deedb59bcec2385234447ea66347b59f8b0aa8464f8cbb7d2eea5a28b1b25590

General

Target

deedb59bcec2385234447ea66347b59f8b0aa8464f8cbb7d2eea5a28b1b25590.exe
Size

48KB
MD5

f3194cd1dfe52a3b1ddae58272aaedd8
SHA1

d1ef93df2deb8983b65d3e8e72f91b4e1bcae879
SHA256

deedb59bcec2385234447ea66347b59f8b0aa8464f8cbb7d2eea5a28b1b25590
SHA512

d787655af0d3a39ff9d8f6b5077962763be5f6eed851019d45c15171f805ae6b7d1dcf09c60bf0daa4ecf2c49bafe1ae9fc3c9b83d4d435ae44925954137916d
SSDEEP

768:6buDiv3N+KjGgZCH6yku7oGeZsQT6rd/tjtP19DWsWqFUUEhJJMXLSi2uF2uh:hiPMIGIdtCo0Ftpt3yZzJJoLSs

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
316	juupdate.exe

Loads dropped DLL 4 IoCs

pid	Process
1572	deedb59bcec2385234447ea66347b59f8b0aa8464f8cbb7d2eea5a28b1b25590.exe
316	juupdate.exe
316	juupdate.exe
316	juupdate.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\taoy.i	deedb59bcec2385234447ea66347b59f8b0aa8464f8cbb7d2eea5a28b1b25590.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.kvh	deedb59bcec2385234447ea66347b59f8b0aa8464f8cbb7d2eea5a28b1b25590.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.kvh\ = "JSEFile"	deedb59bcec2385234447ea66347b59f8b0aa8464f8cbb7d2eea5a28b1b25590.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1572 wrote to memory of 316	1572	deedb59bcec2385234447ea66347b59f8b0aa8464f8cbb7d2eea5a28b1b25590.exe	28
PID 1572 wrote to memory of 316	1572	deedb59bcec2385234447ea66347b59f8b0aa8464f8cbb7d2eea5a28b1b25590.exe	28
PID 1572 wrote to memory of 316	1572	deedb59bcec2385234447ea66347b59f8b0aa8464f8cbb7d2eea5a28b1b25590.exe	28
PID 1572 wrote to memory of 316	1572	deedb59bcec2385234447ea66347b59f8b0aa8464f8cbb7d2eea5a28b1b25590.exe	28
PID 1572 wrote to memory of 316	1572	deedb59bcec2385234447ea66347b59f8b0aa8464f8cbb7d2eea5a28b1b25590.exe	28
PID 1572 wrote to memory of 316	1572	deedb59bcec2385234447ea66347b59f8b0aa8464f8cbb7d2eea5a28b1b25590.exe	28
PID 1572 wrote to memory of 316	1572	deedb59bcec2385234447ea66347b59f8b0aa8464f8cbb7d2eea5a28b1b25590.exe	28

C:\Users\Admin\AppData\Local\Temp\deedb59bcec2385234447ea66347b59f8b0aa8464f8cbb7d2eea5a28b1b25590.exe
"C:\Users\Admin\AppData\Local\Temp\deedb59bcec2385234447ea66347b59f8b0aa8464f8cbb7d2eea5a28b1b25590.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1572
- C:\Users\Admin\AppData\Local\Temp\juupdate.exe
  "C:\Users\Admin\AppData\Local\Temp\juupdate.exe" "C:\Users\Admin\AppData\Local\Temp\master.kvh"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:316

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\juupdate.exe

Filesize
138KB

MD5
d1ab72db2bedd2f255d35da3da0d4b16

SHA1
860265276b29b42b8c4b077e5c651def9c81b6e9

SHA256
047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0

SHA512
b46830742eebc85e731c14f7dc72cc6734fcc79aab46f6080c95589c438c4cca0a069027badc0a8a78e4deeb31cdf38df3d63db679b793212a32efdad7bb8185

Download Submit
C:\Users\Admin\AppData\Local\Temp\juupdate.exe

Filesize
138KB

MD5
d1ab72db2bedd2f255d35da3da0d4b16

SHA1
860265276b29b42b8c4b077e5c651def9c81b6e9

SHA256
047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0

SHA512
b46830742eebc85e731c14f7dc72cc6734fcc79aab46f6080c95589c438c4cca0a069027badc0a8a78e4deeb31cdf38df3d63db679b793212a32efdad7bb8185

Download Submit
C:\Users\Admin\AppData\Local\Temp\master.kvh

Filesize
9KB

MD5
e710026dda5d338a696475ccdad2eef1

SHA1
79985f4bc32adab9d1133846ac50445ff9e2c5da

SHA256
2adb4fdd59322c08222c6c73b6ae69dd22390b30d3ba50f869bf939e560c72f9

SHA512
e4f6c2acff673f6c0ca8d193000fe37cd000f9f2ebd7f480220d5c93629cbf1e2129fe73ffac47b2a6cc52132ced3650fece0937e086ca9f3ffb331b5d8e4490

Download Submit
\Users\Admin\AppData\Local\Temp\juupdate.exe

Filesize
138KB

MD5
d1ab72db2bedd2f255d35da3da0d4b16

SHA1
860265276b29b42b8c4b077e5c651def9c81b6e9

SHA256
047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0

SHA512
b46830742eebc85e731c14f7dc72cc6734fcc79aab46f6080c95589c438c4cca0a069027badc0a8a78e4deeb31cdf38df3d63db679b793212a32efdad7bb8185

Download Submit
\Users\Admin\AppData\Local\Temp\juupdate.exe

Filesize
138KB

MD5
d1ab72db2bedd2f255d35da3da0d4b16

SHA1
860265276b29b42b8c4b077e5c651def9c81b6e9

SHA256
047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0

SHA512
b46830742eebc85e731c14f7dc72cc6734fcc79aab46f6080c95589c438c4cca0a069027badc0a8a78e4deeb31cdf38df3d63db679b793212a32efdad7bb8185

Download Submit
\Users\Admin\AppData\Local\Temp\juupdate.exe

Filesize
138KB

MD5
d1ab72db2bedd2f255d35da3da0d4b16

SHA1
860265276b29b42b8c4b077e5c651def9c81b6e9

SHA256
047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0

SHA512
b46830742eebc85e731c14f7dc72cc6734fcc79aab46f6080c95589c438c4cca0a069027badc0a8a78e4deeb31cdf38df3d63db679b793212a32efdad7bb8185

Download Submit
\Users\Admin\AppData\Local\Temp\juupdate.exe

Filesize
138KB

MD5
d1ab72db2bedd2f255d35da3da0d4b16

SHA1
860265276b29b42b8c4b077e5c651def9c81b6e9

SHA256
047f3c5a7ab0ea05f35b2ca8037bf62dd4228786d07707064dbd0d46569305d0

SHA512
b46830742eebc85e731c14f7dc72cc6734fcc79aab46f6080c95589c438c4cca0a069027badc0a8a78e4deeb31cdf38df3d63db679b793212a32efdad7bb8185

Download Submit
memory/1572-54-0x00000000758C1000-0x00000000758C3000-memory.dmp

Filesize
8KB

Download
memory/1572-55-0x0000000000400000-0x00000000007AC02D-memory.dmp

Filesize
3.7MB

Download
memory/1572-60-0x0000000000400000-0x00000000007AC02D-memory.dmp

Filesize
3.7MB

Download

Analysis

Sharing