9def32e5ab958f991d8a04b1dd9d094c3969dad264b8d4e60f0a0422712ef68e

General

Target

57628bd4b03cdc9077aa84f14e666692.exe
Size

3.4MB
MD5

57628bd4b03cdc9077aa84f14e666692
SHA1

c663a59f148141a7c67ea57dbb6d38892a53ea7c
SHA256

9def32e5ab958f991d8a04b1dd9d094c3969dad264b8d4e60f0a0422712ef68e
SHA512

c62a6f2176999f1e82cc320038d105a15a2bcfaa13b294849cea71c32bf8227c828478c2d3b3c9a40e61ab220466f8237b8c2655507573bc7899c322111350f4
SSDEEP

98304:H8p7eYDOlsIH60wwp2lkCOHv7uYeESYcj2:H81eTXp2lQKj

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uxJsnIf.exe	57628bd4b03cdc9077aa84f14e666692.exe

Executes dropped EXE 2 IoCs

pid	Process
2668	uxJsnIf.exe
2760	uxJsnIf.exe

Loads dropped DLL 3 IoCs

pid	Process
2644	57628bd4b03cdc9077aa84f14e666692.exe
2644	57628bd4b03cdc9077aa84f14e666692.exe
2668	uxJsnIf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1732	2056	WerFault.exe	32

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
2760	uxJsnIf.exe
2760	uxJsnIf.exe
2760	uxJsnIf.exe
2760	uxJsnIf.exe
2760	uxJsnIf.exe
2760	uxJsnIf.exe
2760	uxJsnIf.exe
2760	uxJsnIf.exe
2760	uxJsnIf.exe
2760	uxJsnIf.exe
2760	uxJsnIf.exe
2760	uxJsnIf.exe
2760	uxJsnIf.exe
2760	uxJsnIf.exe
2760	uxJsnIf.exe
2760	uxJsnIf.exe
2760	uxJsnIf.exe
2056	cmd.exe
2056	cmd.exe
2056	cmd.exe
2056	cmd.exe
2056	cmd.exe
2056	cmd.exe
2056	cmd.exe
2056	cmd.exe
2056	cmd.exe
2056	cmd.exe
2056	cmd.exe
2056	cmd.exe
2056	cmd.exe
2056	cmd.exe
2056	cmd.exe
2056	cmd.exe
2056	cmd.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2944 wrote to memory of 2644	2944	57628bd4b03cdc9077aa84f14e666692.exe	28
PID 2944 wrote to memory of 2644	2944	57628bd4b03cdc9077aa84f14e666692.exe	28
PID 2944 wrote to memory of 2644	2944	57628bd4b03cdc9077aa84f14e666692.exe	28
PID 2944 wrote to memory of 2644	2944	57628bd4b03cdc9077aa84f14e666692.exe	28
PID 2644 wrote to memory of 2668	2644	57628bd4b03cdc9077aa84f14e666692.exe	30
PID 2644 wrote to memory of 2668	2644	57628bd4b03cdc9077aa84f14e666692.exe	30
PID 2644 wrote to memory of 2668	2644	57628bd4b03cdc9077aa84f14e666692.exe	30
PID 2644 wrote to memory of 2668	2644	57628bd4b03cdc9077aa84f14e666692.exe	30
PID 2668 wrote to memory of 2760	2668	uxJsnIf.exe	31
PID 2668 wrote to memory of 2760	2668	uxJsnIf.exe	31
PID 2668 wrote to memory of 2760	2668	uxJsnIf.exe	31
PID 2668 wrote to memory of 2760	2668	uxJsnIf.exe	31
PID 2760 wrote to memory of 2056	2760	uxJsnIf.exe	32
PID 2760 wrote to memory of 2056	2760	uxJsnIf.exe	32
PID 2760 wrote to memory of 2056	2760	uxJsnIf.exe	32
PID 2760 wrote to memory of 2056	2760	uxJsnIf.exe	32
PID 2760 wrote to memory of 2056	2760	uxJsnIf.exe	32
PID 2760 wrote to memory of 2056	2760	uxJsnIf.exe	32
PID 2056 wrote to memory of 1732	2056	cmd.exe	34
PID 2056 wrote to memory of 1732	2056	cmd.exe	34
PID 2056 wrote to memory of 1732	2056	cmd.exe	34
PID 2056 wrote to memory of 1732	2056	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\57628bd4b03cdc9077aa84f14e666692.exe
"C:\Users\Admin\AppData\Local\Temp\57628bd4b03cdc9077aa84f14e666692.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2944
- C:\Users\Admin\AppData\Local\Temp\57628bd4b03cdc9077aa84f14e666692.exe
  "C:\Users\Admin\AppData\Local\Temp\57628bd4b03cdc9077aa84f14e666692.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uxJsnIf.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uxJsnIf.exe" "C:\Users\Admin\AppData\Local\Temp\57628bd4b03cdc9077aa84f14e666692.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uxJsnIf.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uxJsnIf.exe" "C:\Users\Admin\AppData\Local\Temp\57628bd4b03cdc9077aa84f14e666692.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2760
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\SysWOW64\cmd.exe"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2056
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2056 -s 368
        6⤵
        Program crash
        
