00d785bad69f12e0838413acebeb6bf9b1784a9d004b61698b27c69f6b174bdc

Analysis

max time kernel
155s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2023, 00:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

093735edf11dac4f8ec9a7c61d959ad6.exe
Size

195KB
MD5

093735edf11dac4f8ec9a7c61d959ad6
SHA1

8eec2dde0b66f59fd6cc2206d9b6f3511c46689a
SHA256

00d785bad69f12e0838413acebeb6bf9b1784a9d004b61698b27c69f6b174bdc
SHA512

4ea6a46568c45be21f7393bf2160afc0ec2e7b9b7f6b2fc0d8d300cc9d3dde58e2aca1d3faede156fadbda8d3534eec010fc766352f3fac15aab709be69de1df
SSDEEP

6144:AE06JW+MfwCQUkyBDsQprPSkrRUdKB5Ki45QlcN:AF6bMjmyBAGbX2Yf45YcN

Score

10^/10

persistence upx

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe"	093735edf11dac4f8ec9a7c61d959ad6.exe

Executes dropped EXE 1 IoCs

pid	Process
4424	jhv.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2716-0-0x0000000000400000-0x0000000000478000-memory.dmp	upx
behavioral2/memory/2716-1-0x0000000000400000-0x0000000000478000-memory.dmp	upx
behavioral2/memory/2716-2-0x0000000000400000-0x0000000000478000-memory.dmp	upx
behavioral2/files/0x000200000001e7f0-14.dat	upx
behavioral2/memory/4424-15-0x0000000000400000-0x000000000041E000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSConfig = "C:\\Users\\Admin\\jhv.exe \\u"	093735edf11dac4f8ec9a7c61d959ad6.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\secupdat.dat	093735edf11dac4f8ec9a7c61d959ad6.exe
File created	C:\Windows\SysWOW64\secupdat.dat	093735edf11dac4f8ec9a7c61d959ad6.exe
File opened for modification	C:\Windows\SysWOW64\secupdat.dat	jhv.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4424 set thread context of 1464	4424	jhv.exe	100

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3664	2716	WerFault.exe	68
2100	1464	WerFault.exe	100

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2716 wrote to memory of 4424	2716	093735edf11dac4f8ec9a7c61d959ad6.exe	98
PID 2716 wrote to memory of 4424	2716	093735edf11dac4f8ec9a7c61d959ad6.exe	98
PID 2716 wrote to memory of 4424	2716	093735edf11dac4f8ec9a7c61d959ad6.exe	98
PID 2716 wrote to memory of 3664	2716	093735edf11dac4f8ec9a7c61d959ad6.exe	99
PID 2716 wrote to memory of 3664	2716	093735edf11dac4f8ec9a7c61d959ad6.exe	99
PID 2716 wrote to memory of 3664	2716	093735edf11dac4f8ec9a7c61d959ad6.exe	99
PID 4424 wrote to memory of 1464	4424	jhv.exe	100
PID 4424 wrote to memory of 1464	4424	jhv.exe	100
PID 4424 wrote to memory of 1464	4424	jhv.exe	100
PID 4424 wrote to memory of 1464	4424	jhv.exe	100
PID 4424 wrote to memory of 1464	4424	jhv.exe	100
PID 4424 wrote to memory of 1464	4424	jhv.exe	100
PID 4424 wrote to memory of 1464	4424	jhv.exe	100
PID 4424 wrote to memory of 1464	4424	jhv.exe	100
PID 4424 wrote to memory of 1464	4424	jhv.exe	100
PID 4424 wrote to memory of 1464	4424	jhv.exe	100
PID 4424 wrote to memory of 1464	4424	jhv.exe	100
PID 4424 wrote to memory of 1464	4424	jhv.exe	100
PID 4424 wrote to memory of 1464	4424	jhv.exe	100
PID 4424 wrote to memory of 1464	4424	jhv.exe	100
PID 4424 wrote to memory of 1464	4424	jhv.exe	100
PID 4424 wrote to memory of 1464	4424	jhv.exe	100
PID 4424 wrote to memory of 1464	4424	jhv.exe	100
PID 4424 wrote to memory of 1464	4424	jhv.exe	100
PID 4424 wrote to memory of 1464	4424	jhv.exe	100
PID 4424 wrote to memory of 1464	4424	jhv.exe	100
PID 4424 wrote to memory of 1464	4424	jhv.exe	100
PID 4424 wrote to memory of 1464	4424	jhv.exe	100
PID 4424 wrote to memory of 1464	4424	jhv.exe	100
PID 4424 wrote to memory of 1464	4424	jhv.exe	100
PID 4424 wrote to memory of 1464	4424	jhv.exe	100
PID 4424 wrote to memory of 1464	4424	jhv.exe	100
PID 4424 wrote to memory of 1464	4424	jhv.exe	100
PID 4424 wrote to memory of 1464	4424	jhv.exe	100
PID 4424 wrote to memory of 1464	4424	jhv.exe	100
PID 4424 wrote to memory of 1464	4424	jhv.exe	100
PID 4424 wrote to memory of 1464	4424	jhv.exe	100
PID 4424 wrote to memory of 1464	4424	jhv.exe	100
PID 4424 wrote to memory of 1464	4424	jhv.exe	100
PID 4424 wrote to memory of 1464	4424	jhv.exe	100
PID 4424 wrote to memory of 1464	4424	jhv.exe	100
PID 4424 wrote to memory of 1464	4424	jhv.exe	100
PID 4424 wrote to memory of 1464	4424	jhv.exe	100
PID 4424 wrote to memory of 1464	4424	jhv.exe	100
PID 4424 wrote to memory of 1464	4424	jhv.exe	100
PID 4424 wrote to memory of 1464	4424	jhv.exe	100
PID 4424 wrote to memory of 1464	4424	jhv.exe	100
PID 4424 wrote to memory of 1464	4424	jhv.exe	100
PID 4424 wrote to memory of 1464	4424	jhv.exe	100
PID 4424 wrote to memory of 1464	4424	jhv.exe	100
PID 4424 wrote to memory of 1464	4424	jhv.exe	100
PID 4424 wrote to memory of 1464	4424	jhv.exe	100
PID 4424 wrote to memory of 1464	4424	jhv.exe	100
PID 4424 wrote to memory of 1464	4424	jhv.exe	100
PID 4424 wrote to memory of 1464	4424	jhv.exe	100
PID 4424 wrote to memory of 1464	4424	jhv.exe	100
PID 4424 wrote to memory of 1464	4424	jhv.exe	100
PID 4424 wrote to memory of 1464	4424	jhv.exe	100
PID 4424 wrote to memory of 1464	4424	jhv.exe	100
PID 4424 wrote to memory of 1464	4424	jhv.exe	100
PID 4424 wrote to memory of 1464	4424	jhv.exe	100
PID 4424 wrote to memory of 1464	4424	jhv.exe	100
PID 4424 wrote to memory of 1464	4424	jhv.exe	100
PID 4424 wrote to memory of 1464	4424	jhv.exe	100

C:\Users\Admin\AppData\Local\Temp\093735edf11dac4f8ec9a7c61d959ad6.exe
"C:\Users\Admin\AppData\Local\Temp\093735edf11dac4f8ec9a7c61d959ad6.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Users\Admin\jhv.exe
  \u
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4424
- - C:\Windows\SysWOW64\svchost.exe
    svchost.exe
    3⤵
    PID:1464
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1464 -s 268
      4⤵
      Program crash
      PID:2100
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 500
  2⤵
  - Program crash
  PID:3664

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2716 -ip 2716
1⤵
PID:1420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2716 -ip 2716
1⤵
PID:1976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 1464 -ip 1464
1⤵
PID:1896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\jhv.exe

Filesize
18KB

MD5
37a74e95fd4ecaaa3048e1f05dc55280

SHA1
d8bc42cb8b9c04a9b993f7b98b43251d107bff59

SHA256
dfbe244d8100090dcac04b6f254381f2a322814281f27b1ac1da326634421f83

SHA512
337de5a38fff8dc2ee46d7c68fa5afbd50e69154d446ddad7acabe0270c56d1bd26146151922a804990b12f3ab983ebe6f747d947135cfb1ceb9e83fbe5e2530

Download Submit
C:\Windows\SysWOW64\secupdat.dat

Filesize
44KB

MD5
d3e60058140956006eb1b5fc7a16aadb

SHA1
859ce6612957d444c4799aadc96053db929ce2f9

SHA256
0d441d98d8e1e0406a7794a96378a73aa6c052f32192efabc77a1c3ab72578ec

SHA512
4daf8640316aa30519b05aee4697ebd941688acfbd9f719bdcdb3377ab4cd16acd7b83b6d746c7a67cfa60e13413b78e50af5d9a1e4eadd7313c699047da9982

Download Submit
memory/1464-34-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/1464-33-0x0000000002610000-0x0000000002611000-memory.dmp

Filesize
4KB

Download
memory/1464-32-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/1464-20-0x0000000009900000-0x000000000990E000-memory.dmp

Filesize
56KB

Download
memory/2716-3-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2716-17-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2716-11-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/2716-0-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2716-2-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/2716-1-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/4424-18-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4424-15-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/4424-28-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads