin\\juuohaw.exe /D"	juuohaw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juuohaw = "C:\\Users\\Admin\\juuohaw.exe /U"	juuohaw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

juuohaw.exe

pid	process
2912	juuohaw.exe
2912	juuohaw.exe
2912	juuohaw.exe
2912	juuohaw.exe
2912	juuohaw.exe
2912	juuohaw.exe
2912	juuohaw.exe
2912	juuohaw.exe
2912	juuohaw.exe
2912	juuohaw.exe
2912	juuohaw.exe
2912	juuohaw.exe
2912	juuohaw.exe
2912	juuohaw.exe
2912	juuohaw.exe
2912	juuohaw.exe
2912	juuohaw.exe
2912	juuohaw.exe
2912	juuohaw.exe
2912	juuohaw.exe
2912	juuohaw.exe
2912	juuohaw.exe
2912	juuohaw.exe
2912	juuohaw.exe
2912	juuohaw.exe
2912	juuohaw.exe
2912	juuohaw.exe
2912	juuohaw.exe
2912	juuohaw.exe
2912	juuohaw.exe
2912	juuohaw.exe
2912	juuohaw.exe
2912	juuohaw.exe
2912	juuohaw.exe
2912	juuohaw.exe
2912	juuohaw.exe
2912	juuohaw.exe
2912	juuohaw.exe
2912	juuohaw.exe
2912	juuohaw.exe
2912	juuohaw.exe
2912	juuohaw.exe
2912	juuohaw.exe
2912	juuohaw.exe
2912	juuohaw.exe
2912	juuohaw.exe
2912	juuohaw.exe
2912	juuohaw.exe
2912	juuohaw.exe
2912	juuohaw.exe
2912	juuohaw.exe
2912	juuohaw.exe
2912	juuohaw.exe
2912	juuohaw.exe
2912	juuohaw.exe
2912	juuohaw.exe
2912	juuohaw.exe
2912	juuohaw.exe
2912	juuohaw.exe
2912	juuohaw.exe
2912	juuohaw.exe
2912	juuohaw.exe
2912	juuohaw.exe
2912	juuohaw.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

3cc9b8a43698449a0429a03a60cb79409d5fe7e7c1931cf711096ad552ce8844.exejuuohaw.exe

pid process

4964 3cc9b8a43698449a0429a03a60cb79409d5fe7e7c1931cf711096ad552ce8844.exe
2912 juuohaw.exe

pid	process
4964	3cc9b8a43698449a0429a03a60cb79409d5fe7e7c1931cf711096ad552ce8844.exe
2912	juuohaw.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3cc9b8a43698449a0429a03a60cb79409d5fe7e7c1931cf711096ad552ce8844.exejuuohaw.exe