        PID:1732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uxJsnIf.exe

Filesize
932KB

MD5
2bd192e0011a9c9c99102e52d7a2c546

SHA1
0ad5117c417b454c2aa7778504fd029c1be0757e

SHA256
de99fc1152fa4ac567932c2bb4125e8c700022ec95d9020b44a0ce8e4155e76d

SHA512
ee7921c9a6ca6e0f5e37c27503416d12f09af466c4da03fead92c16feeec9a82538fdb085abf2750c4d030ed9d943ae6ad08964e245c1893eae87bdd3df43a22

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uxJsnIf.exe

Filesize
879KB

MD5
beebdab877a9bfbb7fe5f9b4c94692d1

SHA1
4b7dffbf3e2c03a0a7b19e929bc9852d54fe7471

SHA256
704744ff93dbd3ae315b9ba1e57351d14fcedc7974e46fed7dcb6a8e7090ae4b

SHA512
283ae75c3ce27ee47121f782509912926193f1b93605658081192b7ef5d239660cf00f8d33753a8056c05b9cb2c9077a19758a87dd0ece538ca2b2d9d2f42202

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uxJsnIf.exe

Filesize
615KB

MD5
54a9cafdfa52f51d53afaa916af0ed76

SHA1
8e559ce385d679ffe2532b9a9bd38f1d6f728e75

SHA256
44f39a96c5dba4de1449d7d605db7a9adad2f5640df449c1f73e1f0203c0643f

SHA512
5a23f7eaa99d5515f5f73d136a4424cfc462743684ba05d15b4214fc1e4c346b4e9d90c1dbc3cf34fd5a6d4f0b9d3c60a0c262cd03e1d915d5f09bc5aa4a1028

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uxJsnIf.exe

Filesize
973KB

MD5
bd628bea22ffd5d1212213d70a74dbf1

SHA1
5a05e7e1d03a0f99f4b47ef085a4dee24b72843a

SHA256
2f2b14b782fe70522747e03affcdf58bf98b7964f329c314925fb4b2959051a5

SHA512
f2556d9c5ff1743a76206d5e24a2b8121729e14e3c2a0ec17f7a9bda20e71c9361fa275549090501d0cf34bd0ff64eb5335e5497521b68ad13cad13fb33d7508

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uxJsnIf.exe

Filesize
853KB

MD5
0e586aabf22430c69d6b8b5d0820a0c8

SHA1
e92fa8f6f41616e7127f1e78b4914a1a996d54bd

SHA256
49a6bf7435e7362aa39b34d87a53b471c1f9eab6bada82745a06edc86b4cd92c

SHA512
5cb6630021c54ec8b0bbb3820e6367b930f513ac295590bf7690062cb7fd31304371ef638c45c5fcfe9c9a0f217686257e7d6239956fc1344aa8564ef3f3311b

