23ff05a360b2f185a2b94ef4c63d47d6c692c92a666d9a5d67dcc13ef75e67a9

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
28/12/2023, 21:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f7f76e16c35250221be9ce8db4f9813f.exe
Size

124KB
MD5

f7f76e16c35250221be9ce8db4f9813f
SHA1

6f5e8cfe352ac2fabad3f538a4ecf48408b85b26
SHA256

23ff05a360b2f185a2b94ef4c63d47d6c692c92a666d9a5d67dcc13ef75e67a9
SHA512

ac8e2e5da7409f1c2c3cf8078637e9108eebd7835120b7b29f8d97bc3743bd9e894a1735285d303a8c7c20bb7323eb188ac61245cb0131afe9dfd756d53fb79a
SSDEEP

1536:eeb5EF53W/67NxkiQixA+alh98r8Y9USv1jy3wo7JaS4:pb5EF53W/67gjH8ri8ewQq

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	f7f76e16c35250221be9ce8db4f9813f.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	jiupuiq.exe

Executes dropped EXE 1 IoCs

pid	Process
1272	jiupuiq.exe

Loads dropped DLL 2 IoCs

pid	Process
1700	f7f76e16c35250221be9ce8db4f9813f.exe
1700	f7f76e16c35250221be9ce8db4f9813f.exe

