e409628ebb040c39a1a80cf954fd176a24cc10ed6d953593f6e62d00b870e862

General

Target

e409628ebb040c39a1a80cf954fd176a24cc10ed6d953593f6e62d00b870e862.exe
Size

476KB
MD5

078969e157a835a3bc5fbc251d33de40
SHA1

d42716771c08079b3cde046a21e0533092342639
SHA256

e409628ebb040c39a1a80cf954fd176a24cc10ed6d953593f6e62d00b870e862
SHA512

f958584f008fa94b6b3d0dccf582b13bc650335f3498358ab9b924c1c827fa2edd605bbd1b8bd7d1bc621560043413d5300a3165b0d13801667ee3bd2647f868
SSDEEP

6144:UdspDeDrxkg/vrMuJIgwhEFHyOrJcX/Pgqwzm5IzkWjS4e4azExBKO1t4Kb70NqH:S8kxNhOZElO5kkWjhD4AOWDLpt

Score

10^/10

persistence upx

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 3 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	e409628ebb040c39a1a80cf954fd176a24cc10ed6d953593f6e62d00b870e862.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\$Recycle.Bin\\DJP.EXE \"%1\" %*"	e409628ebb040c39a1a80cf954fd176a24cc10ed6d953593f6e62d00b870e862.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	WXMJH.EXE

Executes dropped EXE 1 IoCs

pid	Process
1852	WXMJH.EXE

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000a000000022dea-133.dat	upx
behavioral2/files/0x000a000000022dea-134.dat	upx
behavioral2/memory/3236-135-0x0000000000400000-0x0000000000478000-memory.dmp	upx
behavioral2/memory/1852-136-0x0000000000400000-0x0000000000478000-memory.dmp	upx
behavioral2/memory/3236-137-0x0000000000400000-0x0000000000478000-memory.dmp	upx
behavioral2/memory/1852-138-0x0000000000400000-0x0000000000478000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	e409628ebb040c39a1a80cf954fd176a24cc10ed6d953593f6e62d00b870e862.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\PNRTJ.EXE = "C:\\Program Files\\PNRTJ.EXE"	e409628ebb040c39a1a80cf954fd176a24cc10ed6d953593f6e62d00b870e862.exe

Enumerates connected drives 3 TTPs 18 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	e409628ebb040c39a1a80cf954fd176a24cc10ed6d953593f6e62d00b870e862.exe
File opened (read-only)	\??\P:	e409628ebb040c39a1a80cf954fd176a24cc10ed6d953593f6e62d00b870e862.exe
File opened (read-only)	\??\I:	e409628ebb040c39a1a80cf954fd176a24cc10ed6d953593f6e62d00b870e862.exe
File opened (read-only)	\??\J:	e409628ebb040c39a1a80cf954fd176a24cc10ed6d953593f6e62d00b870e862.exe
File opened (read-only)	\??\K:	e409628ebb040c39a1a80cf954fd176a24cc10ed6d953593f6e62d00b870e862.exe
File opened (read-only)	\??\R:	e409628ebb040c39a1a80cf954fd176a24cc10ed6d953593f6e62d00b870e862.exe
File opened (read-only)	\??\V:	e409628ebb040c39a1a80cf954fd176a24cc10ed6d953593f6e62d00b870e862.exe
File opened (read-only)	\??\E:	e409628ebb040c39a1a80cf954fd176a24cc10ed6d953593f6e62d00b870e862.exe
File opened (read-only)	\??\F:	e409628ebb040c39a1a80cf954fd176a24cc10ed6d953593f6e62d00b870e862.exe
File opened (read-only)	\??\Q:	e409628ebb040c39a1a80cf954fd176a24cc10ed6d953593f6e62d00b870e862.exe
File opened (read-only)	\??\U:	e409628ebb040c39a1a80cf954fd176a24cc10ed6d953593f6e62d00b870e862.exe
File opened (read-only)	\??\N:	e409628ebb040c39a1a80cf954fd176a24cc10ed6d953593f6e62d00b870e862.exe
File opened (read-only)	\??\S:	e409628ebb040c39a1a80cf954fd176a24cc10ed6d953593f6e62d00b870e862.exe
File opened (read-only)	\??\T:	e409628ebb040c39a1a80cf954fd176a24cc10ed6d953593f6e62d00b870e862.exe
File opened (read-only)	\??\O:	e409628ebb040c39a1a80cf954fd176a24cc10ed6d953593f6e62d00b870e862.exe
File opened (read-only)	\??\G:	e409628ebb040c39a1a80cf954fd176a24cc10ed6d953593f6e62d00b870e862.exe
File opened (read-only)	\??\H:	e409628ebb040c39a1a80cf954fd176a24cc10ed6d953593f6e62d00b870e862.exe
File opened (read-only)	\??\M:	e409628ebb040c39a1a80cf954fd176a24cc10ed6d953593f6e62d00b870e862.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\WXMJH.EXE	e409628ebb040c39a1a80cf954fd176a24cc10ed6d953593f6e62d00b870e862.exe
File opened for modification	C:\Program Files (x86)\WXMJH.EXE	e409628ebb040c39a1a80cf954fd176a24cc10ed6d953593f6e62d00b870e862.exe
File created	C:\Program Files\PNRTJ.EXE	e409628ebb040c39a1a80cf954fd176a24cc10ed6d953593f6e62d00b870e862.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command	e409628ebb040c39a1a80cf954fd176a24cc10ed6d953593f6e62d00b870e862.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open	e409628ebb040c39a1a80cf954fd176a24cc10ed6d953593f6e62d00b870e862.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command\ = "C:\\$Recycle.Bin\\DJP.EXE \"%1\""	e409628ebb040c39a1a80cf954fd176a24cc10ed6d953593f6e62d00b870e862.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	e409628ebb040c39a1a80cf954fd176a24cc10ed6d953593f6e62d00b870e862.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\$Recycle.Bin\\DJP.EXE %1"	e409628ebb040c39a1a80cf954fd176a24cc10ed6d953593f6e62d00b870e862.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\$Recycle.Bin\\DJP.EXE \"%1\" %*"	e409628ebb040c39a1a80cf954fd176a24cc10ed6d953593f6e62d00b870e862.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command	e409628ebb040c39a1a80cf954fd176a24cc10ed6d953593f6e62d00b870e862.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	WXMJH.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command	e409628ebb040c39a1a80cf954fd176a24cc10ed6d953593f6e62d00b870e862.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\$Recycle.Bin\\DJP.EXE %1"	e409628ebb040c39a1a80cf954fd176a24cc10ed6d953593f6e62d00b870e862.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell\open\command	e409628ebb040c39a1a80cf954fd176a24cc10ed6d953593f6e62d00b870e862.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\chm.file	e409628ebb040c39a1a80cf954fd176a24cc10ed6d953593f6e62d00b870e862.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\chm.file\shell	e409628ebb040c39a1a80cf954fd176a24cc10ed6d953593f6e62d00b870e862.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\scrfile\shell\open\command	e409628ebb040c39a1a80cf954fd176a24cc10ed6d953593f6e62d00b870e862.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\$Recycle.Bin\\DJP.EXE \"%1\""	e409628ebb040c39a1a80cf954fd176a24cc10ed6d953593f6e62d00b870e862.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1852	WXMJH.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3236 wrote to memory of 1852	3236	e409628ebb040c39a1a80cf954fd176a24cc10ed6d953593f6e62d00b870e862.exe	83
PID 3236 wrote to memory of 1852	3236	e409628ebb040c39a1a80cf954fd176a24cc10ed6d953593f6e62d00b870e862.exe	83
PID 3236 wrote to memory of 1852	3236	e409628ebb040c39a1a80cf954fd176a24cc10ed6d953593f6e62d00b870e862.exe	83

C:\Users\Admin\AppData\Local\Temp\e409628ebb040c39a1a80cf954fd176a24cc10ed6d953593f6e62d00b870e862.exe
"C:\Users\Admin\AppData\Local\Temp\e409628ebb040c39a1a80cf954fd176a24cc10ed6d953593f6e62d00b870e862.exe"
1⤵
- Modifies system executable filetype association
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3236
- C:\Program Files (x86)\WXMJH.EXE
  "C:\Program Files (x86)\WXMJH.EXE"
  2⤵
  - Modifies system executable filetype association
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

1

T1042

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WXMJH.EXE

Filesize
477KB

MD5
2afa6f88bad69d0c3523614e1879fbe5

SHA1
4cc1cefeef6f97eb729d864668973b1bd5774a20

SHA256
6ce0735b3d81d8c351b1af090767480a422b0e10d97c96eb7d78c7184642d935

SHA512
5c8ec3b2ea7777f66fea9eab2e3afd7b4ab7135d6951f641ff415b45eefba3e242efbbd4dc88d93b64fc663272b257dabe6ec539f88a0a2b2f1e3651b0cc9d61

Download Submit
C:\Program Files (x86)\WXMJH.EXE

Filesize
477KB

MD5
2afa6f88bad69d0c3523614e1879fbe5

SHA1
4cc1cefeef6f97eb729d864668973b1bd5774a20

SHA256
6ce0735b3d81d8c351b1af090767480a422b0e10d97c96eb7d78c7184642d935

SHA512
5c8ec3b2ea7777f66fea9eab2e3afd7b4ab7135d6951f641ff415b45eefba3e242efbbd4dc88d93b64fc663272b257dabe6ec539f88a0a2b2f1e3651b0cc9d61

Download Submit
memory/1852-136-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1852-138-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3236-135-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/3236-137-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads