Analysis
- max time kernel: 185s
- max time network: 191s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-11-2022 00:17
Static task: static1
Behavioral task: behavioral1
- Sample: 23211e501f1c71a824685685fd0588527a958859e2409d48f538051f2ff7f348.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: 23211e501f1c71a824685685fd0588527a958859e2409d48f538051f2ff7f348.exe
- Resource: win10v2004-20221111-en
General
- Target: 23211e501f1c71a824685685fd0588527a958859e2409d48f538051f2ff7f348.exe
- Size: 306KB
- MD5: 03f011e7fd3e0e34b9819428265ac7d0
- SHA1: 8e0bb5143a9fa13db6d7396983d79f3305f324f6
- SHA256: 23211e501f1c71a824685685fd0588527a958859e2409d48f538051f2ff7f348
- SHA512: d0b98a44e4498db6b67f2e3b9c13291f91d4b7c1e03208ddf836cb82c97b4f60a7ceb37d011e1947ce18eae768ae224beb2a0d9a16b6b2101ef158f655f45dc7
- SSDEEP: 6144:+QGUiVQ3MuE6Hz6gSPfZXx6v354302k9pvU8XzwFZgP:+QGvQ36HuJs02k9pvU8XzwF+
Malware Config
Signatures

Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
Processes: 23211e501f1c71a824685685fd0588527a958859e2409d48f538051f2ff7f348.exe, juheh.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (23211e501f1c71a824685685fd0588527a958859e2409d48f538051f2ff7f348.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (juheh.exe)
Executes dropped EXE (1 IoCs)
Processes: juheh.exe
- PID 3180 juheh.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: 23211e501f1c71a824685685fd0588527a958859e2409d48f538051f2ff7f348.exe
- Key value queried \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Control Panel\International\Geo\Nation (23211e501f1c71a824685685fd0588527a958859e2409d48f538051f2ff7f348.exe)
Adds Run key to start application (2 TTPs, 11 IoCs)
Processes: juheh.exe, 23211e501f1c71a824685685fd0588527a958859e2409d48f538051f2ff7f348.exe
- Key created \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Windows\CurrentVersion\Run\ (juheh.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juheh = "C:\\Users\\Admin\\juheh.exe /a" (juheh.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juheh = "C:\\Users\\Admin\\juheh.exe /k" (juheh.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juheh = "C:\\Users\\Admin\\juheh.exe /l" (juheh.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juheh = "C:\\Users\\Admin\\juheh.exe /y" (juheh.exe)
- Key created \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\Software\Microsoft\Windows\CurrentVersion\Run\ (23211e501f1c71a824685685fd0588527a958859e2409d48f538051f2ff7f348.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juheh = "C:\\Users\\Admin\\juheh.exe /m" (23211e501f1c71a824685685fd0588527a958859e2409d48f538051f2ff7f348.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juheh = "C:\\Users\\Admin\\juheh.exe /v" (juheh.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juheh = "C:\\Users\\Admin\\juheh.exe /w" (juheh.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juheh = "C:\\Users\\Admin\\juheh.exe /h" (juheh.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-4060001867-1434967833-2212371794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\juheh = "C:\\Users\\Admin\\juheh.exe /z" (juheh.exe)
Maps connected drives based on registry (3 TTPs, 4 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes: juheh.exe, 23211e501f1c71a824685685fd0588527a958859e2409d48f538051f2ff7f348.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (juheh.exe)
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 (juheh.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum (23211e501f1c71a824685685fd0588527a958859e2409d48f538051f2ff7f348.exe)
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 (23211e501f1c71a824685685fd0588527a958859e2409d48f538051f2ff7f348.exe)
Drops autorun.inf file (1 TTPs, 1 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes: juheh.exe
- File opened for modification C:\Users\Admin\c\autorun.inf (juheh.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 23211e501f1c71a824685685fd0588527a958859e2409d48f538051f2ff7f348.exe, juheh.exe
- PID 1008 23211e501f1c71a824685685fd0588527a958859e2409d48f538051f2ff7f348.exe (repeated entries)
- PID 3180 juheh.exe (repeated entries)
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes: 23211e501f1c71a824685685fd0588527a958859e2409d48f538051f2ff7f348.exe, juheh.exe
- PID 1008 23211e501f1c71a824685685fd0588527a958859e2409d48f538051f2ff7f348.exe
- PID 3180 juheh.exe
Suspicious use of WriteProcessMemory (3 IoCs)
Processes: 23211e501f1c71a824685685fd0588527a958859e2409d48f538051f2ff7f348.exe
- PID 1008 wrote to memory of 3180 (23211e501f1c71a824685685fd0588527a958859e2409d48f538051f2ff7f348.exe -> juheh.exe)
- PID 1008 wrote to memory of 3180 (23211e501f1c71a824685685fd0588527a958859e2409d48f538051f2ff7f348.exe -> juheh.exe)
- PID 1008 wrote to memory of 3180 (23211e501f1c71a824685685fd0588527a958859e2409d48f538051f2ff7f348.exe -> juheh.exe)
Processes
1. C:\Users\Admin\AppData\Local\Temp\23211e501f1c71a824685685fd0588527a958859e2409d48f538051f2ff7f348.exe (PID 1008)
   Command line: "C:\Users\Admin\AppData\Local\Temp\23211e501f1c71a824685685fd0588527a958859e2409d48f538051f2ff7f348.exe"
   - Modifies visibility of hidden/system files in Explorer
   - Checks computer location settings
   - Adds Run key to start application
   - Maps connected drives based on registry
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\juheh.exe (PID 3180, child of PID 1008)
      Command line: "C:\Users\Admin\juheh.exe"
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - Maps connected drives based on registry
      - Drops autorun.inf file
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 306KB
- MD5: 03f011e7fd3e0e34b9819428265ac7d0
- SHA1: 8e0bb5143a9fa13db6d7396983d79f3305f324f6
- SHA256: 23211e501f1c71a824685685fd0588527a958859e2409d48f538051f2ff7f348
- SHA512: d0b98a44e4498db6b67f2e3b9c13291f91d4b7c1e03208ddf836cb82c97b4f60a7ceb37d011e1947ce18eae768ae224beb2a0d9a16b6b2101ef158f655f45dc7