9e94c81411ee69a270cfe21b55a01f60aa2d92e4201176b0d5d350f36da952d5

Analysis

max time kernel
141s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
14/07/2023, 15:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

281939d356a61aexeexe_JC.exe
Size

23.3MB
MD5

281939d356a61a4af961baf67fe00b67
SHA1

a3a558cc01c4aa0422edbc83fa748da60d447706
SHA256

9e94c81411ee69a270cfe21b55a01f60aa2d92e4201176b0d5d350f36da952d5
SHA512

7f110bce02c9baa9ecb06d7ff6c446d4e4fc1cf629c1627b4c5ba87785e3c0e93ebfa6c9056dcfefdb847dfe97cc43aaddd64bb6edd35fd2ab716051c7f6191f
SSDEEP

196608:gkxu3s3TehREvQlrB3ytPqVxUQVmBDTSWhi:M3cT7vs0PqbsBDTs

Score

8^/10

persistence ransomware

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\windows\SysWOW64\drivers\spo0lve.exe	281939d356a61aexeexe_JC.exe
File opened for modification	C:\windows\SysWOW64\drivers\spo0lve.exe	281939d356a61aexeexe_JC.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\spron = "C:\\Users\\Admin\\AppData\\Local\\Temp/281939d356a61aexeexe_JC.exe"	281939d356a61aexeexe_JC.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pigdesk.bmp"	281939d356a61aexeexe_JC.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe	281939d356a61aexeexe_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	281939d356a61aexeexe_JC.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Wordconv.exe	281939d356a61aexeexe_JC.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	281939d356a61aexeexe_JC.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jjs.exe	281939d356a61aexeexe_JC.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\osmclienticon.exe	281939d356a61aexeexe_JC.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\misc.exe	281939d356a61aexeexe_JC.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	281939d356a61aexeexe_JC.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\fontconfig.properties.src	281939d356a61aexeexe_JC.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pj11icon.exe	281939d356a61aexeexe_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jabswitch.exe	281939d356a61aexeexe_JC.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msoia.exe	281939d356a61aexeexe_JC.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	281939d356a61aexeexe_JC.exe
File created	C:\Program Files\Internet Explorer\ExtExport.exe	281939d356a61aexeexe_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\pack200.exe	281939d356a61aexeexe_JC.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\SmartTagInstall.exe	281939d356a61aexeexe_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe	281939d356a61aexeexe_JC.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	281939d356a61aexeexe_JC.exe
File created	C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe	281939d356a61aexeexe_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe	281939d356a61aexeexe_JC.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe	281939d356a61aexeexe_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe	281939d356a61aexeexe_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe	281939d356a61aexeexe_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\klist.exe	281939d356a61aexeexe_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	281939d356a61aexeexe_JC.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java.exe	281939d356a61aexeexe_JC.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\AppVLP.exe	281939d356a61aexeexe_JC.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SDXHelperBgt.exe	281939d356a61aexeexe_JC.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	281939d356a61aexeexe_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe	281939d356a61aexeexe_JC.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	281939d356a61aexeexe_JC.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\lyncicon.exe	281939d356a61aexeexe_JC.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\ohub32.exe	281939d356a61aexeexe_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\orbd.exe	281939d356a61aexeexe_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\servertool.exe	281939d356a61aexeexe_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\unpack200.exe	281939d356a61aexeexe_JC.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msoasb.exe	281939d356a61aexeexe_JC.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\AppSharingHookController.exe	281939d356a61aexeexe_JC.exe
File created	C:\Program Files\Windows Mail\wab.exe	281939d356a61aexeexe_JC.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	281939d356a61aexeexe_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstat.exe	281939d356a61aexeexe_JC.exe
File created	C:\Program Files\Windows NT\Accessories\wordpad.exe	281939d356a61aexeexe_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmid.exe	281939d356a61aexeexe_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\fontconfig.properties.src	281939d356a61aexeexe_JC.exe
File created	C:\Program Files\Windows Photo Viewer\ImagingDevices.exe	281939d356a61aexeexe_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe	281939d356a61aexeexe_JC.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	281939d356a61aexeexe_JC.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	281939d356a61aexeexe_JC.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\joticon.exe	281939d356a61aexeexe_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\preface.htm	281939d356a61aexeexe_JC.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe	281939d356a61aexeexe_JC.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\protocolhandler.exe	281939d356a61aexeexe_JC.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\accicons.exe	281939d356a61aexeexe_JC.exe
File created	C:\Program Files\Windows Media Player\wmlaunch.exe	281939d356a61aexeexe_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java-rmi.exe	281939d356a61aexeexe_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javacpl.exe	281939d356a61aexeexe_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\keytool.exe	281939d356a61aexeexe_JC.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ktab.exe	281939d356a61aexeexe_JC.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-1000-0000000FF1CE}\misc.exe	281939d356a61aexeexe_JC.exe
File created	C:\Program Files\Windows Media Player\wmplayer.exe	281939d356a61aexeexe_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaw.exe	281939d356a61aexeexe_JC.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jp2launcher.exe	281939d356a61aexeexe_JC.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msoev.exe	281939d356a61aexeexe_JC.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	281939d356a61aexeexe_JC.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Control Panel\Desktop\WallpaperStyle = "2"	281939d356a61aexeexe_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\Control Panel\Desktop\TileWallpaper = "2"	281939d356a61aexeexe_JC.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

pid	Process
2864	281939d356a61aexeexe_JC.exe
2864	281939d356a61aexeexe_JC.exe
2864	281939d356a61aexeexe_JC.exe
2864	281939d356a61aexeexe_JC.exe
2864	281939d356a61aexeexe_JC.exe
2864	281939d356a61aexeexe_JC.exe
2864	281939d356a61aexeexe_JC.exe
2864	281939d356a61aexeexe_JC.exe
2864	281939d356a61aexeexe_JC.exe
2864	281939d356a61aexeexe_JC.exe
2864	281939d356a61aexeexe_JC.exe
2864	281939d356a61aexeexe_JC.exe
2864	281939d356a61aexeexe_JC.exe
2864	281939d356a61aexeexe_JC.exe
2864	281939d356a61aexeexe_JC.exe
2864	281939d356a61aexeexe_JC.exe
2864	281939d356a61aexeexe_JC.exe
2864	281939d356a61aexeexe_JC.exe
2864	281939d356a61aexeexe_JC.exe
2864	281939d356a61aexeexe_JC.exe
2864	281939d356a61aexeexe_JC.exe
2864	281939d356a61aexeexe_JC.exe
2864	281939d356a61aexeexe_JC.exe
2864	281939d356a61aexeexe_JC.exe
2864	281939d356a61aexeexe_JC.exe
2864	281939d356a61aexeexe_JC.exe
2864	281939d356a61aexeexe_JC.exe
2864	281939d356a61aexeexe_JC.exe
2864	281939d356a61aexeexe_JC.exe
2864	281939d356a61aexeexe_JC.exe
2864	281939d356a61aexeexe_JC.exe
2864	281939d356a61aexeexe_JC.exe
2864	281939d356a61aexeexe_JC.exe
2864	281939d356a61aexeexe_JC.exe
2864	281939d356a61aexeexe_JC.exe
2864	281939d356a61aexeexe_JC.exe
2864	281939d356a61aexeexe_JC.exe
2864	281939d356a61aexeexe_JC.exe
2864	281939d356a61aexeexe_JC.exe
2864	281939d356a61aexeexe_JC.exe
2864	281939d356a61aexeexe_JC.exe
2864	281939d356a61aexeexe_JC.exe
2864	281939d356a61aexeexe_JC.exe
2864	281939d356a61aexeexe_JC.exe
2864	281939d356a61aexeexe_JC.exe
2864	281939d356a61aexeexe_JC.exe
2864	281939d356a61aexeexe_JC.exe
2864	281939d356a61aexeexe_JC.exe
2864	281939d356a61aexeexe_JC.exe
2864	281939d356a61aexeexe_JC.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2864	281939d356a61aexeexe_JC.exe
2864	281939d356a61aexeexe_JC.exe

C:\Users\Admin\AppData\Local\Temp\281939d356a61aexeexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\281939d356a61aexeexe_JC.exe"
1⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Modifies Control Panel
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2864

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Uninstall.exe

Filesize
23.4MB

MD5
52af0c89d9861b820c17112b3dded720

SHA1
93ac13690f76d96219eb340ebb55d2bafeed694d

SHA256
e2739c41d089bb8e467a4bac7e1cdf6416a5ddd63c9c663ed4c015dfb38022f0

SHA512
85b4d75cabeb04c8964c7a8ec68a758bc9d7b9103fe1c1de1dfadaeb7e2f0813af8e944a674428e0755eaa5d8cf55945abcefb9fe499fe92fed9ee7e8adce9b4

Download Submit