Adds Run key to start application 2 TTPs 53 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\jiupuiq = "C:\\Users\\Admin\\jiupuiq.exe /N"	jiupuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\jiupuiq = "C:\\Users\\Admin\\jiupuiq.exe /T"	jiupuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\jiupuiq = "C:\\Users\\Admin\\jiupuiq.exe /L"	jiupuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\jiupuiq = "C:\\Users\\Admin\\jiupuiq.exe /X"	jiupuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\jiupuiq = "C:\\Users\\Admin\\jiupuiq.exe /R"	jiupuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\jiupuiq = "C:\\Users\\Admin\\jiupuiq.exe /s"	jiupuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\jiupuiq = "C:\\Users\\Admin\\jiupuiq.exe /x"	jiupuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\jiupuiq = "C:\\Users\\Admin\\jiupuiq.exe /E"	jiupuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\jiupuiq = "C:\\Users\\Admin\\jiupuiq.exe /e"	jiupuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\jiupuiq = "C:\\Users\\Admin\\jiupuiq.exe /p"	jiupuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\jiupuiq = "C:\\Users\\Admin\\jiupuiq.exe /J"	jiupuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\jiupuiq = "C:\\Users\\Admin\\jiupuiq.exe /n"	jiupuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\jiupuiq = "C:\\Users\\Admin\\jiupuiq.exe /u"	jiupuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\jiupuiq = "C:\\Users\\Admin\\jiupuiq.exe /F"	jiupuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\jiupuiq = "C:\\Users\\Admin\\jiupuiq.exe /c"	jiupuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\jiupuiq = "C:\\Users\\Admin\\jiupuiq.exe /D"	jiupuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\jiupuiq = "C:\\Users\\Admin\\jiupuiq.exe /U"	jiupuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\jiupuiq = "C:\\Users\\Admin\\jiupuiq.exe /E"	f7f76e16c35250221be9ce8db4f9813f.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\jiupuiq = "C:\\Users\\Admin\\jiupuiq.exe /k"	jiupuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\jiupuiq = "C:\\Users\\Admin\\jiupuiq.exe /b"	jiupuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\jiupuiq = "C:\\Users\\Admin\\jiupuiq.exe /B"	jiupuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\jiupuiq = "C:\\Users\\Admin\\jiupuiq.exe /V"	jiupuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\jiupuiq = "C:\\Users\\Admin\\jiupuiq.exe /j"	jiupuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\jiupuiq = "C:\\Users\\Admin\\jiupuiq.exe /f"	jiupuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\jiupuiq = "C:\\Users\\Admin\\jiupuiq.exe /i"	jiupuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\jiupuiq = "C:\\Users\\Admin\\jiupuiq.exe /G"	jiupuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\jiupuiq = "C:\\Users\\Admin\\jiupuiq.exe /H"	jiupuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\jiupuiq = "C:\\Users\\Admin\\jiupuiq.exe /z"	jiupuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\jiupuiq = "C:\\Users\\Admin\\jiupuiq.exe /d"	jiupuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\jiupuiq = "C:\\Users\\Admin\\jiupuiq.exe /o"	jiupuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\jiupuiq = "C:\\Users\\Admin\\jiupuiq.exe /a"	jiupuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\jiupuiq = "C:\\Users\\Admin\\jiupuiq.exe /h"	jiupuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\jiupuiq = "C:\\Users\\Admin\\jiupuiq.exe /A"	jiupuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\jiupuiq = "C:\\Users\\Admin\\jiupuiq.exe /Y"	jiupuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\jiupuiq = "C:\\Users\\Admin\\jiupuiq.exe /m"	jiupuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\jiupuiq = "C:\\Users\\Admin\\jiupuiq.exe /W"	jiupuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\jiupuiq = "C:\\Users\\Admin\\jiupuiq.exe /O"	jiupuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\jiupuiq = "C:\\Users\\Admin\\jiupuiq.exe /Q"	jiupuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\jiupuiq = "C:\\Users\\Admin\\jiupuiq.exe /l"	jiupuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\jiupuiq = "C:\\Users\\Admin\\jiupuiq.exe /I"	jiupuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\jiupuiq = "C:\\Users\\Admin\\jiupuiq.exe /w"	jiupuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\jiupuiq = "C:\\Users\\Admin\\jiupuiq.exe /q"	jiupuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\jiupuiq = "C:\\Users\\Admin\\jiupuiq.exe /K"	jiupuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\jiupuiq = "C:\\Users\\Admin\\jiupuiq.exe /M"	jiupuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\jiupuiq = "C:\\Users\\Admin\\jiupuiq.exe /S"	jiupuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\jiupuiq = "C:\\Users\\Admin\\jiupuiq.exe /P"	jiupuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\jiupuiq = "C:\\Users\\Admin\\jiupuiq.exe /Z"	jiupuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\jiupuiq = "C:\\Users\\Admin\\jiupuiq.exe /y"	jiupuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\jiupuiq = "C:\\Users\\Admin\\jiupuiq.exe /r"	jiupuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\jiupuiq = "C:\\Users\\Admin\\jiupuiq.exe /t"	jiupuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\jiupuiq = "C:\\Users\\Admin\\jiupuiq.exe /g"	jiupuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\jiupuiq = "C:\\Users\\Admin\\jiupuiq.exe /v"	jiupuiq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1268429524-3929314613-1992311491-1000\Software\Microsoft\Windows\CurrentVersion\Run\jiupuiq = "C:\\Users\\Admin\\jiupuiq.exe /C"	jiupuiq.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1700	f7f76e16c35250221be9ce8db4f9813f.exe
1272	jiupuiq.exe
1272	jiupuiq.exe
1272	jiupuiq.exe
1272	jiupuiq.exe
1272	jiupuiq.exe
1272	jiupuiq.exe
1272	jiupuiq.exe
1272	jiupuiq.exe
1272	jiupuiq.exe
1272	jiupuiq.exe
1272	jiupuiq.exe
1272	jiupuiq.exe
1272	jiupuiq.exe
1272	jiupuiq.exe
1272	jiupuiq.exe
1272	jiupuiq.exe
1272	jiupuiq.exe
1272	jiupuiq.exe
1272	jiupuiq.exe
1272	jiupuiq.exe
1272	jiupuiq.exe
1272	jiupuiq.exe
1272	jiupuiq.exe
1272	jiupuiq.exe
1272	jiupuiq.exe
1272	jiupuiq.exe
1272	jiupuiq.exe
1272	jiupuiq.exe
1272	jiupuiq.exe
1272	jiupuiq.exe
1272	jiupuiq.exe
1272	jiupuiq.exe
1272	jiupuiq.exe
1272	jiupuiq.exe
1272	jiupuiq.exe
1272	jiupuiq.exe
1272	jiupuiq.exe
1272	jiupuiq.exe
1272	jiupuiq.exe
1272	jiupuiq.exe
1272	jiupuiq.exe
1272	jiupuiq.exe
1272	jiupuiq.exe
1272	jiupuiq.exe
1272	jiupuiq.exe
1272	jiupuiq.exe
1272	jiupuiq.exe
1272	jiupuiq.exe
1272	jiupuiq.exe
1272	jiupuiq.exe
1272	jiupuiq.exe
1272	jiupuiq.exe
1272	jiupuiq.exe
1272	jiupuiq.exe
1272	jiupuiq.exe
1272	jiupuiq.exe
1272	jiupuiq.exe
1272	jiupuiq.exe
1272	jiupuiq.exe
1272	jiupuiq.exe
1272	jiupuiq.exe
1272	jiupuiq.exe
1272	jiupuiq.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1700	f7f76e16c35250221be9ce8db4f9813f.exe
1272	jiupuiq.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 1272	1700	f7f76e16c35250221be9ce8db4f9813f.exe	28
PID 1700 wrote to memory of 1272	1700	f7f76e16c35250221be9ce8db4f9813f.exe	28
PID 1700 wrote to memory of 1272	1700	f7f76e16c35250221be9ce8db4f9813f.exe	28
PID 1700 wrote to memory of 1272	1700	f7f76e16c35250221be9ce8db4f9813f.exe	28

C:\Users\Admin\AppData\Local\Temp\f7f76e16c35250221be9ce8db4f9813f.exe
"C:\Users\Admin\AppData\Local\Temp\f7f76e16c35250221be9ce8db4f9813f.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Users\Admin\jiupuiq.exe
  "C:\Users\Admin\jiupuiq.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\jiupuiq.exe

Filesize
52KB

MD5
70fbbcc8d6f03358596441834592e70e

SHA1
60711bb1fe08497fda8673a4d51bd3e2ad4cd842

SHA256
4bc50a8e7728f49f17428cb98b36ed05cb54a8054742222d180b100992554259

SHA512
d1c826c5d67c91d8574cfbc7182bc5b196167013e595f2c0459a2f325f6e2f662668509c4af3bebd6eb0bdcfcdfacb0562a1757188d7a88537635d17d10a594c

Download Submit
C:\Users\Admin\jiupuiq.exe

Filesize
13KB

MD5
4b301b6e9a2272e894c265ec2727503b

SHA1
ddeb38740f7302651bbef857246d672f8384e3ce

SHA256
d2eb83d770a63e344031de0e07195174c77c05b74d447bbe81209a19ede4ff75

SHA512
53c981713628849772dd40c0d5dd07e26ac0b32459d7e9944b28fea78f600f595214f977dfaba89f5c319da4774765f7ae80eda859cfd3533d08dd829fc15ff9

Download Submit
C:\Users\Admin\jiupuiq.exe

Filesize
58KB

MD5
b5261efa16b315f8c4d745ebba93b537

SHA1
cd61abf097280b39d7be243cf010800a39a69cd7

SHA256
39b0b0f57960d1b33315768e3a28de985c8b5c3f85895c33d89e15140745ae91

SHA512
397a03a6043c15c73354dc489771ef8ec98b572b517b9621614094019a715784dab128fc4c3bef063d843ea7ced84a8356f25955426efbdaa57c5b16e8c3cfcd

Download Submit
\Users\Admin\jiupuiq.exe

Filesize
71KB

MD5
46bc9a9768f56c632b20f9d18cf85128

SHA1
2abfa91469ab6b85b75126e237ea882f500ccbb8

SHA256
687d145a0f191bce340a70ce10b65217f7137850ade6f2206912e979a533b769

SHA512
3bfe60021a1b85910447b3a7eac500102ba26bdf32fba0235b87a5b92501a9b580fc78e177b29072f186a12b0f9c7a6b74bc6d8df647fdcbeb227525642bdd0f

Download Submit
\Users\Admin\jiupuiq.exe

Filesize
45KB

MD5
91da7b4482f935f25bd6ce319a07b851

SHA1
71f85a5a9b09bfc58402fbcd62a341ae2a658ac2

SHA256
11c0e276c9b5a919f077a11db46a34cdccc93aa45d9ba9dbc3317521116ad9fa

SHA512
e8624c7372d9917562a4e878158e73b387f94d34f2338380ae8cfa14337607ff6e0f819bf212b36ec6dcba24f8d51b75c7f31a7fbf62829565766f8cb2a6b55c

Download Submit