7f476edf87a76837dbc2289279378f2abbfe6f8f742b6bc8b5c1d2f68e593e24

Analysis

max time kernel
161s
max time network
162s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
08/01/2024, 20:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c6bd983a379e9c220909e6fcde99a53.exe
Size

152KB
MD5

4c6bd983a379e9c220909e6fcde99a53
SHA1

407d281368e62a49de3c57d6fd690983af814a66
SHA256

7f476edf87a76837dbc2289279378f2abbfe6f8f742b6bc8b5c1d2f68e593e24
SHA512

d1a249c399d7db4c7c619084532beb7bea1a80313b37188927c0e2cb5193138686ddf2a9ce9e800b92fcb4567de6ddc5155f247dc0a501d892ccbf88656cfced
SSDEEP

3072:3MGRPYYh0ZoY+7DxNUbaxIcz93bOButK+Fov:Q+7DxVh3bHiv

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	4c6bd983a379e9c220909e6fcde99a53.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	juenuay.exe

Executes dropped EXE 1 IoCs

pid	Process
2720	juenuay.exe

Loads dropped DLL 2 IoCs

pid	Process
2200	4c6bd983a379e9c220909e6fcde99a53.exe
2200	4c6bd983a379e9c220909e6fcde99a53.exe

Adds Run key to start application 2 TTPs 51 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\juenuay = "C:\\Users\\Admin\\juenuay.exe /m"	juenuay.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\juenuay = "C:\\Users\\Admin\\juenuay.exe /J"	juenuay.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\juenuay = "C:\\Users\\Admin\\juenuay.exe /q"	juenuay.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\juenuay = "C:\\Users\\Admin\\juenuay.exe /a"	juenuay.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\juenuay = "C:\\Users\\Admin\\juenuay.exe /n"	juenuay.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\juenuay = "C:\\Users\\Admin\\juenuay.exe /i"	juenuay.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\juenuay = "C:\\Users\\Admin\\juenuay.exe /T"	juenuay.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\juenuay = "C:\\Users\\Admin\\juenuay.exe /b"	juenuay.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\juenuay = "C:\\Users\\Admin\\juenuay.exe /K"	juenuay.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\juenuay = "C:\\Users\\Admin\\juenuay.exe /j"	juenuay.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\juenuay = "C:\\Users\\Admin\\juenuay.exe /t"	juenuay.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\juenuay = "C:\\Users\\Admin\\juenuay.exe /z"	juenuay.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\juenuay = "C:\\Users\\Admin\\juenuay.exe /M"	juenuay.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\juenuay = "C:\\Users\\Admin\\juenuay.exe /f"	juenuay.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\juenuay = "C:\\Users\\Admin\\juenuay.exe /R"	juenuay.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\juenuay = "C:\\Users\\Admin\\juenuay.exe /m"	4c6bd983a379e9c220909e6fcde99a53.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\juenuay = "C:\\Users\\Admin\\juenuay.exe /B"	juenuay.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\juenuay = "C:\\Users\\Admin\\juenuay.exe /A"	juenuay.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\juenuay = "C:\\Users\\Admin\\juenuay.exe /U"	juenuay.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\juenuay = "C:\\Users\\Admin\\juenuay.exe /x"	juenuay.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\juenuay = "C:\\Users\\Admin\\juenuay.exe /v"	juenuay.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\juenuay = "C:\\Users\\Admin\\juenuay.exe /D"	juenuay.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\juenuay = "C:\\Users\\Admin\\juenuay.exe /I"	juenuay.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\juenuay = "C:\\Users\\Admin\\juenuay.exe /y"	juenuay.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\juenuay = "C:\\Users\\Admin\\juenuay.exe /p"	juenuay.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\juenuay = "C:\\Users\\Admin\\juenuay.exe /k"	juenuay.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\juenuay = "C:\\Users\\Admin\\juenuay.exe /V"	juenuay.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\juenuay = "C:\\Users\\Admin\\juenuay.exe /e"	juenuay.