275858824cd80e8d3e7b35204eb63dee71cbc0cc9103d130c630373bbf332917

Analysis

max time kernel
149s
max time network
129s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20/04/2024, 20:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

275858824cd80e8d3e7b35204eb63dee71cbc0cc9103d130c630373bbf332917.exe
Size

156KB
MD5

a7789f6ab2e04587ccc913b99c863c98
SHA1

b0a6c6534b10361bdbe74a63fc366d9784661e4d
SHA256

275858824cd80e8d3e7b35204eb63dee71cbc0cc9103d130c630373bbf332917
SHA512

fd22b26f09a37f06a2da1c9f36ee4e2a7b24821c1499b30feb87c3f775f33f5a364808340e543b96aebec28c850133e6acbb62f882242fd2bf03f8e3dbaa38b4
SSDEEP

3072:7ACcTATe0pBI1xkaGU0vBpT8k/QvbawuxtUYqBd5hAmamQAMHfhRvuWxx0h4oQZa:79c4e0pBI1xkaH0vBpT8kltDr8L5DMHU

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	275858824cd80e8d3e7b35204eb63dee71cbc0cc9103d130c630373bbf332917.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	jaeuk.exe

Executes dropped EXE 1 IoCs

pid	Process
2096	jaeuk.exe

Loads dropped DLL 2 IoCs

pid	Process
2420	275858824cd80e8d3e7b35204eb63dee71cbc0cc9103d130c630373bbf332917.exe
2420	275858824cd80e8d3e7b35204eb63dee71cbc0cc9103d130c630373bbf332917.exe

