6e30c75a6182b710c3e656b112fb7941c9856612310fc5a90f7505a0768a426b

General

Target

Trainer_JoU4uh4CUd.exe
Size

7.9MB
MD5

624b884e8a23afe3a79a0e432e1335b7
SHA1

1b21d61b6c431720d568a07398e9a376106a2171
SHA256

6e30c75a6182b710c3e656b112fb7941c9856612310fc5a90f7505a0768a426b
SHA512

caef4002424f87a36e603582bc73e50ceeedf43bc615ec9ff6515059fec1ee342a179814869c9304c43e512c48f549b3b3325c453abac7beba5a01ff672d4cfb
SSDEEP

98304:/QVzXhUDWBZ5sxAdqiCkI3QLvX7NwXbZmZFBCPue1CJ/W4NuKaKKwlMCjO1bcOFE:kQWDGxRWPN9CGeQJt3KwjjO1/tNud

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2740	Trainer_JoU4uh4CUd.tmp
408	jseditboxcontrol.exe

Loads dropped DLL 3 IoCs

pid	Process
2740	Trainer_JoU4uh4CUd.tmp
2740	Trainer_JoU4uh4CUd.tmp
2740	Trainer_JoU4uh4CUd.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Program crash 12 IoCs

pid	pid_target	Process	procid_target
4540	408	WerFault.exe	76
3996	408	WerFault.exe	76
4576	408	WerFault.exe	76
4776	408	WerFault.exe	76
3468	408	WerFault.exe	76
4488	408	WerFault.exe	76
4464	408	WerFault.exe	76
5004	408	WerFault.exe	76
4644	408	WerFault.exe	76
4328	408	WerFault.exe	76
96	408	WerFault.exe	76
3884	408	WerFault.exe	76

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2740	Trainer_JoU4uh4CUd.tmp
2740	Trainer_JoU4uh4CUd.tmp
408	jseditboxcontrol.exe
408	jseditboxcontrol.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2740	Trainer_JoU4uh4CUd.tmp

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4600 wrote to memory of 2740	4600	Trainer_JoU4uh4CUd.exe	72
PID 4600 wrote to memory of 2740	4600	Trainer_JoU4uh4CUd.exe	72
PID 4600 wrote to memory of 2740	4600	Trainer_JoU4uh4CUd.exe	72
PID 2740 wrote to memory of 932	2740	Trainer_JoU4uh4CUd.tmp	73
PID 2740 wrote to memory of 932	2740	Trainer_JoU4uh4CUd.tmp	73
PID 2740 wrote to memory of 932	2740	Trainer_JoU4uh4CUd.tmp	73
PID 2740 wrote to memory of 4024	2740	Trainer_JoU4uh4CUd.tmp	74
PID 2740 wrote to memory of 4024	2740	Trainer_JoU4uh4CUd.tmp	74
PID 2740 wrote to memory of 4024	2740	Trainer_JoU4uh4CUd.tmp	74
PID 2740 wrote to memory of 408	2740	Trainer_JoU4uh4CUd.tmp	76
PID 2740 wrote to memory of 408	2740	Trainer_JoU4uh4CUd.tmp	76
PID 2740 wrote to memory of 408	2740	Trainer_JoU4uh4CUd.tmp	76

C:\Users\Admin\AppData\Local\Temp\Trainer_JoU4uh4CUd.exe
"C:\Users\Admin\AppData\Local\Temp\Trainer_JoU4uh4CUd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4600
- C:\Users\Admin\AppData\Local\Temp\is-9NIOP.tmp\Trainer_JoU4uh4CUd.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-9NIOP.tmp\Trainer_JoU4uh4CUd.tmp" /SL5="$50234,8054080,54272,C:\Users\Admin\AppData\Local\Temp\Trainer_JoU4uh4CUd.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /Query
    3⤵
    PID:932
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\atl.dll"
    3⤵
    PID:4024
- - C:\Users\Admin\AppData\Local\JS Edit Box Control\jseditboxcontrol.exe
    "C:\Users\Admin\AppData\Local\JS Edit Box Control\jseditboxcontrol.exe" e3d601d77ff0aa6bec2709c7669adcf0
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:408
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 852
      4⤵
      Program crash
      PID:4540
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 828
      4⤵
      Program crash
      PID:3996
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 896
      4⤵
      Program crash
      PID:4576
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 1000
      4⤵
      Program crash
      PID:4776
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 1036
      4⤵
      Program crash
      PID:3468
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 1080
      4⤵
      Program crash
      PID:4488
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 1124
      4⤵
      Program crash
      PID:4464
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 1108
      4⤵
      Program crash
      PID:5004
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 1148
      4⤵
      Program crash
      PID:4644
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 1212
      4⤵
      Program crash
      PID:4328
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 1160
      4⤵
      Program crash
      PID:96
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 408 -s 1176
      4⤵
      Program crash
      PID:3884

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\JS Edit Box Control\jseditboxcontrol.exe

Filesize
4.2MB

MD5
98a2d4864b9e69974e9f0745d62d9e2a

SHA1
948cd6bc6fda1ce3381a77c55a9925576a8a0a8e

SHA256
0c7432fb6075af761a0e1c3ce123e4486cafd5bef0915bf78ce10649b4fb0e37

SHA512
c15e5297cfaead1caa5fcad818e9c13d6e4a3b2287a29848dd606f30171facee8281a84cda2913d2592b935e923a1df0f4aec127b18f59010ae6c925f50a52d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9NIOP.tmp\Trainer_JoU4uh4CUd.tmp

Filesize
687KB

MD5
b7eae8fc15fa2065beed9a656ee73669

SHA1
eaf258c23bca86a0a4c8e12db4581b7fa65795e7

SHA256
3a03e165d1f7a6bce12a2647d8a7e49acd6f6be7e19c36bdfbd8a0a687445a92

SHA512
0a96a994febc284d7d2869d148d7ac57620e928f8d2683d41d3d90302e7da3baabb3da40f54c36900ba59bc8c2733910610016f09acc6280189ea7558bcabfda

Download Submit
\Users\Admin\AppData\Local\Temp\is-4OR7J.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-4OR7J.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
memory/408-69-0x0000000000400000-0x0000000000CA2000-memory.dmp

Filesize
8.6MB

Download
memory/408-80-0x0000000003990000-0x0000000003991000-memory.dmp

Filesize
4KB

Download
memory/408-128-0x0000000000400000-0x0000000000CA2000-memory.dmp

Filesize
8.6MB

Download
memory/408-68-0x0000000000400000-0x0000000000CA2000-memory.dmp

Filesize
8.6MB

Download
memory/408-70-0x0000000000400000-0x0000000000CA2000-memory.dmp

Filesize
8.6MB

Download
memory/408-71-0x0000000003990000-0x0000000003991000-memory.dmp

Filesize
4KB

Download
memory/408-125-0x0000000000400000-0x0000000000CA2000-memory.dmp

Filesize
8.6MB

Download
memory/408-74-0x0000000000400000-0x0000000000CA2000-memory.dmp

Filesize
8.6MB

Download
memory/408-78-0x0000000000400000-0x0000000000CA2000-memory.dmp

Filesize
8.6MB

Download
memory/2740-7-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2740-73-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2740-75-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/4600-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4600-72-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4600-2-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download

Resubmissions

Analysis

Sharing