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uxJsnIf.exe

Filesize
1.5MB

MD5
339a4e10299889b39777708a38651e4d

SHA1
cdedac76c2ec9c169272a840cbcb18ba2f315498

SHA256
75a1d559420c3389ec78b8571449e7f0a11631f2da64d1238e0086760fd375ff

SHA512
f8a6ca7df401c95348ea2201acaddf9ed6538f2af3cbfe036482ebabcd077454b4b428bf2ca1bb74891b40dd0c5b0fffa990ebfd3d097d2dba444662c5f497d4

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uxJsnIf.exe

Filesize
997KB

MD5
4e103cd620f26f7596c6509a6a362fd5

SHA1
91c7ccc180f786cbcd131ac47af23733af6022f0

SHA256
f5dd244a368150069c846e171250fc3c75768c68c07fd64a45ba72434c1ec90e

SHA512
7eac6a6ec14ab145d179289778d4a55fafbea755b61f76f50e4868c54fd804309569e3df36a2657031e5c5862aa9cc62f2da84691e548bbfbe34330eb4d2480e

Download Submit
memory/2056-90-0x00000000013E0000-0x000000000147E000-memory.dmp

Filesize
632KB

Download
memory/2056-92-0x00000000013E0000-0x000000000147E000-memory.dmp

Filesize
632KB

Download
memory/2056-89-0x00000000013E0000-0x000000000147E000-memory.dmp

Filesize
632KB

Download
memory/2056-27-0x0000000000780000-0x00000000013D2000-memory.dmp

Filesize
12.3MB

Download
memory/2056-87-0x0000000077280000-0x0000000077281000-memory.dmp

Filesize
4KB

Download
memory/2056-85-0x0000000077280000-0x0000000077281000-memory.dmp

Filesize
4KB

Download
memory/2056-91-0x0000000077260000-0x00000000773E0000-memory.dmp

Filesize
1.5MB

Download
memory/2056-88-0x0000000077280000-0x0000000077281000-memory.dmp

Filesize
4KB

Download
memory/2056-86-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2056-93-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/2056-37-0x00000000013E0000-0x000000000147E000-memory.dmp

Filesize
632KB

Download
memory/2056-35-0x0000000077260000-0x00000000773E0000-memory.dmp

Filesize
1.5MB

Download
memory/2056-30-0x0000000000280000-0x0000000000319000-memory.dmp

Filesize
612KB

Download
memory/2056-29-0x0000000000280000-0x0000000000319000-memory.dmp

Filesize
612KB

Download
memory/2644-16-0x0000000005410000-0x000000000580E000-memory.dmp

Filesize
4.0MB

Download
memory/2644-20-0x0000000000970000-0x0000000000A0E000-memory.dmp

Filesize
632KB

Download
memory/2644-1-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2644-3-0x0000000000970000-0x0000000000A0E000-memory.dmp

Filesize
632KB

Download
memory/2644-8-0x0000000005410000-0x000000000580E000-memory.dmp

Filesize
4.0MB

Download
memory/2644-17-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2668-18-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2668-19-0x00000000020F0000-0x00000000024EE000-memory.dmp

Filesize
4.0MB

Download
memory/2760-23-0x0000000000320000-0x00000000003BE000-memory.dmp

Filesize
632KB

Download
memory/2760-24-0x0000000077280000-0x0000000077281000-memory.dmp

Filesize
4KB

Download
memory/2760-26-0x0000000077280000-0x0000000077281000-memory.dmp

Filesize
4KB

Download
memory/2760-32-0x0000000000320000-0x00000000003BE000-memory.dmp

Filesize
632KB

Download
memory/2760-31-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2760-25-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/2944-0-0x0000000000400000-0x00000000007FE000-memory.dmp

Filesize
4.0MB

Download
memory/2944-2-0x0000000002060000-0x000000000245E000-memory.dmp

Filesize
4.0MB

Download

Analysis

Sharing