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\juenuay = "C:\\Users\\Admin\\juenuay.exe /o"	juenuay.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\juenuay = "C:\\Users\\Admin\\juenuay.exe /r"	juenuay.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\juenuay = "C:\\Users\\Admin\\juenuay.exe /S"	juenuay.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\juenuay = "C:\\Users\\Admin\\juenuay.exe /G"	juenuay.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\juenuay = "C:\\Users\\Admin\\juenuay.exe /W"	juenuay.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\juenuay = "C:\\Users\\Admin\\juenuay.exe /C"	juenuay.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\juenuay = "C:\\Users\\Admin\\juenuay.exe /w"	juenuay.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\juenuay = "C:\\Users\\Admin\\juenuay.exe /H"	juenuay.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\juenuay = "C:\\Users\\Admin\\juenuay.exe /P"	juenuay.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\juenuay = "C:\\Users\\Admin\\juenuay.exe /g"	juenuay.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\juenuay = "C:\\Users\\Admin\\juenuay.exe /d"	juenuay.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\juenuay = "C:\\Users\\Admin\\juenuay.exe /u"	juenuay.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\juenuay = "C:\\Users\\Admin\\juenuay.exe /X"	juenuay.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\juenuay = "C:\\Users\\Admin\\juenuay.exe /Q"	juenuay.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\juenuay = "C:\\Users\\Admin\\juenuay.exe /E"	juenuay.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\juenuay = "C:\\Users\\Admin\\juenuay.exe /L"	juenuay.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\juenuay = "C:\\Users\\Admin\\juenuay.exe /s"	juenuay.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\juenuay = "C:\\Users\\Admin\\juenuay.exe /c"	juenuay.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\juenuay = "C:\\Users\\Admin\\juenuay.exe /Z"	juenuay.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\juenuay = "C:\\Users\\Admin\\juenuay.exe /l"	juenuay.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\juenuay = "C:\\Users\\Admin\\juenuay.exe /O"	juenuay.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\juenuay = "C:\\Users\\Admin\\juenuay.exe /F"	juenuay.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\juenuay = "C:\\Users\\Admin\\juenuay.exe /Y"	juenuay.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2200	4c6bd983a379e9c220909e6fcde99a53.exe
2720	juenuay.exe
2720	juenuay.exe
2720	juenuay.exe
2720	juenuay.exe
2720	juenuay.exe
2720	juenuay.exe
2720	juenuay.exe
2720	juenuay.exe
2720	juenuay.exe
2720	juenuay.exe
2720	juenuay.exe
2720	juenuay.exe
2720	juenuay.exe
2720	juenuay.exe
2720	juenuay.exe
2720	juenuay.exe
2720	juenuay.exe
2720	juenuay.exe
2720	juenuay.exe
2720	juenuay.exe
2720	juenuay.exe
2720	juenuay.exe
2720	juenuay.exe
2720	juenuay.exe
2720	juenuay.exe
2720	juenuay.exe
2720	juenuay.exe
2720	juenuay.exe
2720	juenuay.exe
2720	juenuay.exe
2720	juenuay.exe
2720	juenuay.exe
2720	juenuay.exe
2720	juenuay.exe
2720	juenuay.exe
2720	juenuay.exe
2720	juenuay.exe
2720	juenuay.exe
2720	juenuay.exe
2720	juenuay.exe
2720	juenuay.exe
2720	juenuay.exe
2720	juenuay.exe
2720	juenuay.exe
2720	juenuay.exe
2720	juenuay.exe
2720	juenuay.exe
2720	juenuay.exe
2720	juenuay.exe
2720	juenuay.exe
2720	juenuay.exe
2720	juenuay.exe
2720	juenuay.exe
2720	juenuay.exe
2720	juenuay.exe
2720	juenuay.exe
2720	juenuay.exe
2720	juenuay.exe
2720	juenuay.exe
2720	juenuay.exe
2720	juenuay.exe
2720	juenuay.exe
2720	juenuay.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2200	4c6bd983a379e9c220909e6fcde99a53.exe
2720	juenuay.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 2720	2200	4c6bd983a379e9c220909e6fcde99a53.exe	28
PID 2200 wrote to memory of 2720	2200	4c6bd983a379e9c220909e6fcde99a53.exe	28
PID 2200 wrote to memory of 2720	2200	4c6bd983a379e9c220909e6fcde99a53.exe	28
PID 2200 wrote to memory of 2720	2200	4c6bd983a379e9c220909e6fcde99a53.exe	28

C:\Users\Admin\AppData\Local\Temp\4c6bd983a379e9c220909e6fcde99a53.exe
"C:\Users\Admin\AppData\Local\Temp\4c6bd983a379e9c220909e6fcde99a53.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Users\Admin\juenuay.exe
  "C:\Users\Admin\juenuay.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\juenuay.exe

Filesize
80KB

MD5
60cbb0bed172aabc6e348496acdb6fe0

SHA1
e637241fa9fe45a70aa9e2977f7b6481e2756db5

SHA256
18272412261e2de1cab412a9c59848ca71af66f2fd3d428767385f62b5da4be0

SHA512
636d778a0c087bdc546eaf605034ecf675d966e4521d72e37b4b8afdcb83a5786c1a68641067625a73116af382419d85576fbb35cf87542c4d5a13c3716a716a

Download Submit
C:\Users\Admin\juenuay.exe

Filesize
43KB

MD5
c5ab59e7b3cf152d6ad7dd0460d2d9af

SHA1
915f5d3ea1ad6d7c2eb7d6d8b09cf7962366e5fe

SHA256
6af88c4e82672b4898a8bc2d05c8bae95893e9f78206ebbdc9385411718af87b

SHA512
125b04766f507c1e4d946df663f6aa41a558ed0d4afa569ff24dff518fe88008e5a131625e0928f14ab58a1591d3d93df9ca47ba4c2e9252246c43a3b0dad56e

Download Submit
C:\Users\Admin\juenuay.exe

Filesize
60KB

MD5
a9a9310fed16aab485634b82d5028771

SHA1
9087cdad041b461fb3f5e8d1b9894b78c233dc73

SHA256
072d2b0ca0b81af54526dbf64c0b0ca5c53c617e4f9a2254de3dbe24e753637d

SHA512
214a4b1af243993c963bb264a02405ce0394685a8455fe4e206bc878bdb96f385e04bb50a8a591966a2b7e8a876b3cbb4182426dee395980399e66a89e7524b0

Download Submit
\Users\Admin\juenuay.exe

Filesize
27KB

MD5
e89b1b2f6b9313fc037dce5936656ad9

SHA1
3fc6e2a850ee9ea97c4e09b7f80b29086131f0fb

SHA256
77b16f8cf569fa96ae0b3f787927b0d9ca690b3af1c683d4b5eb7a0924b6bef1

SHA512
0bddb21be511c67b806d55a9499c5e4e2673a267df370645adf2e91eed6602b7784a695fec1c53e2551aca36a2f71903c23d27633b14a81004c9c79fb32d2bd4

Download Submit
\Users\Admin\juenuay.exe

Filesize
97KB

MD5
96d77ed8ca7969d12370068abc2cf2c7

SHA1
fdc710cc8460c2c3d106e121cc97e592a44428d9

SHA256
9b8aa31628e7e699cc85eaeea61fab89a8861fa376ecfc7e7fe370fe701d6473

SHA512
175c31a40acc67509ae6a2dbe06694ae181889cfced9cf996e021677d57b02514bc969d267865d0439e1db929a2ae3d50c687116aa9e4f598b2505d02acc78ca

Download Submit