5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6

General

Target

5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe
Size

207KB
MD5

06a3c6eef03c24505b9c2152ec78380a
SHA1

3dbe9afc76c4099e57df6402b199c650b1d98681
SHA256

5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6
SHA512

9d3759f934ef6bf57246c49c8121f0fa5b69d9393902a5a15c7ef1e400e4682a373142a471a8100886776602ac0c3f722b2aea86d1ca57dbc0e7157237ebf58a
SSDEEP

3072:EDQkrZoosbIfXJ6S6W6DW6czlhFgChaK8nqyRvd2DT3LNBvv0ArGAK0ZlljM8+7k:EDpoeLRvJD+q8lEbLfhKsVM4Cm

Score

8^/10

persistence

Malware Config

Signatures

Sets file execution options in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jtkyyvgiu.exe\DisableExceptionChainValidation	5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jtkyyvgiu.exe	5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe

Loads dropped DLL 1 IoCs

Processes:

5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe

pid process

900 5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe

pid	process
900	5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe

Checks for any installed AV software in registry 1 TTPs 2 IoCs

Security Software Discovery

T1063

Processes:

5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Avira	5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\avast! Antivirus	5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe

description ioc process

File created C:\ProgramData\Win Audio\desktop.ini 5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe

description	ioc	process
File created	C:\ProgramData\Win Audio\desktop.ini	5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe

description	pid	process	target process
PID 900 set thread context of 912	900	5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe	5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2	5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1736 schtasks.exe

pid	process
1736	schtasks.exe

Modifies registry class 7 IoCs

Processes:

5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\CLSID\{C0BE651F-FD73-624F-87CD-9F2BE035C723}\16510401\CG1	5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\CLSID	5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\CLSID\{C0BE651F-FD73-624F-87CD-9F2BE035C723}	5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\CLSID\{C0BE651F-FD73-624F-87CD-9F2BE035C723}\16510401	5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\CLSID\{C0BE651F-FD73-624F-87CD-9F2BE035C723}\16510401\CG1\HAL = 05ee0000	5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\CLSID\{C0BE651F-FD73-624F-87CD-9F2BE035C723}\16510401\ê'ât3	5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\CLSID\{C0BE651F-FD73-624F-87CD-9F2BE035C723}\16510401\ê'ât3\BID = 2000080018000b00e60700001400000018000c0035002c000000000058697f63	5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe

pid	process
912	5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe
912	5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe

pid process

912 5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe

description	pid	process
Token: SeRestorePrivilege	912	5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe
Token: SeBackupPrivilege	912	5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe
Token: SeDebugPrivilege	912	5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe

description	pid	process	target process
PID 900 wrote to memory of 912	900	5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe	5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe
PID 900 wrote to memory of 912	900	5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe	5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe
PID 900 wrote to memory of 912	900	5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe	5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe
PID 900 wrote to memory of 912	900	5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe	5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe
PID 900 wrote to memory of 912	900	5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe	5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe
PID 900 wrote to memory of 912	900	5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe	5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe
PID 900 wrote to memory of 912	900	5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe	5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe
PID 900 wrote to memory of 912	900	5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe	5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe
PID 900 wrote to memory of 912	900	5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe	5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe
PID 900 wrote to memory of 912	900	5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe	5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe
PID 900 wrote to memory of 912	900	5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe	5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe
PID 900 wrote to memory of 912	900	5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe	5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe
PID 900 wrote to memory of 912	900	5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe	5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe
PID 912 wrote to memory of 1736	912	5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe	schtasks.exe
PID 912 wrote to memory of 1736	912	5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe	schtasks.exe
PID 912 wrote to memory of 1736	912	5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe	schtasks.exe
PID 912 wrote to memory of 1736	912	5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe	schtasks.exe
PID 912 wrote to memory of 1696	912	5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe	WerFault.exe
PID 912 wrote to memory of 1696	912	5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe	WerFault.exe
PID 912 wrote to memory of 1696	912	5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe	WerFault.exe
PID 912 wrote to memory of 1696	912	5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe	WerFault.exe
PID 912 wrote to memory of 1696	912	5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe	WerFault.exe
PID 912 wrote to memory of 1696	912	5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe	WerFault.exe
PID 912 wrote to memory of 1696	912	5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe
"C:\Users\Admin\AppData\Local\Temp\5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:900

C:\Users\Admin\AppData\Local\Temp\5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe
"C:\Users\Admin\AppData\Local\Temp\5e8e046ec47d9fa95a3d94fe465ed7e1e07ff8dcd77d3cc57d647559ae6400f6.exe"
2⤵
- Sets file execution options in registry
- Checks for any installed AV software in registry
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:912

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /CREATE /SC ONLOGON /TN "Windows Update Check - 0x16510401" /TR "C:\ProgramData\Win Audio\jtkyyvgiu.exe" /RL HIGHEST
3⤵
- Creates scheduled task(s)
PID:1736

C:\Windows\SysWOW64\WerFault.exe
"C:\Windows\SysWOW64\WerFault.exe"
3⤵
PID:1696

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Security Software Discovery

1

T1063

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nso47EC.tmp\mozambican.dll

Filesize
60KB

MD5
b44d5800a97bbf5a60bc9c2bd41fec1d

SHA1
e6d359df173ec66d624c510e5ba50682556a7f61

SHA256
c0df69587197b0eb513582a951c2f833f0a1b80a5e2ea715722c48b1b5ea9b8f

SHA512
db69d9fa3ae1fd545e485a0af3ab3645692ae646701b4150e2dc1f902a4174e0bb6d615ad00d8df62f02a46f059f5c0219439e35123af511b57940d970b8e737

Download Submit
memory/900-54-0x0000000076071000-0x0000000076073000-memory.dmp

Filesize
8KB

Download
memory/900-56-0x0000000001E50000-0x0000000001E68000-memory.dmp

Filesize
96KB

Download
memory/912-66-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/912-70-0x00000000001D0000-0x000000000021B000-memory.dmp

Filesize
300KB

Download
memory/912-60-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/912-57-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/912-62-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/912-63-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/912-64-0x000000000040120A-mapping.dmp

Download
memory/912-58-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/912-69-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/912-59-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/912-71-0x00000000001D0000-0x000000000021B000-memory.dmp

Filesize
300KB

Download
memory/912-72-0x0000000000440000-0x000000000044B000-memory.dmp

Filesize
44KB

Download
memory/912-75-0x00000000001D0000-0x000000000021B000-memory.dmp

Filesize
300KB

Download
memory/1696-74-0x0000000000000000-mapping.dmp

Download
memory/1696-76-0x00000000000D0000-0x0000000000152000-memory.dmp

Filesize
520KB

Download
memory/1696-77-0x00000000775D0000-0x0000000077751000-memory.dmp

Filesize
1.5MB

Download
memory/1696-78-0x00000000000D0000-0x0000000000152000-memory.dmp

Filesize
520KB

Download
memory/1696-79-0x00000000775D0000-0x0000000077751000-memory.dmp

Filesize
1.5MB

Download
memory/1736-73-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads