2c737c96911bd64fc1726837b03e8d34b424058af6a181e6126c6d9a6bcdfb3f

Analysis

max time kernel
143s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
10/10/2023, 18:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEAS.67209864b1c1c8d0b575eee8cd0942b7_JC.exe
Size

480KB
MD5

67209864b1c1c8d0b575eee8cd0942b7
SHA1

23fe08f5119ebbb5dabe1975ea7aaa20658f4182
SHA256

2c737c96911bd64fc1726837b03e8d34b424058af6a181e6126c6d9a6bcdfb3f
SHA512

e767c6968f77a4fa1f39dc5e85ffab5af3fe1ff100e390fb4b892af8bc29b06edbef3b0bdc279d11414d08f4ad24566b26355945910412f99ce52e639e440b3e
SSDEEP

6144:2dspDeDrxkg/vrMuJIgwhEFHyOrJcX/Pgqwzm5IzkWjS4e4azExBKO1t4Kb70NqO:M8kxNhOZElO5kkWjhD4Ay

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4360	SCBSJYX.EXE

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1088-0-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral2/files/0x000100000000002b-10.dat	upx
behavioral2/files/0x000100000000002a-21.dat	upx
behavioral2/files/0x000100000000002a-22.dat	upx
behavioral2/memory/1088-25-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral2/memory/4360-24-0x0000000000400000-0x0000000000470000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\REJLU.EXE = "C:\\Program Files (x86)\\REJLU.EXE"	NEAS.67209864b1c1c8d0b575eee8cd0942b7_JC.exe

Enumerates connected drives 3 TTPs 34 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	NEAS.67209864b1c1c8d0b575eee8cd0942b7_JC.exe
File opened (read-only)	\??\J:	NEAS.67209864b1c1c8d0b575eee8cd0942b7_JC.exe
File opened (read-only)	\??\O:	NEAS.67209864b1c1c8d0b575eee8cd0942b7_JC.exe
File opened (read-only)	\??\N:	SCBSJYX.EXE
File opened (read-only)	\??\E:	NEAS.67209864b1c1c8d0b575eee8cd0942b7_JC.exe
File opened (read-only)	\??\L:	NEAS.67209864b1c1c8d0b575eee8cd0942b7_JC.exe
File opened (read-only)	\??\E:	SCBSJYX.EXE
File opened (read-only)	\??\O:	SCBSJYX.EXE
File opened (read-only)	\??\T:	SCBSJYX.EXE
File opened (read-only)	\??\S:	SCBSJYX.EXE
File opened (read-only)	\??\U:	SCBSJYX.EXE
File opened (read-only)	\??\I:	NEAS.67209864b1c1c8d0b575eee8cd0942b7_JC.exe
File opened (read-only)	\??\M:	NEAS.67209864b1c1c8d0b575eee8cd0942b7_JC.exe
File opened (read-only)	\??\S:	NEAS.67209864b1c1c8d0b575eee8cd0942b7_JC.exe
File opened (read-only)	\??\G:	SCBSJYX.EXE
File opened (read-only)	\??\I:	SCBSJYX.EXE
File opened (read-only)	\??\T:	NEAS.67209864b1c1c8d0b575eee8cd0942b7_JC.exe
File opened (read-only)	\??\U:	NEAS.67209864b1c1c8d0b575eee8cd0942b7_JC.exe
File opened (read-only)	\??\H:	SCBSJYX.EXE
File opened (read-only)	\??\K:	SCBSJYX.EXE
File opened (read-only)	\??\V:	SCBSJYX.EXE
File opened (read-only)	\??\V:	NEAS.67209864b1c1c8d0b575eee8cd0942b7_JC.exe
File opened (read-only)	\??\L:	SCBSJYX.EXE
File opened (read-only)	\??\N:	NEAS.67209864b1c1c8d0b575eee8cd0942b7_JC.exe
File opened (read-only)	\??\J:	SCBSJYX.EXE
File opened (read-only)	\??\P:	NEAS.67209864b1c1c8d0b575eee8cd0942b7_JC.exe
File opened (read-only)	\??\Q:	NEAS.67209864b1c1c8d0b575eee8cd0942b7_JC.exe
File opened (read-only)	\??\R:	SCBSJYX.EXE
File opened (read-only)	\??\Q:	SCBSJYX.EXE
File opened (read-only)	\??\G:	NEAS.67209864b1c1c8d0b575eee8cd0942b7_JC.exe
File opened (read-only)	\??\K:	NEAS.67209864b1c1c8d0b575eee8cd0942b7_JC.exe
File opened (read-only)	\??\R:	NEAS.67209864b1c1c8d0b575eee8cd0942b7_JC.exe
File opened (read-only)	\??\M:	SCBSJYX.EXE
File opened (read-only)	\??\P:	SCBSJYX.EXE

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\REJLU.EXE	NEAS.67209864b1c1c8d0b575eee8cd0942b7_JC.exe
File opened for modification	C:\Program Files (x86)\REJLU.EXE	NEAS.67209864b1c1c8d0b575eee8cd0942b7_JC.exe
File created	C:\Program Files\KWDH.EXE	SCBSJYX.EXE
File created	C:\Program Files (x86)\DGCRB.EXE	NEAS.67209864b1c1c8d0b575eee8cd0942b7_JC.exe
File opened for modification	C:\Program Files (x86)\DGCRB.EXE	NEAS.67209864b1c1c8d0b575eee8cd0942b7_JC.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\DKAXILS.EXE	SCBSJYX.EXE

Modifies registry class 31 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file	SCBSJYX.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell	SCBSJYX.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile	SCBSJYX.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell\open\command\ = "C:\\Program Files (x86)\\DGCRB.EXE %1"	NEAS.67209864b1c1c8d0b575eee8cd0942b7_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Program Files (x86)\\DGCRB.EXE %1"	NEAS.67209864b1c1c8d0b575eee8cd0942b7_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell\open\command	NEAS.67209864b1c1c8d0b575eee8cd0942b7_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell	NEAS.67209864b1c1c8d0b575eee8cd0942b7_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command	NEAS.67209864b1c1c8d0b575eee8cd0942b7_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open\command\ = "C:\\Program Files (x86)\\REJLU.EXE \"%1\" %*"	NEAS.67209864b1c1c8d0b575eee8cd0942b7_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command	SCBSJYX.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command	SCBSJYX.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command	NEAS.67209864b1c1c8d0b575eee8cd0942b7_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command\ = "C:\\Program Files (x86)\\REJLU.EXE %1"	NEAS.67209864b1c1c8d0b575eee8cd0942b7_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open	SCBSJYX.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell	SCBSJYX.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile	SCBSJYX.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell	SCBSJYX.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell\open	NEAS.67209864b1c1c8d0b575eee8cd0942b7_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open	NEAS.67209864b1c1c8d0b575eee8cd0942b7_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile	NEAS.67209864b1c1c8d0b575eee8cd0942b7_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile	SCBSJYX.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell\open\command	SCBSJYX.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell\open	SCBSJYX.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open	SCBSJYX.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file	NEAS.67209864b1c1c8d0b575eee8cd0942b7_JC.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open\command\ = "F:\\$RECYCLE.BIN\\KSFBLBL.EXE \"%1\""	NEAS.67209864b1c1c8d0b575eee8cd0942b7_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell	SCBSJYX.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open\command	SCBSJYX.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell	NEAS.67209864b1c1c8d0b575eee8cd0942b7_JC.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open	SCBSJYX.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open\command	NEAS.67209864b1c1c8d0b575eee8cd0942b7_JC.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1088 wrote to memory of 4360	1088	NEAS.67209864b1c1c8d0b575eee8cd0942b7_JC.exe	85
PID 1088 wrote to memory of 4360	1088	NEAS.67209864b1c1c8d0b575eee8cd0942b7_JC.exe	85
PID 1088 wrote to memory of 4360	1088	NEAS.67209864b1c1c8d0b575eee8cd0942b7_JC.exe	85

C:\Users\Admin\AppData\Local\Temp\NEAS.67209864b1c1c8d0b575eee8cd0942b7_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.67209864b1c1c8d0b575eee8cd0942b7_JC.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1088
- F:\$RECYCLE.BIN\SCBSJYX.EXE
  F:\$RECYCLE.BIN\SCBSJYX.EXE
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  PID:4360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

F:\$RECYCLE.BIN\KSFBLBL.EXE

Filesize
481KB

MD5
d19f51159340387685931935530de76d

SHA1
65fee225ce2858e7c44e1ef299866669fd080436

SHA256
417b8cfbb14ecaa8a880090239974cc0e08ed5bbcdcc6b92213729e91402d5ae

SHA512
e4aaf9ef0a95f4756c04aead5d5d96bf99fbaae5d043ff09fb0b65b83c257c11153dde31322201c456c0af9b7974f7fbbdb9f5c21b520868ed566d549fadbd20

Download Submit
F:\$RECYCLE.BIN\SCBSJYX.EXE

Filesize
481KB

MD5
0a5441b20f11398c93c3e371e786434a

SHA1
4e6446d691d67802ba09bc05adc834a2a0ebb121

SHA256
2871057c46d6a9422e86e3d60972da1c204e2642a1b5e348480c84dabd02dec1

SHA512
9c912f75be68af7f1576fa94e98b8e02fe39f52a86b6dfaab6819d40b6527f3f93aab8d482d094ae8c3571540721ddf2198e8e6991c00bcabfe5bb933d5cf33a

Download Submit
F:\$RECYCLE.BIN\SCBSJYX.EXE

Filesize
481KB

MD5
0a5441b20f11398c93c3e371e786434a

SHA1
4e6446d691d67802ba09bc05adc834a2a0ebb121

SHA256
2871057c46d6a9422e86e3d60972da1c204e2642a1b5e348480c84dabd02dec1

SHA512
9c912f75be68af7f1576fa94e98b8e02fe39f52a86b6dfaab6819d40b6527f3f93aab8d482d094ae8c3571540721ddf2198e8e6991c00bcabfe5bb933d5cf33a

Download Submit
memory/1088-0-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1088-1-0x0000000000A60000-0x0000000000A61000-memory.dmp

Filesize
4KB

Download
memory/1088-25-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/4360-23-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/4360-24-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads