aad8520ed678e9d9b0893d0f74e6c1d632c8705179866f696a77a8fda56abc97

Analysis

max time kernel
145s
max time network
54s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
25-11-2022 12:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aad8520ed678e9d9b0893d0f74e6c1d632c8705179866f696a77a8fda56abc97.exe
Size

777KB
MD5

d82e609b6ce178344f82b963648f67bc
SHA1

412496833d5f6d68c218053b4a5ce960d50a4d07
SHA256

aad8520ed678e9d9b0893d0f74e6c1d632c8705179866f696a77a8fda56abc97
SHA512

e9371dedd2de892764924e9febbe732cd62aef1699043dffd09bb6dc9ba5e886dea1943a62fc5aac7d9e0d97f6857a8a336e183c1b700246050ce17537da3561
SSDEEP

24576:tt24jEqdf2XHdnA/PmKH2v27efUlcaVW67fsMc:J7mpMm/lsqKWKf1c

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

uxjev.pifuxjev.pif

pid process

556 uxjev.pif
1276 uxjev.pif

pid	process
556	uxjev.pif
1276	uxjev.pif

Loads dropped DLL 6 IoCs

Processes:

aad8520ed678e9d9b0893d0f74e6c1d632c8705179866f696a77a8fda56abc97.exeuxjev.pif

pid	process
1768	aad8520ed678e9d9b0893d0f74e6c1d632c8705179866f696a77a8fda56abc97.exe
1768	aad8520ed678e9d9b0893d0f74e6c1d632c8705179866f696a77a8fda56abc97.exe
1768	aad8520ed678e9d9b0893d0f74e6c1d632c8705179866f696a77a8fda56abc97.exe
1768	aad8520ed678e9d9b0893d0f74e6c1d632c8705179866f696a77a8fda56abc97.exe
1768	aad8520ed678e9d9b0893d0f74e6c1d632c8705179866f696a77a8fda56abc97.exe
556	uxjev.pif

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

uxjev.pif

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	uxjev.pif
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\JavaUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\akllh\\uxjev.pif C:\\Users\\Admin\\AppData\\Roaming\\akllh\\pjpno.xqp"	uxjev.pif

Suspicious use of SetThreadContext 1 IoCs

Processes:

uxjev.pif

description pid process target process

PID 1276 set thread context of 1616 1276 uxjev.pif RegSvcs.exe
Drops file in Windows directory 1 IoCs

Processes:

RegSvcs.exe

description ioc process

File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\.Identifier RegSvcs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1112 taskkill.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

uxjev.pif

pid process

1276 uxjev.pif
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

taskkill.exe

description pid process

Token: SeDebugPrivilege 1112 taskkill.exe

description	pid	process	target process
PID 1276 set thread context of 1616	1276	uxjev.pif	RegSvcs.exe

description	ioc	process
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\.Identifier	RegSvcs.exe

pid	process
1112	taskkill.exe

pid	process
1276	uxjev.pif

description	pid	process
Token: SeDebugPrivilege	1112	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

aad8520ed678e9d9b0893d0f74e6c1d632c8705179866f696a77a8fda56abc97.exeuxjev.pifuxjev.pif

