Analysis

max time kernel: 150s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/03/2024, 13:00
Static task: static1

Behavioral task: behavioral1
  Sample: d62d8635dc16c516f51561c5a2d533f9.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: d62d8635dc16c516f51561c5a2d533f9.exe
  Resource: win10v2004-20240226-en
General

Target: d62d8635dc16c516f51561c5a2d533f9.exe
Size: 48KB
MD5: d62d8635dc16c516f51561c5a2d533f9
SHA1: ad536823ee9ecb7c121d6782fe11fe6b42925374
SHA256: a0081fb0791d0535db30af5e892918390c12cf0cad0b33276ea952878d31829e
SHA512: f11adb6c64f73fe1965f02689d09793c32b9d0ddb80ec3d9a69aa92f80cf26ef8a05b459a58bf9e0c50475e70d1dd130b63434a061bfdcbb10cd2752823fc359
SSDEEP: 768:6buDiv3N+KjGgZCH6yku7oGeZsQT6rd/tjtP19DWsWqFUUEhJJMXLSi2uJ2uh:hiPMIGIdtCo0Ftpt3yZzJJoLS0
Malware Config
Signatures

- Executes dropped EXE (1 IoCs)
  pid   Process
  4768  juupdate.exe

- Drops file in System32 directory (2 IoCs)
  description   ioc                                Process
  File created  C:\Windows\SysWOW64\taoy.i         d62d8635dc16c516f51561c5a2d533f9.exe
  File created  C:\Windows\SysWOW64\taoy.icO       d62d8635dc16c516f51561c5a2d533f9.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Modifies registry class (2 IoCs)
  description      ioc                                                   Process
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\.kvh               d62d8635dc16c516f51561c5a2d533f9.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.kvh\ = "JSEFile"  d62d8635dc16c516f51561c5a2d533f9.exe

- Suspicious use of WriteProcessMemory (3 IoCs)
  description                      pid  Process                               procid_target
  PID 232 wrote to memory of 4768  232  d62d8635dc16c516f51561c5a2d533f9.exe  91
  PID 232 wrote to memory of 4768  232  d62d8635dc16c516f51561c5a2d533f9.exe  91
  PID 232 wrote to memory of 4768  232  d62d8635dc16c516f51561c5a2d533f9.exe  91
Processes

- C:\Users\Admin\AppData\Local\Temp\d62d8635dc16c516f51561c5a2d533f9.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d62d8635dc16c516f51561c5a2d533f9.exe"
  PID: 232
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  - C:\Users\Admin\AppData\Local\Temp\juupdate.exe (child of PID 232)
    Command line: "C:\Users\Admin\AppData\Local\Temp\juupdate.exe" "C:\Users\Admin\AppData\Local\Temp\master.kvh"
    PID: 4768
    - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 144KB
  MD5: ff00e0480075b095948000bdc66e81f0
  SHA1: c2326cc50a739d3bc512bb65a24d42f1cde745c9
  SHA256: 8c767077bb410f95b1db237b31f4f6e1512c78c1f0120de3f215b501f6d1c7ea
  SHA512: 3a38e62dcb925411bc037335e46dfdd895c12a52ac43c47ef38db42d41d8358dfc2b1081a361367911d60ec5a3350ca734cf70ad57b21d39b23cfdec35b0aced

- Filesize: 9KB
  MD5: e710026dda5d338a696475ccdad2eef1
  SHA1: 79985f4bc32adab9d1133846ac50445ff9e2c5da
  SHA256: 2adb4fdd59322c08222c6c73b6ae69dd22390b30d3ba50f869bf939e560c72f9
  SHA512: e4f6c2acff673f6c0ca8d193000fe37cd000f9f2ebd7f480220d5c93629cbf1e2129fe73ffac47b2a6cc52132ced3650fece0937e086ca9f3ffb331b5d8e4490

- Filesize: 12KB
  MD5: c73de7f78a8746668d005fd41cf91aab
  SHA1: 917075a7e2ab88a0ca7240229457fbfe4faa41e1
  SHA256: 6a6e21b03acf3762e18891a1cdd96907aec74c4a6049ab3265c2c7aa57163263
  SHA512: a7a787ee68cad08677180d5f683c89d42bceba25b30096b7797f427fac06c83425e0378fdf49e5f18cc9c47e8102c1a2c6f04567bbce1748c344b113eadb01ff