4cbf0651677cdf350059dd6bb2b494a4c3217fa232d908baf478b4e2068f1568

General

Target

806536fe523674c786794af5fceb76f9.exe
Size

49KB
MD5

806536fe523674c786794af5fceb76f9
SHA1

7a2bc0245849d1d6f39ce6ef598757b0bb9c88b1
SHA256

4cbf0651677cdf350059dd6bb2b494a4c3217fa232d908baf478b4e2068f1568
SHA512

045167cfd514e603030d4d2f6276440a10e89f703f1b3553a847c61ef4ff31e3503b8b0a375b7a33fb8c68e025f5b5f877d00575c252f98865fdb35d4ea1916e
SSDEEP

1536:CALHe5uJVM5Nq6XU4wptdHwMJgfEeXlCWituaR:zLKm6XURdQMJg5XlCWqR

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1136	jahjah09.exe

Executes dropped EXE 2 IoCs

pid	Process
1136	jahjah09.exe
2436	jahjah09.exe

Loads dropped DLL 5 IoCs

pid	Process
2480	806536fe523674c786794af5fceb76f9.exe
2480	806536fe523674c786794af5fceb76f9.exe
1136	jahjah09.exe
2436	jahjah09.exe
2436	jahjah09.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2480-8-0x0000000000400000-0x0000000000620000-memory.dmp	upx
behavioral1/memory/2480-16-0x0000000000400000-0x0000000000620000-memory.dmp	upx

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\mgt09016.ocx	806536fe523674c786794af5fceb76f9.exe
File opened for modification	C:\Windows\SysWOW64\mgt99019.ocx	806536fe523674c786794af5fceb76f9.exe
File created	C:\Windows\SysWOW64\jahjah09.exe	806536fe523674c786794af5fceb76f9.exe
File opened for modification	C:\Windows\SysWOW64\jahjah09.exe	806536fe523674c786794af5fceb76f9.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\fonts\mgt09016.ttf	806536fe523674c786794af5fceb76f9.exe
File created	C:\Windows\fonts\mgt09016.ttf	806536fe523674c786794af5fceb76f9.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2480	806536fe523674c786794af5fceb76f9.exe
1136	jahjah09.exe
1136	jahjah09.exe
1136	jahjah09.exe
1136	jahjah09.exe
1136	jahjah09.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 1136	2480	806536fe523674c786794af5fceb76f9.exe	28
PID 2480 wrote to memory of 1136	2480	806536fe523674c786794af5fceb76f9.exe	28
PID 2480 wrote to memory of 1136	2480	806536fe523674c786794af5fceb76f9.exe	28
PID 2480 wrote to memory of 1136	2480	806536fe523674c786794af5fceb76f9.exe	28
PID 2480 wrote to memory of 2436	2480	806536fe523674c786794af5fceb76f9.exe	29
PID 2480 wrote to memory of 2436	2480	806536fe523674c786794af5fceb76f9.exe	29
PID 2480 wrote to memory of 2436	2480	806536fe523674c786794af5fceb76f9.exe	29
PID 2480 wrote to memory of 2436	2480	806536fe523674c786794af5fceb76f9.exe	29

C:\Users\Admin\AppData\Local\Temp\806536fe523674c786794af5fceb76f9.exe
"C:\Users\Admin\AppData\Local\Temp\806536fe523674c786794af5fceb76f9.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Windows\SysWOW64\jahjah09.exe
  C:\Windows\system32\jahjah09.exe C:\Windows\system32\mgt09016.ocx pfjaoidjglkajd C:\Users\Admin\AppData\Local\Temp\806536fe523674c786794af5fceb76f9.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:1136
- C:\Windows\SysWOW64\jahjah09.exe
  C:\Windows\system32\jahjah09.exe C:\Windows\system32\mgt99019.ocx pfjieaoidjglkajd
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2436

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\07cachefiletttppp0F76423E.rtr

Filesize
16KB

MD5
5462f70e72d2984e9b715cc92421ce60

SHA1
283f3536076deb265d229e1a8a4b1b15ba7dd30e

SHA256
fd45517e06f2a29502f6e1c7706f50e553494a3509f31438d81d811b7abc10c0

SHA512
2507cb5362f11b4978b3b935e635a981682ba52dbd3f9df642da436b8694e06ff8613e2e1a6e3ce8b985d05736fa6a05f6bcb516da3b222132373a0ab9005f79

Download Submit
C:\Windows\SysWOW64\mgt09016.ocx

Filesize
77KB

MD5
5e9873fe6ef538d09e6fbd9163de828b

SHA1
15c9e85c2462616362a1bb25a852ad294f205519

SHA256
c2455a18c36e65c5d36ec123bc65d71ab9daa14277d6c5d92e49984ab593b82f

SHA512
a23d18c87f4d5e86e1620771542fd16c76281be0c4dd377e2f6ab4e5916ccab23c6bf445c0a8b31448af21716be3fe5c5cc9306f09e404df2290cc9e95e2111e

Download Submit
C:\Windows\fonts\mgt09016.ttf

Filesize
412B

MD5
76f8a56f757566950de42677fdf75158

SHA1
145b8d4d211c01e39576758dfcd2a1fb8fd75cfb

SHA256
f47105e16e6f53575c2cb35c8ee917e4b01427f157ec34ad6ae01680daad4bff

SHA512
4a5d2ed22dbfd9f2a337fbce2d1396240d996e4af367d76514978b3bbf5d99c6b4174344b09a140dcc4c22d8ecb1f94627ccb7a6f3122abdc149c8dd2060ef82

Download Submit
\Windows\SysWOW64\jahjah09.exe

Filesize
43KB

MD5
51138beea3e2c21ec44d0932c71762a8

SHA1
8939cf35447b22dd2c6e6f443446acc1bf986d58

SHA256
5ad3c37e6f2b9db3ee8b5aeedc474645de90c66e3d95f8620c48102f1eba4124

SHA512
794f30fe452117ff2a26dc9d7086aaf82b639c2632ac2e381a81f5239caaec7c96922ba5d2d90bfd8d74f0a6cd4f79fbda63e14c6b779e5cf6834c13e4e45e7d

Download Submit
memory/1136-23-0x0000000010000000-0x000000001023F000-memory.dmp

Filesize
2.2MB

Download
memory/2436-30-0x0000000010000000-0x0000000010208000-memory.dmp

Filesize
2.0MB

Download
memory/2436-31-0x0000000001F10000-0x000000000214F000-memory.dmp

Filesize
2.2MB

Download
memory/2436-32-0x0000000010000000-0x0000000010208000-memory.dmp

Filesize
2.0MB

Download
memory/2480-8-0x0000000000400000-0x0000000000620000-memory.dmp

Filesize
2.1MB

Download
memory/2480-16-0x0000000000400000-0x0000000000620000-memory.dmp

Filesize
2.1MB

Download

Analysis

Sharing