description	pid	process	target process
PID 1768 wrote to memory of 556	1768	aad8520ed678e9d9b0893d0f74e6c1d632c8705179866f696a77a8fda56abc97.exe	uxjev.pif
PID 1768 wrote to memory of 556	1768	aad8520ed678e9d9b0893d0f74e6c1d632c8705179866f696a77a8fda56abc97.exe	uxjev.pif
PID 1768 wrote to memory of 556	1768	aad8520ed678e9d9b0893d0f74e6c1d632c8705179866f696a77a8fda56abc97.exe	uxjev.pif
PID 1768 wrote to memory of 556	1768	aad8520ed678e9d9b0893d0f74e6c1d632c8705179866f696a77a8fda56abc97.exe	uxjev.pif
PID 1768 wrote to memory of 556	1768	aad8520ed678e9d9b0893d0f74e6c1d632c8705179866f696a77a8fda56abc97.exe	uxjev.pif
PID 1768 wrote to memory of 556	1768	aad8520ed678e9d9b0893d0f74e6c1d632c8705179866f696a77a8fda56abc97.exe	uxjev.pif
PID 1768 wrote to memory of 556	1768	aad8520ed678e9d9b0893d0f74e6c1d632c8705179866f696a77a8fda56abc97.exe	uxjev.pif
PID 556 wrote to memory of 1276	556	uxjev.pif	uxjev.pif
PID 556 wrote to memory of 1276	556	uxjev.pif	uxjev.pif
PID 556 wrote to memory of 1276	556	uxjev.pif	uxjev.pif
PID 556 wrote to memory of 1276	556	uxjev.pif	uxjev.pif
PID 556 wrote to memory of 1276	556	uxjev.pif	uxjev.pif
PID 556 wrote to memory of 1276	556	uxjev.pif	uxjev.pif
PID 556 wrote to memory of 1276	556	uxjev.pif	uxjev.pif
PID 1276 wrote to memory of 772	1276	uxjev.pif	mshta.exe
PID 1276 wrote to memory of 772	1276	uxjev.pif	mshta.exe
PID 1276 wrote to memory of 772	1276	uxjev.pif	mshta.exe
PID 1276 wrote to memory of 772	1276	uxjev.pif	mshta.exe
PID 1276 wrote to memory of 772	1276	uxjev.pif	mshta.exe
PID 1276 wrote to memory of 772	1276	uxjev.pif	mshta.exe
PID 1276 wrote to memory of 772	1276	uxjev.pif	mshta.exe
PID 1276 wrote to memory of 2000	1276	uxjev.pif	mshta.exe
PID 1276 wrote to memory of 2000	1276	uxjev.pif	mshta.exe
PID 1276 wrote to memory of 2000	1276	uxjev.pif	mshta.exe
PID 1276 wrote to memory of 2000	1276	uxjev.pif	mshta.exe
PID 1276 wrote to memory of 2000	1276	uxjev.pif	mshta.exe
PID 1276 wrote to memory of 2000	1276	uxjev.pif	mshta.exe
PID 1276 wrote to memory of 2000	1276	uxjev.pif	mshta.exe
PID 1276 wrote to memory of 1760	1276	uxjev.pif	mshta.exe
PID 1276 wrote to memory of 1760	1276	uxjev.pif	mshta.exe
PID 1276 wrote to memory of 1760	1276	uxjev.pif	mshta.exe
PID 1276 wrote to memory of 1760	1276	uxjev.pif	mshta.exe
PID 1276 wrote to memory of 1760	1276	uxjev.pif	mshta.exe
PID 1276 wrote to memory of 1760	1276	uxjev.pif	mshta.exe
PID 1276 wrote to memory of 1760	1276	uxjev.pif	mshta.exe
PID 1276 wrote to memory of 1956	1276	uxjev.pif	mshta.exe
PID 1276 wrote to memory of 1956	1276	uxjev.pif	mshta.exe
PID 1276 wrote to memory of 1956	1276	uxjev.pif	mshta.exe
PID 1276 wrote to memory of 1956	1276	uxjev.pif	mshta.exe
PID 1276 wrote to memory of 1956	1276	uxjev.pif	mshta.exe
PID 1276 wrote to memory of 1956	1276	uxjev.pif	mshta.exe
PID 1276 wrote to memory of 1956	1276	uxjev.pif	mshta.exe
PID 1276 wrote to memory of 1648	1276	uxjev.pif	mshta.exe
PID 1276 wrote to memory of 1648	1276	uxjev.pif	mshta.exe
PID 1276 wrote to memory of 1648	1276	uxjev.pif	mshta.exe
PID 1276 wrote to memory of 1648	1276	uxjev.pif	mshta.exe
PID 1276 wrote to memory of 1648	1276	uxjev.pif	mshta.exe
PID 1276 wrote to memory of 1648	1276	uxjev.pif	mshta.exe
PID 1276 wrote to memory of 1648	1276	uxjev.pif	mshta.exe
PID 1276 wrote to memory of 1632	1276	uxjev.pif	mshta.exe
PID 1276 wrote to memory of 1632	1276	uxjev.pif	mshta.exe
PID 1276 wrote to memory of 1632	1276	uxjev.pif	mshta.exe
PID 1276 wrote to memory of 1632	1276	uxjev.pif	mshta.exe
PID 1276 wrote to memory of 1632	1276	uxjev.pif	mshta.exe
PID 1276 wrote to memory of 1632	1276	uxjev.pif	mshta.exe
PID 1276 wrote to memory of 1632	1276	uxjev.pif	mshta.exe
PID 1276 wrote to memory of 1264	1276	uxjev.pif	mshta.exe
PID 1276 wrote to memory of 1264	1276	uxjev.pif	mshta.exe
PID 1276 wrote to memory of 1264	1276	uxjev.pif	mshta.exe
PID 1276 wrote to memory of 1264	1276	uxjev.pif	mshta.exe
PID 1276 wrote to memory of 1264	1276	uxjev.pif	mshta.exe
PID 1276 wrote to memory of 1264	1276	uxjev.pif	mshta.exe
PID 1276 wrote to memory of 1264	1276	uxjev.pif	mshta.exe
PID 1276 wrote to memory of 1740	1276	uxjev.pif	cmd.exe