Adds Run key to start application 2 TTPs 49 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaeuk = "C:\\Users\\Admin\\jaeuk.exe /O"	jaeuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaeuk = "C:\\Users\\Admin\\jaeuk.exe /M"	jaeuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaeuk = "C:\\Users\\Admin\\jaeuk.exe /H"	jaeuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaeuk = "C:\\Users\\Admin\\jaeuk.exe /h"	jaeuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaeuk = "C:\\Users\\Admin\\jaeuk.exe /k"	jaeuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaeuk = "C:\\Users\\Admin\\jaeuk.exe /U"	jaeuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaeuk = "C:\\Users\\Admin\\jaeuk.exe /P"	jaeuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaeuk = "C:\\Users\\Admin\\jaeuk.exe /b"	jaeuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaeuk = "C:\\Users\\Admin\\jaeuk.exe /K"	jaeuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaeuk = "C:\\Users\\Admin\\jaeuk.exe /e"	jaeuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaeuk = "C:\\Users\\Admin\\jaeuk.exe /u"	jaeuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaeuk = "C:\\Users\\Admin\\jaeuk.exe /A"	275858824cd80e8d3e7b35204eb63dee71cbc0cc9103d130c630373bbf332917.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaeuk = "C:\\Users\\Admin\\jaeuk.exe /E"	jaeuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaeuk = "C:\\Users\\Admin\\jaeuk.exe /o"	jaeuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaeuk = "C:\\Users\\Admin\\jaeuk.exe /m"	jaeuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaeuk = "C:\\Users\\Admin\\jaeuk.exe /w"	jaeuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaeuk = "C:\\Users\\Admin\\jaeuk.exe /S"	jaeuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaeuk = "C:\\Users\\Admin\\jaeuk.exe /D"	jaeuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaeuk = "C:\\Users\\Admin\\jaeuk.exe /F"	jaeuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaeuk = "C:\\Users\\Admin\\jaeuk.exe /W"	jaeuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaeuk = "C:\\Users\\Admin\\jaeuk.exe /T"	jaeuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaeuk = "C:\\Users\\Admin\\jaeuk.exe /d"	jaeuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaeuk = "C:\\Users\\Admin\\jaeuk.exe /f"	jaeuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaeuk = "C:\\Users\\Admin\\jaeuk.exe /c"	jaeuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaeuk = "C:\\Users\\Admin\\jaeuk.exe /l"	jaeuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaeuk = "C:\\Users\\Admin\\jaeuk.exe /A"	jaeuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaeuk = "C:\\Users\\Admin\\jaeuk.exe /G"	jaeuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaeuk = "C:\\Users\\Admin\\jaeuk.exe /L"	jaeuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaeuk = "C:\\Users\\Admin\\jaeuk.exe /n"	jaeuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaeuk = "C:\\Users\\Admin\\jaeuk.exe /x"	jaeuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaeuk = "C:\\Users\\Admin\\jaeuk.exe /v"	jaeuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaeuk = "C:\\Users\\Admin\\jaeuk.exe /J"	jaeuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaeuk = "C:\\Users\\Admin\\jaeuk.exe /q"	jaeuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaeuk = "C:\\Users\\Admin\\jaeuk.exe /N"	jaeuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaeuk = "C:\\Users\\Admin\\jaeuk.exe /s"	jaeuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaeuk = "C:\\Users\\Admin\\jaeuk.exe /V"	jaeuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaeuk = "C:\\Users\\Admin\\jaeuk.exe /t"	jaeuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaeuk = "C:\\Users\\Admin\\jaeuk.exe /y"	jaeuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaeuk = "C:\\Users\\Admin\\jaeuk.exe /C"	jaeuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaeuk = "C:\\Users\\Admin\\jaeuk.exe /i"	jaeuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaeuk = "C:\\Users\\Admin\\jaeuk.exe /I"	jaeuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaeuk = "C:\\Users\\Admin\\jaeuk.exe /X"	jaeuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaeuk = "C:\\Users\\Admin\\jaeuk.exe /g"	jaeuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaeuk = "C:\\Users\\Admin\\jaeuk.exe /B"	jaeuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaeuk = "C:\\Users\\Admin\\jaeuk.exe /j"	jaeuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaeuk = "C:\\Users\\Admin\\jaeuk.exe /a"	jaeuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaeuk = "C:\\Users\\Admin\\jaeuk.exe /p"	jaeuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaeuk = "C:\\Users\\Admin\\jaeuk.exe /Y"	jaeuk.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\jaeuk = "C:\\Users\\Admin\\jaeuk.exe /Q"	jaeuk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2420	275858824cd80e8d3e7b35204eb63dee71cbc0cc9103d130c630373bbf332917.exe
2096	jaeuk.exe
2096	jaeuk.exe
2096	jaeuk.exe
2096	jaeuk.exe
2096	jaeuk.exe
2096	jaeuk.exe
2096	jaeuk.exe
2096	jaeuk.exe
2096	jaeuk.exe
2096	jaeuk.exe
2096	jaeuk.exe
2096	jaeuk.exe
2096	jaeuk.exe
2096	jaeuk.exe
2096	jaeuk.exe
2096	jaeuk.exe
2096	jaeuk.exe
2096	jaeuk.exe
2096	jaeuk.exe
2096	jaeuk.exe
2096	jaeuk.exe
2096	jaeuk.exe
2096	jaeuk.exe
2096	jaeuk.exe
2096	jaeuk.exe
2096	jaeuk.exe
2096	jaeuk.exe
2096	jaeuk.exe
2096	jaeuk.exe
2096	jaeuk.exe
2096	jaeuk.exe
2096	jaeuk.exe
2096	jaeuk.exe
2096	jaeuk.exe
2096	jaeuk.exe
2096	jaeuk.exe
2096	jaeuk.exe
2096	jaeuk.exe
2096	jaeuk.exe
2096	jaeuk.exe
2096	jaeuk.exe
2096	jaeuk.exe
2096	jaeuk.exe
2096	jaeuk.exe
2096	jaeuk.exe
2096	jaeuk.exe
2096	jaeuk.exe
2096	jaeuk.exe
2096	jaeuk.exe
2096	jaeuk.exe
2096	jaeuk.exe
2096	jaeuk.exe
2096	jaeuk.exe
2096	jaeuk.exe
2096	jaeuk.exe
2096	jaeuk.exe
2096	jaeuk.exe
2096	jaeuk.exe
2096	jaeuk.exe
2096	jaeuk.exe
2096	jaeuk.exe
2096	jaeuk.exe
2096	jaeuk.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2420	275858824cd80e8d3e7b35204eb63dee71cbc0cc9103d130c630373bbf332917.exe
2096	jaeuk.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 2096	2420	275858824cd80e8d3e7b35204eb63dee71cbc0cc9103d130c630373bbf332917.exe	28
PID 2420 wrote to memory of 2096	2420	275858824cd80e8d3e7b35204eb63dee71cbc0cc9103d130c630373bbf332917.exe	28
PID 2420 wrote to memory of 2096	2420	275858824cd80e8d3e7b35204eb63dee71cbc0cc9103d130c630373bbf332917.exe	28
PID 2420 wrote to memory of 2096	2420	275858824cd80e8d3e7b35204eb63dee71cbc0cc9103d130c630373bbf332917.exe	28

C:\Users\Admin\AppData\Local\Temp\275858824cd80e8d3e7b35204eb63dee71cbc0cc9103d130c630373bbf332917.exe
"C:\Users\Admin\AppData\Local\Temp\275858824cd80e8d3e7b35204eb63dee71cbc0cc9103d130c630373bbf332917.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Users\Admin\jaeuk.exe
  "C:\Users\Admin\jaeuk.exe"
  2⤵
  - Modifies visiblity of hidden/system files in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\jaeuk.exe

Filesize
156KB

MD5
da41b4966ef4c03cc6a397de933186f6

SHA1
7a37098198f0618ded9fcb3511d9438bed283efe

SHA256
c8016c7b7ab16d1114829bd3b8795dddd47add787f02eb88f8d43bf0aa794521

SHA512
d736d140a56bcfd19bb049a024cc461ea8c8027b23ed3b864a9ec5e8a1cf3cd05dde959d7414a3a7d31b627dce7f8b71bd95a9a46575c59782383f31a3d7cff1

Download Submit