c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138

General

Target

c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exe
Size

476KB
MD5

9075c89769ea746773b3ae9db06d47d9
SHA1

3d0d989a44e89f44071487a179762cac54708b88
SHA256

c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138
SHA512

2db55d4b971bbc6180e5ca9ce2ffa2f88fb7aeba3c3cdd1973b4072b562e15e8e53417633b7dab7abd7cac3c0a2a3e140ea502c51a899f2be82c913601e0a4cd
SSDEEP

3072:Jin8r+coP2W0XgEU5IuY2R8FD8edLhb9x4CuSqhAp08FkGRnNrdf45AjqKnoem:23P0KPsvKhAp081nNVjqKoe

Score

9^/10

persistence upx

Malware Config

Signatures

UPX dump on OEP (original entry point) 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/11224-26759-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral1/memory/11224-26758-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral1/memory/11224-26757-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral1/memory/11224-26754-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral1/memory/11224-26801-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral1/memory/11224-53540-0x0000000000400000-0x000000000040B000-memory.dmp	UPX

Executes dropped EXE 2 IoCs

Processes:

JREUPD7.exeJREUPD7.exe

pid process

11412 JREUPD7.exe
29868 JREUPD7.exe

pid	process
11412	JREUPD7.exe
29868	JREUPD7.exe

Loads dropped DLL 5 IoCs

Processes:

c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exe

pid	process
11224	c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exe
11224	c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exe
11224	c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exe
11224	c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exe
11224	c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/11224-26759-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/11224-26758-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/11224-26757-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/11224-26754-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/11224-26752-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/11224-26801-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/11224-53540-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\JREsp7 = "C:\\Users\\Admin\\AppData\\Roaming\\SunJavaJREupdate7\\JREUPD7.exe"	reg.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exeJREUPD7.exe

description	pid	process	target process
PID 2320 set thread context of 11224	2320	c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exe	c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exe
PID 11412 set thread context of 29868	11412	JREUPD7.exe	JREUPD7.exe
PID 11412 set thread context of 29932	11412	JREUPD7.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

JREUPD7.exe

description pid process

Token: SeDebugPrivilege 29868 JREUPD7.exe
Token: SeDebugPrivilege 29868 JREUPD7.exe

description	pid	process
Token: SeDebugPrivilege	29868	JREUPD7.exe
Token: SeDebugPrivilege	29868	JREUPD7.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exec5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exeJREUPD7.exeJREUPD7.exe

pid	process
2320	c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exe
11224	c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exe
11412	JREUPD7.exe
29868	JREUPD7.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exec5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.execmd.exeJREUPD7.exe

description	pid	process	target process
PID 2320 wrote to memory of 11224	2320	c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exe	c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exe
PID 2320 wrote to memory of 11224	2320	c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exe	c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exe
PID 2320 wrote to memory of 11224	2320	c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exe	c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exe
PID 2320 wrote to memory of 11224	2320	c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exe	c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exe
PID 2320 wrote to memory of 11224	2320	c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exe	c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exe
PID 2320 wrote to memory of 11224	2320	c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exe	c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exe
PID 2320 wrote to memory of 11224	2320	c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exe	c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exe
PID 2320 wrote to memory of 11224	2320	c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exe	c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exe
PID 11224 wrote to memory of 11328	11224	c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exe	cmd.exe
PID 11224 wrote to memory of 11328	11224	c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exe	cmd.exe
PID 11224 wrote to memory of 11328	11224	c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exe	cmd.exe
PID 11224 wrote to memory of 11328	11224	c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exe	cmd.exe
PID 11328 wrote to memory of 11384	11328	cmd.exe	reg.exe
PID 11328 wrote to memory of 11384	11328	cmd.exe	reg.exe
PID 11328 wrote to memory of 11384	11328	cmd.exe	reg.exe
PID 11328 wrote to memory of 11384	11328	cmd.exe	reg.exe
PID 11224 wrote to memory of 11412	11224	c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exe	JREUPD7.exe
PID 11224 wrote to memory of 11412	11224	c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exe	JREUPD7.exe
PID 11224 wrote to memory of 11412	11224	c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exe	JREUPD7.exe
PID 11224 wrote to memory of 11412	11224	c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exe	JREUPD7.exe
PID 11412 wrote to memory of 29868	11412	JREUPD7.exe	JREUPD7.exe
PID 11412 wrote to memory of 29868	11412	JREUPD7.exe	JREUPD7.exe
PID 11412 wrote to memory of 29868	11412	JREUPD7.exe	JREUPD7.exe
PID 11412 wrote to memory of 29868	11412	JREUPD7.exe	JREUPD7.exe
PID 11412 wrote to memory of 29868	11412	JREUPD7.exe	JREUPD7.exe
PID 11412 wrote to memory of 29868	11412	JREUPD7.exe	JREUPD7.exe
PID 11412 wrote to memory of 29868	11412	JREUPD7.exe	JREUPD7.exe
PID 11412 wrote to memory of 29868	11412	JREUPD7.exe	JREUPD7.exe
PID 11412 wrote to memory of 29932	11412	JREUPD7.exe	svchost.exe
PID 11412 wrote to memory of 29932	11412	JREUPD7.exe	svchost.exe
PID 11412 wrote to memory of 29932	11412	JREUPD7.exe	svchost.exe
PID 11412 wrote to memory of 29932	11412	JREUPD7.exe	svchost.exe
PID 11412 wrote to memory of 29932	11412	JREUPD7.exe	svchost.exe
PID 11412 wrote to memory of 29932	11412	JREUPD7.exe	svchost.exe
PID 11412 wrote to memory of 29932	11412	JREUPD7.exe	svchost.exe
PID 11412 wrote to memory of 29932	11412	JREUPD7.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exe
"C:\Users\Admin\AppData\Local\Temp\c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2320

C:\Users\Admin\AppData\Local\Temp\c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exe
"C:\Users\Admin\AppData\Local\Temp\c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:11224

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\GMYLT.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:11328

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JREsp7" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SunJavaJREupdate7\JREUPD7.exe" /f
4⤵
- Adds Run key to start application
PID:11384

C:\Users\Admin\AppData\Roaming\SunJavaJREupdate7\JREUPD7.exe
"C:\Users\Admin\AppData\Roaming\SunJavaJREupdate7\JREUPD7.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:11412

C:\Users\Admin\AppData\Roaming\SunJavaJREupdate7\JREUPD7.exe
"C:\Users\Admin\AppData\Roaming\SunJavaJREupdate7\JREUPD7.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:29868

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\system32\svchost.exe"
4⤵
PID:29932

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GMYLT.bat
Filesize
153B

MD5
a5ab6d6b7f03c59f02ebde6e2834fe42

SHA1
567e8e08dcb41c365116e5806676d89e2b9f522a

SHA256
2dfac769e0e863a3f534444566bbc908edb7fed1981feed55a8f402cc7a3e506

SHA512
271f94ed4f69eb40012e26aae164a0332bc3695d08f119e82096a4a14e15631e8a6ee7c8095d047ba5e2ae03e364c010b873a5f3191ab88a835ae2227ddc30bd

Download Submit
\Users\Admin\AppData\Roaming\SunJavaJREupdate7\JREUPD7.exe
Filesize
476KB

MD5
8dc118351ff2d6d6904eb4154672c4b1

SHA1
4e82e649fc5c4bed902e6f140c3f8ff2283ffb91

SHA256
32d60b346d1108fdc2cb7227e91fed2eb7e58cb5eace936b122735e169754b4d

SHA512
bee4cea351037230db1385ea54e4162f831c74fb6648a4ca39cd6c4e9178b2c5d93836d5593e2f91790d9581c733d3cbb22f9cc9e2fd7f060e23341851609b77

Download Submit
memory/2320-2-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/2320-100-0x00000000026C0000-0x00000000026C1000-memory.dmp

Filesize
4KB

Download
memory/2320-99-0x0000000002660000-0x0000000002661000-memory.dmp

Filesize
4KB

Download
memory/2320-101-0x0000000002660000-0x0000000002661000-memory.dmp

Filesize
4KB

Download
memory/11224-26757-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/11224-26756-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/11224-26754-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/11224-26752-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/11224-26750-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/11224-26758-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/11224-26759-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/11224-26801-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/11224-53540-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads