Analysis
-
max time kernel
144s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20230712-en -
resource tags
-
submitted
14-07-2023 15:46
General
-
Target
28c9daa374814bexeexe_JC.exe
-
Size
168KB
-
MD5
28c9daa374814bf33132f2c744793dd7
-
SHA1
495bf691c24beba4c570aad7fb9576514545b3ea
-
SHA256
7ad604c6c6cb82ae134241e4a70e69405581309dcaf5add6f2246356ebfda695
-
SHA512
63edf4af886634c521b47b8108337e3d7e7e35ab994d34fff60040bec96135e43b816061d82c6d15390c732dff82014451e9eb60f44a40005a9d4f38a95f3d80
-
SSDEEP
1536:1EGh0onlq5IRVhNJ5Qef7BudMeNzVg3Ve+rrS2:1EGh0onlqOPOe2MUVg3Ve+rX
Malware Config
Signatures
-
Modifies Installed Components in the registry 2 TTPs 22 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 11 IoCs
-
Drops file in Windows directory 11 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\28c9daa374814bexeexe_JC.exe"C:\Users\Admin\AppData\Local\Temp\28c9daa374814bexeexe_JC.exe"1⤵
- Modifies Installed Components in the registry
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{BB2BE6EA-9B54-4ddd-9ACA-C5D0EBE6C0EF}.exeC:\Windows\{BB2BE6EA-9B54-4ddd-9ACA-C5D0EBE6C0EF}.exe2⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{7B790BEB-1BCE-45bf-B6A0-9E092325EA03}.exeC:\Windows\{7B790BEB-1BCE-45bf-B6A0-9E092325EA03}.exe3⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{E292724F-AA90-4f01-BFE5-7570F9226725}.exeC:\Windows\{E292724F-AA90-4f01-BFE5-7570F9226725}.exe4⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{E2927~1.EXE > nul5⤵
-
-
C:\Windows\{9D5A8393-1A2E-41fc-8E65-CB14F6DF0F12}.exeC:\Windows\{9D5A8393-1A2E-41fc-8E65-CB14F6DF0F12}.exe5⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{9D5A8~1.EXE > nul6⤵
-
-
C:\Windows\{DD023B9B-E896-427a-9A03-85BFBC0E1759}.exeC:\Windows\{DD023B9B-E896-427a-9A03-85BFBC0E1759}.exe6⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{2695534C-EA50-48ed-A22A-2A82E7C3FBBF}.exeC:\Windows\{2695534C-EA50-48ed-A22A-2A82E7C3FBBF}.exe7⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{4E5BE970-2F49-48ad-8372-63366CD83DEE}.exeC:\Windows\{4E5BE970-2F49-48ad-8372-63366CD83DEE}.exe8⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\{9DE700E1-56B3-4cba-9F72-81E66EB5E1EB}.exeC:\Windows\{9DE700E1-56B3-4cba-9F72-81E66EB5E1EB}.exe9⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{BF959189-1FF1-45d7-826E-D00AB7A86F70}.exeC:\Windows\{BF959189-1FF1-45d7-826E-D00AB7A86F70}.exe10⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{6F9BBBF5-4EEC-4314-A57F-50D9FD44071C}.exeC:\Windows\{6F9BBBF5-4EEC-4314-A57F-50D9FD44071C}.exe11⤵
- Modifies Installed Components in the registry
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\{E9D269F4-F041-4b88-885C-E3D86BF148A0}.exeC:\Windows\{E9D269F4-F041-4b88-885C-E3D86BF148A0}.exe12⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{6F9BB~1.EXE > nul12⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{BF959~1.EXE > nul11⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{9DE70~1.EXE > nul10⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{4E5BE~1.EXE > nul9⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{26955~1.EXE > nul8⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{DD023~1.EXE > nul7⤵
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{7B790~1.EXE > nul4⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Windows\{BB2BE~1.EXE > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\28C9DA~1.EXE > nul2⤵
- Deletes itself
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
168KB
MD52af3edea5fee9a58efac6e3b96d7834f
SHA14416468668fee7b6b5ea0280748e81df78ff644b
SHA256941060411f68c41ab4026226d604fa15a4eb26a7f8e77927210e063ff0089df8
SHA512252e3a5d27e045bfe22882389669d4a85529b4fd34c6a870c09ad32fa71cb2920407e79eae2d25ec0c2a300aa04ece151d1d68c2a5159d3b65e049085b58935e
-
Filesize
168KB
MD52af3edea5fee9a58efac6e3b96d7834f
SHA14416468668fee7b6b5ea0280748e81df78ff644b
SHA256941060411f68c41ab4026226d604fa15a4eb26a7f8e77927210e063ff0089df8
SHA512252e3a5d27e045bfe22882389669d4a85529b4fd34c6a870c09ad32fa71cb2920407e79eae2d25ec0c2a300aa04ece151d1d68c2a5159d3b65e049085b58935e
-
Filesize
168KB
MD5e59d5ec87a4bbf95d95fa47cf3d705a4
SHA18972b53ce024e97aeddd305551ca196ad5fc57d1
SHA25642439203321a6830f241aa0cf3ad7c3319c69dc6686cd520e155cefd225dda34
SHA5126e793ef24d5d255a9cd9498a8afeb2395da60fac0c3e8ddcd290ff26cb57972e454e53da5f8bc6a561e614a9f031953451b75925ff0b84999617143bd70e00f8
-
Filesize
168KB
MD5e59d5ec87a4bbf95d95fa47cf3d705a4
SHA18972b53ce024e97aeddd305551ca196ad5fc57d1
SHA25642439203321a6830f241aa0cf3ad7c3319c69dc6686cd520e155cefd225dda34
SHA5126e793ef24d5d255a9cd9498a8afeb2395da60fac0c3e8ddcd290ff26cb57972e454e53da5f8bc6a561e614a9f031953451b75925ff0b84999617143bd70e00f8
-
Filesize
168KB
MD502d5612660a292189c402ceca4cc79fe
SHA15adad0ac8aaeb1ea0334444d327859d86c1c0b32
SHA25601e887e32a0a26ced802f8cfdd1c5f7010f5f12cf7d78cec1c9ca0488c22bdcf
SHA5125f5fcd910425cee0244800ff85a44b76627b93de915c636090cff41f6a8ad033234a08510df7d7490acacdb663040542703693b08b089eabf66d6e740583d220
-
Filesize
168KB
MD502d5612660a292189c402ceca4cc79fe
SHA15adad0ac8aaeb1ea0334444d327859d86c1c0b32
SHA25601e887e32a0a26ced802f8cfdd1c5f7010f5f12cf7d78cec1c9ca0488c22bdcf
SHA5125f5fcd910425cee0244800ff85a44b76627b93de915c636090cff41f6a8ad033234a08510df7d7490acacdb663040542703693b08b089eabf66d6e740583d220
-
Filesize
168KB
MD5a7b41e37dee81f8d9e7732b977e2a917
SHA1a931b119036e9e7ea6e2329f07160d8cfbbf88f2
SHA256a9364dc1f81980a40e15c97cac99832a61b2115bcaf79c461094dd663dc67eb1
SHA5122b64b1ed93af3afd4d3dbde82a4f21d16cb25d0ef7d2011499cc84f0637223a798b539ef2ddbff91e869fd36ec76e27ea3fd51da7b55dc788aaf13db2d896632
-
Filesize
168KB
MD5a7b41e37dee81f8d9e7732b977e2a917
SHA1a931b119036e9e7ea6e2329f07160d8cfbbf88f2
SHA256a9364dc1f81980a40e15c97cac99832a61b2115bcaf79c461094dd663dc67eb1
SHA5122b64b1ed93af3afd4d3dbde82a4f21d16cb25d0ef7d2011499cc84f0637223a798b539ef2ddbff91e869fd36ec76e27ea3fd51da7b55dc788aaf13db2d896632
-
Filesize
168KB
MD5f29d989f28403e307577f9ca43cdcf14
SHA1339d39399537ec22604d064cb930e3867b471654
SHA256de0e853c6aafb1c2ef13c5f3bb875f3c0496c4ac35c80b3a0c039d761c356c95
SHA5128fedaf91c0cb28715e01d4a38310a12e8ce9129cd0ef0f95592888a764c0fceb2944736f3499cac2677327596fe634eaa8576b2a5ecf839cf8a87e73536ee64c
-
Filesize
168KB
MD5f29d989f28403e307577f9ca43cdcf14
SHA1339d39399537ec22604d064cb930e3867b471654
SHA256de0e853c6aafb1c2ef13c5f3bb875f3c0496c4ac35c80b3a0c039d761c356c95
SHA5128fedaf91c0cb28715e01d4a38310a12e8ce9129cd0ef0f95592888a764c0fceb2944736f3499cac2677327596fe634eaa8576b2a5ecf839cf8a87e73536ee64c
-
Filesize
168KB
MD52d3b1f0a25ef822aa5d74a6faf2fe1ae
SHA1e78befe1a63a5f79958c48f5b72a08e44a5d14d0
SHA256735490cf5e241cab945d41b81b8cab460e01ebba4d4bf78191af91d70bc357d1
SHA51228a5459491abc6920d7375db6fe15d7824e48b013580c2d650c62fd9eb588e503698f06c3114b118b4a9a3ba83d7ca9456d3dcb1e9891d631a9f10ea152a5046
-
Filesize
168KB
MD52d3b1f0a25ef822aa5d74a6faf2fe1ae
SHA1e78befe1a63a5f79958c48f5b72a08e44a5d14d0
SHA256735490cf5e241cab945d41b81b8cab460e01ebba4d4bf78191af91d70bc357d1
SHA51228a5459491abc6920d7375db6fe15d7824e48b013580c2d650c62fd9eb588e503698f06c3114b118b4a9a3ba83d7ca9456d3dcb1e9891d631a9f10ea152a5046
-
Filesize
168KB
MD58e8a4ea5c9bc89b65d028a9355ec218b
SHA1ec835383b08cc3402bb4230d07b668fdf3626e73
SHA25611180d2f6c34f94aec32dcb504a1f452cc8e8826a486bc97af265fb8eeb8725a
SHA512785123e3f74714790a4f3bec104a67adec6a536b3ac1e05712d6354c1aaaeee7a8db8f8540ccce869e7f5f8a32bfa2213d48eef6453d09c1b87b47413f188600
-
Filesize
168KB
MD58e8a4ea5c9bc89b65d028a9355ec218b
SHA1ec835383b08cc3402bb4230d07b668fdf3626e73
SHA25611180d2f6c34f94aec32dcb504a1f452cc8e8826a486bc97af265fb8eeb8725a
SHA512785123e3f74714790a4f3bec104a67adec6a536b3ac1e05712d6354c1aaaeee7a8db8f8540ccce869e7f5f8a32bfa2213d48eef6453d09c1b87b47413f188600
-
Filesize
168KB
MD58e8a4ea5c9bc89b65d028a9355ec218b
SHA1ec835383b08cc3402bb4230d07b668fdf3626e73
SHA25611180d2f6c34f94aec32dcb504a1f452cc8e8826a486bc97af265fb8eeb8725a
SHA512785123e3f74714790a4f3bec104a67adec6a536b3ac1e05712d6354c1aaaeee7a8db8f8540ccce869e7f5f8a32bfa2213d48eef6453d09c1b87b47413f188600
-
Filesize
168KB
MD51772ed45146d7dab990ba98d9bea7b1f
SHA131dffdfc311fd13b70a80e5bd7b8a8c28aa1a738
SHA2561119a51480e1a3920e32b8fc6fa83c03013cabe6d1ad1aac15a5e1eb34cc4bf9
SHA512c9b554cfb20f3e40c0dc4fc40305ca44b818308d5a8bafd72b9533adc84e4051a9b3c3ee9e844565e57e10214aa02b127a75beb489188905d2702251247d8528
-
Filesize
168KB
MD51772ed45146d7dab990ba98d9bea7b1f
SHA131dffdfc311fd13b70a80e5bd7b8a8c28aa1a738
SHA2561119a51480e1a3920e32b8fc6fa83c03013cabe6d1ad1aac15a5e1eb34cc4bf9
SHA512c9b554cfb20f3e40c0dc4fc40305ca44b818308d5a8bafd72b9533adc84e4051a9b3c3ee9e844565e57e10214aa02b127a75beb489188905d2702251247d8528
-
Filesize
168KB
MD54b6a565f705f8f400bbbfddf6ba90d4d
SHA1d2687fcdb824947d5fe7e1615b71f726d830fb9a
SHA256299c61b3fee312c6d24958936b14107306c1ed4264a7c1afbcbcc1fbe03f5e43
SHA5129d2d6a8889fd02d343054911b0ea7aecfb7c68217f785cf3a4942141a5dc87d4ebf231204d094536bb2e3a481fe3f566fe9e28ec0df71b526e4e1ed63cef4f5f
-
Filesize
168KB
MD54b6a565f705f8f400bbbfddf6ba90d4d
SHA1d2687fcdb824947d5fe7e1615b71f726d830fb9a
SHA256299c61b3fee312c6d24958936b14107306c1ed4264a7c1afbcbcc1fbe03f5e43
SHA5129d2d6a8889fd02d343054911b0ea7aecfb7c68217f785cf3a4942141a5dc87d4ebf231204d094536bb2e3a481fe3f566fe9e28ec0df71b526e4e1ed63cef4f5f
-
Filesize
168KB
MD54d38d5fa95ebc156e3e17a799f117c4e
SHA1695f5763fae9c36c304056c0ae7affb962648184
SHA256a6ee765de99615472ee2eaaefd3953d0d8b43d34d7fd31e6d1b206419a6c6e8e
SHA512ed01d82972bcf2959e8aef8d60491acd004bba54897f1d390bdde3ee48801904da8b9c6770b53865b51f26be3cefaf2f2a59c6ec58f14ca9b0c3dea1cb3311cb
-
Filesize
168KB
MD54d38d5fa95ebc156e3e17a799f117c4e
SHA1695f5763fae9c36c304056c0ae7affb962648184
SHA256a6ee765de99615472ee2eaaefd3953d0d8b43d34d7fd31e6d1b206419a6c6e8e
SHA512ed01d82972bcf2959e8aef8d60491acd004bba54897f1d390bdde3ee48801904da8b9c6770b53865b51f26be3cefaf2f2a59c6ec58f14ca9b0c3dea1cb3311cb
-
Filesize
168KB
MD51df25c690a1cc8bd56feda4508c5f78b
SHA1d60795afbcbaad273c86b909527e5e6c5d4b8aab
SHA2567b84edd2c5b3024b42395abd7ce6e61e724b5ef51746a37cd26c1fe95e7c1e2c
SHA5125b852e89124d6c71401e4d4e8ae3acb241b18285a8b6570356d2c0abeafdc71138d6ad2fd4ae452b3266b28b9f2b69bf21e515423275922896d6fab9f85ae364