C:\Users\Admin\AppData\Local\Temp\aad8520ed678e9d9b0893d0f74e6c1d632c8705179866f696a77a8fda56abc97.exe
"C:\Users\Admin\AppData\Local\Temp\aad8520ed678e9d9b0893d0f74e6c1d632c8705179866f696a77a8fda56abc97.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1768

C:\Users\Admin\AppData\Roaming\akllh\uxjev.pif
"C:\Users\Admin\AppData\Roaming\akllh\uxjev.pif" pjpno.xqp
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:556

C:\Users\Admin\AppData\Roaming\akllh\uxjev.pif
C:\Users\Admin\AppData\Roaming\akllh\uxjev.pif C:\Users\Admin\AppData\Roaming\akllh\SYNST
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1276

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
4⤵
PID:772

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
4⤵
PID:2000

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
4⤵
PID:1760

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
4⤵
PID:1956

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
4⤵
PID:1648

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
4⤵
PID:1632

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe"
4⤵
PID:1264

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /C taskkill /f /IM mshta.exe
4⤵
PID:1740

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /IM mshta.exe
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1112

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
4⤵
- Drops file in Windows directory
PID:1616

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\akllh\SYNST
Filesize
117KB

MD5
3384979a23fbe4de79286b1901121b19

SHA1
5e69f43dcc8ed992ab17c233271712bb0bf60f13

SHA256
ae2427d833c91c213875fe7e70b05c88e949859da91b33681d598e3fd6b4f740

SHA512
0f98ff4b4c631dfc388e515dcaa3e858ed2c9581a63d9ab3ec588ea9ef17a593dc632c6f9093c13944812f273153ea0f0b37a1ca8aaa30a23d1199dcdf832fa3

Download Submit
C:\Users\Admin\AppData\Roaming\akllh\YMQGIX
Filesize
29KB

MD5
222468a27a22df04d14bd677aef4a3b5

SHA1
a1054dc0e5d1db1011ee82e2b6bdcc4a393ecad4

SHA256
46577564d05cdc49627acd16b735ca30390f8bd12c5a8426b5968f245e61ac19

SHA512
054e1efa6ad0bd61b5f6f71e54c2548df2a3e3e7b889defa3c6e807c66c15726a63d7e083ab12515778026141d566f86bdc4214da504cb4e572355bbc0a9032c

Download Submit
C:\Users\Admin\AppData\Roaming\akllh\ewwhd.rxt
Filesize
117KB

MD5
aca035c7f1ecbf8a3e664c1680881bc0

SHA1
480eff58d9f0ddd57189915c9ca821a61bcccf2b

SHA256
9ac1decd236c4def3ee73afd754f4664b04fb1562af098be1e8e1d340408e922

SHA512
5a90b633d25659d405fcf757f6005e2a5b4817b0225e9c56d7b2c1b167e75cfed3e1d9b9289e1c7403cf667124e240ec0f398f35c55e1a8658f64b4060a581eb

Download Submit
C:\Users\Admin\AppData\Roaming\akllh\orebo
Filesize
68KB

MD5
f385b2f69d6690ef589de7e7ff35fb15

SHA1
f230340e9fcb0022a50fe7d16cdc427400f009c8

SHA256
4386610da47d990bf21bf173cb7d085281dec4d8e02c653dda8c5a4697cbe580

SHA512
5b450fd65ab4c911eda22c4ff27b190eb14f64f81730903b5635bb85008bdbecc2a605d7cf76d932c55e69a8ce93339399db3b6f40eef1e5cfc8897a3fe87f35

Download Submit
C:\Users\Admin\AppData\Roaming\akllh\pjpno.xqp
Filesize
3KB

MD5
320133077eb8365d0a35a6c8bf1078c5

SHA1
31bf50ca151ee596b2fa04db5f748c2799b16b26

SHA256
a18eb74dc95cd8df63dd06561ade96d97efe753153f7e679f118be9cc3b2aad6

SHA512
f6cf82316f2562d6910690064fcb1681d1136ce902cac2f6dd8daa1b5b8877b8ebf6be8b5bd48ea00a522971fa85929340268ea69cf1f3003ebfa4af9e26da38

Download Submit
C:\Users\Admin\AppData\Roaming\akllh\uxjev.pif
Filesize
731KB

MD5
a3f4db4d9a13413af1a172eb61dfa83a

SHA1
900655e1c4b7c14ca7c92ddb7a81dbd4fbcf2ee9

SHA256
0bf1d81ebe9d6325dcbf6f6be3c2ed121c0032d692994a857e588f36df742448

SHA512
3a07cec8a8702c38d9452ecae4d5228de7a9a999cd41944e3a387cd4776725958e7b83b27bb762bd5d8da3399aedc3a43664edc7ce106612967a74f22a3ff595

Download Submit
C:\Users\Admin\AppData\Roaming\akllh\uxjev.pif
Filesize
731KB

MD5
a3f4db4d9a13413af1a172eb61dfa83a

SHA1
900655e1c4b7c14ca7c92ddb7a81dbd4fbcf2ee9

SHA256
0bf1d81ebe9d6325dcbf6f6be3c2ed121c0032d692994a857e588f36df742448

SHA512
3a07cec8a8702c38d9452ecae4d5228de7a9a999cd41944e3a387cd4776725958e7b83b27bb762bd5d8da3399aedc3a43664edc7ce106612967a74f22a3ff595

Download Submit
C:\Users\Admin\AppData\Roaming\akllh\uxjev.pif
Filesize
731KB

MD5
a3f4db4d9a13413af1a172eb61dfa83a

SHA1
900655e1c4b7c14ca7c92ddb7a81dbd4fbcf2ee9

SHA256
0bf1d81ebe9d6325dcbf6f6be3c2ed121c0032d692994a857e588f36df742448

SHA512
3a07cec8a8702c38d9452ecae4d5228de7a9a999cd41944e3a387cd4776725958e7b83b27bb762bd5d8da3399aedc3a43664edc7ce106612967a74f22a3ff595

Download Submit
\Users\Admin\AppData\Roaming\akllh\uxjev.pif
Filesize
731KB

MD5
a3f4db4d9a13413af1a172eb61dfa83a

SHA1
900655e1c4b7c14ca7c92ddb7a81dbd4fbcf2ee9

SHA256
0bf1d81ebe9d6325dcbf6f6be3c2ed121c0032d692994a857e588f36df742448

SHA512
3a07cec8a8702c38d9452ecae4d5228de7a9a999cd41944e3a387cd4776725958e7b83b27bb762bd5d8da3399aedc3a43664edc7ce106612967a74f22a3ff595

Download Submit
\Users\Admin\AppData\Roaming\akllh\uxjev.pif
Filesize
731KB

MD5
a3f4db4d9a13413af1a172eb61dfa83a

SHA1
900655e1c4b7c14ca7c92ddb7a81dbd4fbcf2ee9

SHA256
0bf1d81ebe9d6325dcbf6f6be3c2ed121c0032d692994a857e588f36df742448

SHA512
3a07cec8a8702c38d9452ecae4d5228de7a9a999cd41944e3a387cd4776725958e7b83b27bb762bd5d8da3399aedc3a43664edc7ce106612967a74f22a3ff595

Download Submit
\Users\Admin\AppData\Roaming\akllh\uxjev.pif
Filesize
731KB

MD5
a3f4db4d9a13413af1a172eb61dfa83a

SHA1
900655e1c4b7c14ca7c92ddb7a81dbd4fbcf2ee9

SHA256
0bf1d81ebe9d6325dcbf6f6be3c2ed121c0032d692994a857e588f36df742448

SHA512
3a07cec8a8702c38d9452ecae4d5228de7a9a999cd41944e3a387cd4776725958e7b83b27bb762bd5d8da3399aedc3a43664edc7ce106612967a74f22a3ff595

Download Submit
\Users\Admin\AppData\Roaming\akllh\uxjev.pif
Filesize
731KB

MD5
a3f4db4d9a13413af1a172eb61dfa83a

SHA1
900655e1c4b7c14ca7c92ddb7a81dbd4fbcf2ee9

SHA256
0bf1d81ebe9d6325dcbf6f6be3c2ed121c0032d692994a857e588f36df742448

SHA512
3a07cec8a8702c38d9452ecae4d5228de7a9a999cd41944e3a387cd4776725958e7b83b27bb762bd5d8da3399aedc3a43664edc7ce106612967a74f22a3ff595

Download Submit
\Users\Admin\AppData\Roaming\akllh\uxjev.pif
Filesize
731KB

MD5
a3f4db4d9a13413af1a172eb61dfa83a

SHA1
900655e1c4b7c14ca7c92ddb7a81dbd4fbcf2ee9

SHA256
0bf1d81ebe9d6325dcbf6f6be3c2ed121c0032d692994a857e588f36df742448

SHA512
3a07cec8a8702c38d9452ecae4d5228de7a9a999cd41944e3a387cd4776725958e7b83b27bb762bd5d8da3399aedc3a43664edc7ce106612967a74f22a3ff595

Download Submit
\Users\Admin\AppData\Roaming\akllh\uxjev.pif
Filesize
731KB

MD5
a3f4db4d9a13413af1a172eb61dfa83a

SHA1
900655e1c4b7c14ca7c92ddb7a81dbd4fbcf2ee9

SHA256
0bf1d81ebe9d6325dcbf6f6be3c2ed121c0032d692994a857e588f36df742448

SHA512
3a07cec8a8702c38d9452ecae4d5228de7a9a999cd41944e3a387cd4776725958e7b83b27bb762bd5d8da3399aedc3a43664edc7ce106612967a74f22a3ff595

Download Submit
memory/556-60-0x0000000000000000-mapping.dmp

Download
memory/772-72-0x0000000000000000-mapping.dmp

Download
memory/1112-88-0x0000000000000000-mapping.dmp

Download
memory/1264-84-0x0000000000000000-mapping.dmp

Download
memory/1276-68-0x0000000000000000-mapping.dmp

Download
memory/1616-91-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1616-96-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1616-103-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1616-101-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1616-98-0x0000000000401F8F-mapping.dmp

Download
memory/1616-97-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1616-94-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1616-92-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1632-82-0x0000000000000000-mapping.dmp

Download
memory/1648-80-0x0000000000000000-mapping.dmp

Download
memory/1740-86-0x0000000000000000-mapping.dmp

Download
memory/1760-76-0x0000000000000000-mapping.dmp

Download
memory/1768-54-0x0000000076961000-0x0000000076963000-memory.dmp

Filesize
8KB

Download
memory/1956-78-0x0000000000000000-mapping.dmp

Download
memory/2000-74-0x0000000000000000-mapping.dmp

Download