Analysis
max time kernel
267s
max time network
365s
platform
windows7_x64
resource
win7-20221111-en
resource tags
arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
submitted
05/12/2022, 23:24
Static task
static1
Behavioral task
behavioral1
Sample
d12586c68ec1f37bad5eb40c6de009533fa442d64480adcc4927aef0bdf5e774.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
d12586c68ec1f37bad5eb40c6de009533fa442d64480adcc4927aef0bdf5e774.exe
Resource
win10v2004-20220812-en
General
Target
d12586c68ec1f37bad5eb40c6de009533fa442d64480adcc4927aef0bdf5e774.exe
Size
140KB
MD5
325b031a3838f67b41750bc370a9d4ad
SHA1
0f549752c79680c0a170912f9957bd973f4ff2f4
SHA256
d12586c68ec1f37bad5eb40c6de009533fa442d64480adcc4927aef0bdf5e774
SHA512
b1d01fcbcdde47edac15afefa90a7553a41595a79ef2e9da6e33fa5da3551d6a9e1b58271ac894e5011e871cf279d245d5565fdffbac81cf742d7880f4365631
SSDEEP
3072:Pl2rgluJmkD73mQtFDPB1P85XvbM7h8bdaqmRIxqeHHNMxijYQ:Psr6uJ/72QtFDPB1P85Xvw7h8boqfqeN
Malware Config
Signatures
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | d12586c68ec1f37bad5eb40c6de009533fa442d64480adcc4927aef0bdf5e774.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | tjpuur.exe
Executes dropped EXE 1 IoCs
pid | Process
844 | tjpuur.exe
Loads dropped DLL 2 IoCs
pid | Process
1212 | d12586c68ec1f37bad5eb40c6de009533fa442d64480adcc4927aef0bdf5e774.exe
1212 | d12586c68ec1f37bad5eb40c6de009533fa442d64480adcc4927aef0bdf5e774.exe
Adds Run key to start application 2 TTPs 47 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\tjpuur = "C:\\Users\\Admin\\tjpuur.exe /t" | tjpuur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\tjpuur = "C:\\Users\\Admin\\tjpuur.exe /Y" | tjpuur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\tjpuur = "C:\\Users\\Admin\\tjpuur.exe /w" | tjpuur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\tjpuur = "C:\\Users\\Admin\\tjpuur.exe /K" | tjpuur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\tjpuur = "C:\\Users\\Admin\\tjpuur.exe /p" | tjpuur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\tjpuur = "C:\\Users\\Admin\\tjpuur.exe /N" | tjpuur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\tjpuur = "C:\\Users\\Admin\\tjpuur.exe /a" | tjpuur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\tjpuur = "C:\\Users\\Admin\\tjpuur.exe /L" | tjpuur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\tjpuur = "C:\\Users\\Admin\\tjpuur.exe /G" | tjpuur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\tjpuur = "C:\\Users\\Admin\\tjpuur.exe /W" | tjpuur.exe
Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | d12586c68ec1f37bad5eb40c6de009533fa442d64480adcc4927aef0bdf5e774.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\tjpuur = "C:\\Users\\Admin\\tjpuur.exe /t" | d12586c68ec1f37bad5eb40c6de009533fa442d64480adcc4927aef0bdf5e774.exe
Key created | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | tjpuur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\tjpuur = "C:\\Users\\Admin\\tjpuur.exe /j" | tjpuur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\tjpuur = "C:\\Users\\Admin\\tjpuur.exe /m" | tjpuur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\tjpuur = "C:\\Users\\Admin\\tjpuur.exe /c" | tjpuur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\tjpuur = "C:\\Users\\Admin\\tjpuur.exe /T" | tjpuur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\tjpuur = "C:\\Users\\Admin\\tjpuur.exe /e" | tjpuur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\tjpuur = "C:\\Users\\Admin\\tjpuur.exe /r" | tjpuur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\tjpuur = "C:\\Users\\Admin\\tjpuur.exe /b" | tjpuur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\tjpuur = "C:\\Users\\Admin\\tjpuur.exe /P" | tjpuur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\tjpuur = "C:\\Users\\Admin\\tjpuur.exe /D" | tjpuur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\tjpuur = "C:\\Users\\Admin\\tjpuur.exe /S" | tjpuur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\tjpuur = "C:\\Users\\Admin\\tjpuur.exe /z" | tjpuur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\tjpuur = "C:\\Users\\Admin\\tjpuur.exe /g" | tjpuur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\tjpuur = "C:\\Users\\Admin\\tjpuur.exe /X" | tjpuur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\tjpuur = "C:\\Users\\Admin\\tjpuur.exe /I" | tjpuur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\tjpuur = "C:\\Users\\Admin\\tjpuur.exe /y" | tjpuur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\tjpuur = "C:\\Users\\Admin\\tjpuur.exe /q" | tjpuur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\tjpuur = "C:\\Users\\Admin\\tjpuur.exe /l" | tjpuur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\tjpuur = "C:\\Users\\Admin\\tjpuur.exe /d" | tjpuur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\tjpuur = "C:\\Users\\Admin\\tjpuur.exe /k" | tjpuur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\tjpuur = "C:\\Users\\Admin\\tjpuur.exe /R" | tjpuur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\tjpuur = "C:\\Users\\Admin\\tjpuur.exe /F" | tjpuur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\tjpuur = "C:\\Users\\Admin\\tjpuur.exe /o" | tjpuur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\tjpuur = "C:\\Users\\Admin\\tjpuur.exe /x" | tjpuur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\tjpuur = "C:\\Users\\Admin\\tjpuur.exe /M" | tjpuur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\tjpuur = "C:\\Users\\Admin\\tjpuur.exe /C" | tjpuur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\tjpuur = "C:\\Users\\Admin\\tjpuur.exe /V" | tjpuur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\tjpuur = "C:\\Users\\Admin\\tjpuur.exe /n" | tjpuur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\tjpuur = "C:\\Users\\Admin\\tjpuur.exe /v" | tjpuur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\tjpuur = "C:\\Users\\Admin\\tjpuur.exe /J" | tjpuur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\tjpuur = "C:\\Users\\Admin\\tjpuur.exe /B" | tjpuur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\tjpuur = "C:\\Users\\Admin\\tjpuur.exe /A" | tjpuur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\tjpuur = "C:\\Users\\Admin\\tjpuur.exe /O" | tjpuur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\tjpuur = "C:\\Users\\Admin\\tjpuur.exe /u" | tjpuur.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\tjpuur = "C:\\Users\\Admin\\tjpuur.exe /U" | tjpuur.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
1212 | d12586c68ec1f37bad5eb40c6de009533fa442d64480adcc4927aef0bdf5e774.exe
844 | tjpuur.exe (63 identical entries)
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
1212 | d12586c68ec1f37bad5eb40c6de009533fa442d64480adcc4927aef0bdf5e774.exe
844 | tjpuur.exe
Suspicious use of WriteProcessMemory 4 IoCs
description | pid | Process | procid_target
PID 1212 wrote to memory of 844 | 1212 | d12586c68ec1f37bad5eb40c6de009533fa442d64480adcc4927aef0bdf5e774.exe | 27
PID 1212 wrote to memory of 844 | 1212 | d12586c68ec1f37bad5eb40c6de009533fa442d64480adcc4927aef0bdf5e774.exe | 27
PID 1212 wrote to memory of 844 | 1212 | d12586c68ec1f37bad5eb40c6de009533fa442d64480adcc4927aef0bdf5e774.exe | 27
PID 1212 wrote to memory of 844 | 1212 | d12586c68ec1f37bad5eb40c6de009533fa442d64480adcc4927aef0bdf5e774.exe | 27
Processes
C:\Users\Admin\AppData\Local\Temp\d12586c68ec1f37bad5eb40c6de009533fa442d64480adcc4927aef0bdf5e774.exe
  "C:\Users\Admin\AppData\Local\Temp\d12586c68ec1f37bad5eb40c6de009533fa442d64480adcc4927aef0bdf5e774.exe"
  - Modifies visibility of hidden/system files in Explorer
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1212
  C:\Users\Admin\tjpuur.exe
    "C:\Users\Admin\tjpuur.exe"
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:844
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize
140KB
MD5
08587947dc578101d70735fcb5c6a08b
SHA1
a98dbde1962bb0b242d42af0b801d17a612e1efd
SHA256
5576e17c84a1c593603526c3daf6002094b458ab0865084fd29d1134b7efa7a6
SHA512
116e0f6bf7d43194724122728dce57c7c7a80fdb587dd9fa05b20708fce34b43813728e423e7af4c91482e0b8ad45f2fed5fb3674b466273d0eca36b6274d5b1
(the same file entry is listed four times in the report)