description	pid	process	target process
PID 4964 wrote to memory of 2912	4964	3cc9b8a43698449a0429a03a60cb79409d5fe7e7c1931cf711096ad552ce8844.exe	juuohaw.exe
PID 4964 wrote to memory of 2912	4964	3cc9b8a43698449a0429a03a60cb79409d5fe7e7c1931cf711096ad552ce8844.exe	juuohaw.exe
PID 4964 wrote to memory of 2912	4964	3cc9b8a43698449a0429a03a60cb79409d5fe7e7c1931cf711096ad552ce8844.exe	juuohaw.exe
PID 2912 wrote to memory of 4964	2912	juuohaw.exe	3cc9b8a43698449a0429a03a60cb79409d5fe7e7c1931cf711096ad552ce8844.exe
PID 2912 wrote to memory of 4964	2912	juuohaw.exe	3cc9b8a43698449a0429a03a60cb79409d5fe7e7c1931cf711096ad552ce8844.exe
PID 2912 wrote to memory of 4964	2912	juuohaw.exe	3cc9b8a43698449a0429a03a60cb79409d5fe7e7c1931cf711096ad552ce8844.exe
PID 2912 wrote to memory of 4964	2912	juuohaw.exe	3cc9b8a43698449a0429a03a60cb79409d5fe7e7c1931cf711096ad552ce8844.exe
PID 2912 wrote to memory of 4964	2912	juuohaw.exe	3cc9b8a43698449a0429a03a60cb79409d5fe7e7c1931cf711096ad552ce8844.exe
PID 2912 wrote to memory of 4964	2912	juuohaw.exe	3cc9b8a43698449a0429a03a60cb79409d5fe7e7c1931cf711096ad552ce8844.exe
PID 2912 wrote to memory of 4964	2912	juuohaw.exe	3cc9b8a43698449a0429a03a60cb79409d5fe7e7c1931cf711096ad552ce8844.exe
PID 2912 wrote to memory of 4964	2912	juuohaw.exe	3cc9b8a43698449a0429a03a60cb79409d5fe7e7c1931cf711096ad552ce8844.exe
PID 2912 wrote to memory of 4964	2912	juuohaw.exe	3cc9b8a43698449a0429a03a60cb79409d5fe7e7c1931cf711096ad552ce8844.exe
PID 2912 wrote to memory of 4964	2912	juuohaw.exe	3cc9b8a43698449a0429a03a60cb79409d5fe7e7c1931cf711096ad552ce8844.exe
PID 2912 wrote to memory of 4964	2912	juuohaw.exe	3cc9b8a43698449a0429a03a60cb79409d5fe7e7c1931cf711096ad552ce8844.exe
PID 2912 wrote to memory of 4964	2912	juuohaw.exe	3cc9b8a43698449a0429a03a60cb79409d5fe7e7c1931cf711096ad552ce8844.exe
PID 2912 wrote to memory of 4964	2912	juuohaw.exe	3cc9b8a43698449a0429a03a60cb79409d5fe7e7c1931cf711096ad552ce8844.exe
PID 2912 wrote to memory of 4964	2912	juuohaw.exe	3cc9b8a43698449a0429a03a60cb79409d5fe7e7c1931cf711096ad552ce8844.exe
PID 2912 wrote to memory of 4964	2912	juuohaw.exe	3cc9b8a43698449a0429a03a60cb79409d5fe7e7c1931cf711096ad552ce8844.exe
PID 2912 wrote to memory of 4964	2912	juuohaw.exe	3cc9b8a43698449a0429a03a60cb79409d5fe7e7c1931cf711096ad552ce8844.exe
PID 2912 wrote to memory of 4964	2912	juuohaw.exe	3cc9b8a43698449a0429a03a60cb79409d5fe7e7c1931cf711096ad552ce8844.exe
PID 2912 wrote to memory of 4964	2912	juuohaw.exe	3cc9b8a43698449a0429a03a60cb79409d5fe7e7c1931cf711096ad552ce8844.exe
PID 2912 wrote to memory of 4964	2912	juuohaw.exe	3cc9b8a43698449a0429a03a60cb79409d5fe7e7c1931cf711096ad552ce8844.exe
PID 2912 wrote to memory of 4964	2912	juuohaw.exe	3cc9b8a43698449a0429a03a60cb79409d5fe7e7c1931cf711096ad552ce8844.exe
PID 2912 wrote to memory of 4964	2912	juuohaw.exe	3cc9b8a43698449a0429a03a60cb79409d5fe7e7c1931cf711096ad552ce8844.exe
PID 2912 wrote to memory of 4964	2912	juuohaw.exe	3cc9b8a43698449a0429a03a60cb79409d5fe7e7c1931cf711096ad552ce8844.exe
PID 2912 wrote to memory of 4964	2912	juuohaw.exe	3cc9b8a43698449a0429a03a60cb79409d5fe7e7c1931cf711096ad552ce8844.exe
PID 2912 wrote to memory of 4964	2912	juuohaw.exe	3cc9b8a43698449a0429a03a60cb79409d5fe7e7c1931cf711096ad552ce8844.exe
PID 2912 wrote to memory of 4964	2912	juuohaw.exe	3cc9b8a43698449a0429a03a60cb79409d5fe7e7c1931cf711096ad552ce8844.exe
PID 2912 wrote to memory of 4964	2912	juuohaw.exe	3cc9b8a43698449a0429a03a60cb79409d5fe7e7c1931cf711096ad552ce8844.exe
PID 2912 wrote to memory of 4964	2912	juuohaw.exe	3cc9b8a43698449a0429a03a60cb79409d5fe7e7c1931cf711096ad552ce8844.exe
PID 2912 wrote to memory of 4964	2912	juuohaw.exe	3cc9b8a43698449a0429a03a60cb79409d5fe7e7c1931cf711096ad552ce8844.exe
PID 2912 wrote to memory of 4964	2912	juuohaw.exe	3cc9b8a43698449a0429a03a60cb79409d5fe7e7c1931cf711096ad552ce8844.exe
PID 2912 wrote to memory of 4964	2912	juuohaw.exe	3cc9b8a43698449a0429a03a60cb79409d5fe7e7c1931cf711096ad552ce8844.exe
PID 2912 wrote to memory of 4964	2912	juuohaw.exe	3cc9b8a43698449a0429a03a60cb79409d5fe7e7c1931cf711096ad552ce8844.exe
PID 2912 wrote to memory of 4964	2912	juuohaw.exe	3cc9b8a43698449a0429a03a60cb79409d5fe7e7c1931cf711096ad552ce8844.exe
PID 2912 wrote to memory of 4964	2912	juuohaw.exe	3cc9b8a43698449a0429a03a60cb79409d5fe7e7c1931cf711096ad552ce8844.exe
PID 2912 wrote to memory of 4964	2912	juuohaw.exe	3cc9b8a43698449a0429a03a60cb79409d5fe7e7c1931cf711096ad552ce8844.exe
PID 2912 wrote to memory of 4964	2912	juuohaw.exe	3cc9b8a43698449a0429a03a60cb79409d5fe7e7c1931cf711096ad552ce8844.exe
PID 2912 wrote to memory of 4964	2912	juuohaw.exe	3cc9b8a43698449a0429a03a60cb79409d5fe7e7c1931cf711096ad552ce8844.exe
PID 2912 wrote to memory of 4964	2912	juuohaw.exe	3cc9b8a43698449a0429a03a60cb79409d5fe7e7c1931cf711096ad552ce8844.exe
PID 2912 wrote to memory of 4964	2912	juuohaw.exe	3cc9b8a43698449a0429a03a60cb79409d5fe7e7c1931cf711096ad552ce8844.exe
PID 2912 wrote to memory of 4964	2912	juuohaw.exe	3cc9b8a43698449a0429a03a60cb79409d5fe7e7c1931cf711096ad552ce8844.exe
PID 2912 wrote to memory of 4964	2912	juuohaw.exe	3cc9b8a43698449a0429a03a60cb79409d5fe7e7c1931cf711096ad552ce8844.exe
PID 2912 wrote to memory of 4964	2912	juuohaw.exe	3cc9b8a43698449a0429a03a60cb79409d5fe7e7c1931cf711096ad552ce8844.exe
PID 2912 wrote to memory of 4964	2912	juuohaw.exe	3cc9b8a43698449a0429a03a60cb79409d5fe7e7c1931cf711096ad552ce8844.exe
PID 2912 wrote to memory of 4964	2912	juuohaw.exe	3cc9b8a43698449a0429a03a60cb79409d5fe7e7c1931cf711096ad552ce8844.exe
PID 2912 wrote to memory of 4964	2912	juuohaw.exe	3cc9b8a43698449a0429a03a60cb79409d5fe7e7c1931cf711096ad552ce8844.exe
PID 2912 wrote to memory of 4964	2912	juuohaw.exe	3cc9b8a43698449a0429a03a60cb79409d5fe7e7c1931cf711096ad552ce8844.exe
PID 2912 wrote to memory of 4964	2912	juuohaw.exe	3cc9b8a43698449a0429a03a60cb79409d5fe7e7c1931cf711096ad552ce8844.exe
PID 2912 wrote to memory of 4964	2912	juuohaw.exe	3cc9b8a43698449a0429a03a60cb79409d5fe7e7c1931cf711096ad552ce8844.exe
PID 2912 wrote to memory of 4964	2912	juuohaw.exe	3cc9b8a43698449a0429a03a60cb79409d5fe7e7c1931cf711096ad552ce8844.exe
PID 2912 wrote to memory of 4964	2912	juuohaw.exe	3cc9b8a43698449a0429a03a60cb79409d5fe7e7c1931cf711096ad552ce8844.exe
PID 2912 wrote to memory of 4964	2912	juuohaw.exe	3cc9b8a43698449a0429a03a60cb79409d5fe7e7c1931cf711096ad552ce8844.exe
PID 2912 wrote to memory of 4964	2912	juuohaw.exe	3cc9b8a43698449a0429a03a60cb79409d5fe7e7c1931cf711096ad552ce8844.exe
PID 2912 wrote to memory of 4964	2912	juuohaw.exe	3cc9b8a43698449a0429a03a60cb79409d5fe7e7c1931cf711096ad552ce8844.exe
PID 2912 wrote to memory of 4964	2912	juuohaw.exe	3cc9b8a43698449a0429a03a60cb79409d5fe7e7c1931cf711096ad552ce8844.exe
PID 2912 wrote to memory of 4964	2912	juuohaw.exe	3cc9b8a43698449a0429a03a60cb79409d5fe7e7c1931cf711096ad552ce8844.exe
PID 2912 wrote to memory of 4964	2912	juuohaw.exe	3cc9b8a43698449a0429a03a60cb79409d5fe7e7c1931cf711096ad552ce8844.exe
PID 2912 wrote to memory of 4964	2912	juuohaw.exe	3cc9b8a43698449a0429a03a60cb79409d5fe7e7c1931cf711096ad552ce8844.exe
PID 2912 wrote to memory of 4964	2912	juuohaw.exe	3cc9b8a43698449a0429a03a60cb79409d5fe7e7c1931cf711096ad552ce8844.exe
PID 2912 wrote to memory of 4964	2912	juuohaw.exe	3cc9b8a43698449a0429a03a60cb79409d5fe7e7c1931cf711096ad552ce8844.exe
PID 2912 wrote to memory of 4964	2912	juuohaw.exe	3cc9b8a43698449a0429a03a60cb79409d5fe7e7c1931cf711096ad552ce8844.exe
PID 2912 wrote to memory of 4964	2912	juuohaw.exe	3cc9b8a43698449a0429a03a60cb79409d5fe7e7c1931cf711096ad552ce8844.exe
PID 2912 wrote to memory of 4964	2912	juuohaw.exe	3cc9b8a43698449a0429a03a60cb79409d5fe7e7c1931cf711096ad552ce8844.exe

C:\Users\Admin\AppData\Local\Temp\3cc9b8a43698449a0429a03a60cb79409d5fe7e7c1931cf711096ad552ce8844.exe
"C:\Users\Admin\AppData\Local\Temp\3cc9b8a43698449a0429a03a60cb79409d5fe7e7c1931cf711096ad552ce8844.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4964

C:\Users\Admin\juuohaw.exe
"C:\Users\Admin\juuohaw.exe"
2⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\juuohaw.exe

Filesize
268KB

MD5
02ac9b8715176fb8e3796d44580dafde

SHA1
4a57fcb1e7d9c0d742b8496b991cca68d5f031a2

SHA256
15be199aa809cd250dfa7a3cb0a851487192c3b9e9ee3fcab90c1db73f797b46

SHA512
850dbbf9b32aebc5f926c3ef3384e3f8d6c6b95bb36660c7f2c7b1729f2c504c30cffc9e07279c9eac8057f963b320d33eb07811701bcb9e954976baed840d90

Download Submit
C:\Users\Admin\juuohaw.exe

Filesize
268KB

MD5
02ac9b8715176fb8e3796d44580dafde

SHA1
4a57fcb1e7d9c0d742b8496b991cca68d5f031a2

SHA256
15be199aa809cd250dfa7a3cb0a851487192c3b9e9ee3fcab90c1db73f797b46

SHA512
850dbbf9b32aebc5f926c3ef3384e3f8d6c6b95bb36660c7f2c7b1729f2c504c30cffc9e07279c9eac8057f963b320d33eb07811701bcb9e954976baed840d90

Download Submit
memory/2912-137-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads