c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138

General

Target

c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exe
Size

476KB
MD5

9075c89769ea746773b3ae9db06d47d9
SHA1

3d0d989a44e89f44071487a179762cac54708b88
SHA256

c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138
SHA512

2db55d4b971bbc6180e5ca9ce2ffa2f88fb7aeba3c3cdd1973b4072b562e15e8e53417633b7dab7abd7cac3c0a2a3e140ea502c51a899f2be82c913601e0a4cd
SSDEEP

3072:Jin8r+coP2W0XgEU5IuY2R8FD8edLhb9x4CuSqhAp08FkGRnNrdf45AjqKnoem:23P0KPsvKhAp081nNVjqKoe

Score

9^/10

persistence upx

Malware Config

Signatures

UPX dump on OEP (original entry point) 7 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3576-7-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral2/memory/3576-9-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral2/memory/3576-11-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral2/memory/3576-21-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral2/memory/3576-38-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral2/memory/3576-58-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral2/memory/732-60-0x0000000000400000-0x000000000040B000-memory.dmp	UPX

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exe

Executes dropped EXE 2 IoCs

Processes:

JREUPD7.exeJREUPD7.exe

pid process

4364 JREUPD7.exe
732 JREUPD7.exe

pid	process
4364	JREUPD7.exe
732	JREUPD7.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3576-7-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/3576-9-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/3576-11-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/3576-21-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/3576-38-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/3576-58-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/732-60-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JREsp7 = "C:\\Users\\Admin\\AppData\\Roaming\\SunJavaJREupdate7\\JREUPD7.exe"	reg.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exeJREUPD7.exe

description	pid	process	target process
PID 4908 set thread context of 3576	4908	c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exe	c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exe
PID 4364 set thread context of 732	4364	JREUPD7.exe	JREUPD7.exe
PID 4364 set thread context of 4984	4364	JREUPD7.exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

JREUPD7.exe

description	pid	process
Token: SeDebugPrivilege	732	JREUPD7.exe
Token: SeDebugPrivilege	732	JREUPD7.exe
Token: SeDebugPrivilege	732	JREUPD7.exe
Token: SeDebugPrivilege	732	JREUPD7.exe
Token: SeDebugPrivilege	732	JREUPD7.exe
Token: SeDebugPrivilege	732	JREUPD7.exe
Token: SeDebugPrivilege	732	JREUPD7.exe
Token: SeDebugPrivilege	732	JREUPD7.exe
Token: SeDebugPrivilege	732	JREUPD7.exe
Token: SeDebugPrivilege	732	JREUPD7.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exec5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exeJREUPD7.exeJREUPD7.exe

pid	process
4908	c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exe
3576	c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exe
4364	JREUPD7.exe
732	JREUPD7.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exec5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.execmd.exeJREUPD7.exe

description	pid	process	target process
PID 4908 wrote to memory of 3576	4908	c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exe	c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exe
PID 4908 wrote to memory of 3576	4908	c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exe	c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exe
PID 4908 wrote to memory of 3576	4908	c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exe	c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exe
PID 4908 wrote to memory of 3576	4908	c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exe	c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exe
PID 4908 wrote to memory of 3576	4908	c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exe	c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exe
PID 4908 wrote to memory of 3576	4908	c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exe	c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exe
PID 4908 wrote to memory of 3576	4908	c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exe	c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exe
PID 4908 wrote to memory of 3576	4908	c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exe	c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exe
PID 3576 wrote to memory of 4464	3576	c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exe	cmd.exe
PID 3576 wrote to memory of 4464	3576	c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exe	cmd.exe
PID 3576 wrote to memory of 4464	3576	c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exe	cmd.exe
PID 4464 wrote to memory of 1084	4464	cmd.exe	reg.exe
PID 4464 wrote to memory of 1084	4464	cmd.exe	reg.exe
PID 4464 wrote to memory of 1084	4464	cmd.exe	reg.exe
PID 3576 wrote to memory of 4364	3576	c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exe	JREUPD7.exe
PID 3576 wrote to memory of 4364	3576	c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exe	JREUPD7.exe
PID 3576 wrote to memory of 4364	3576	c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exe	JREUPD7.exe
PID 4364 wrote to memory of 732	4364	JREUPD7.exe	JREUPD7.exe
PID 4364 wrote to memory of 732	4364	JREUPD7.exe	JREUPD7.exe
PID 4364 wrote to memory of 732	4364	JREUPD7.exe	JREUPD7.exe
PID 4364 wrote to memory of 732	4364	JREUPD7.exe	JREUPD7.exe
PID 4364 wrote to memory of 732	4364	JREUPD7.exe	JREUPD7.exe
PID 4364 wrote to memory of 732	4364	JREUPD7.exe	JREUPD7.exe
PID 4364 wrote to memory of 732	4364	JREUPD7.exe	JREUPD7.exe
PID 4364 wrote to memory of 732	4364	JREUPD7.exe	JREUPD7.exe
PID 4364 wrote to memory of 4984	4364	JREUPD7.exe	svchost.exe
PID 4364 wrote to memory of 4984	4364	JREUPD7.exe	svchost.exe
PID 4364 wrote to memory of 4984	4364	JREUPD7.exe	svchost.exe
PID 4364 wrote to memory of 4984	4364	JREUPD7.exe	svchost.exe
PID 4364 wrote to memory of 4984	4364	JREUPD7.exe	svchost.exe
PID 4364 wrote to memory of 4984	4364	JREUPD7.exe	svchost.exe
PID 4364 wrote to memory of 4984	4364	JREUPD7.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exe
"C:\Users\Admin\AppData\Local\Temp\c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4908

C:\Users\Admin\AppData\Local\Temp\c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exe
"C:\Users\Admin\AppData\Local\Temp\c5c2adc772d9d886de7207b7b3ea130f81a769764312924845aa0ea0de5cf138.exe"
2⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3576

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BOKIY.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:4464

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JREsp7" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SunJavaJREupdate7\JREUPD7.exe" /f
4⤵
- Adds Run key to start application
PID:1084

C:\Users\Admin\AppData\Roaming\SunJavaJREupdate7\JREUPD7.exe
"C:\Users\Admin\AppData\Roaming\SunJavaJREupdate7\JREUPD7.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4364

C:\Users\Admin\AppData\Roaming\SunJavaJREupdate7\JREUPD7.exe
"C:\Users\Admin\AppData\Roaming\SunJavaJREupdate7\JREUPD7.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:732

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\system32\svchost.exe"
4⤵
PID:4984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3808 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
1⤵
PID:1284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\BOKIY.txt

Filesize
153B

MD5
a5ab6d6b7f03c59f02ebde6e2834fe42

SHA1
567e8e08dcb41c365116e5806676d89e2b9f522a

SHA256
2dfac769e0e863a3f534444566bbc908edb7fed1981feed55a8f402cc7a3e506

SHA512
271f94ed4f69eb40012e26aae164a0332bc3695d08f119e82096a4a14e15631e8a6ee7c8095d047ba5e2ae03e364c010b873a5f3191ab88a835ae2227ddc30bd

Download Submit
C:\Users\Admin\AppData\Roaming\SunJavaJREupdate7\JREUPD7.exe

Filesize
476KB

MD5
b5e8f4fbee35fd21c3f93d853b70e3fb

SHA1
0e8b56d38587ba0d2e4a1e73fbcb8b0c01476a0c

SHA256
508abf032682a96961fe92154a2ba5e5dc1ba2adad7ee0500cfb8e0a34469f92

SHA512
7bb1b881a14b45fe9d6e912f748f16784c75e4deb0e75c39704ee18dcd31a4a60238c4d477db408b83679645dae395328e76843368205235c83e65ed2315e9f1

Download Submit
memory/732-60-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3576-21-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3576-58-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3576-38-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3576-7-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3576-9-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3576-11-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/4364-41-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/4364-47-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/4364-55-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/4908-6-0x0000000002C90000-0x0000000002C91000-memory.dmp

Filesize
4KB

Download
memory/4908-5-0x0000000002C80000-0x0000000002C81000-memory.dmp

Filesize
4KB

Download
memory/4908-3-0x0000000002C70000-0x0000000002C71000-memory.dmp

Filesize
4KB

Download
memory/4908-4-0x0000000002C10000-0x0000000002C11000-memory.dmp

Filesize
4KB

Download
memory/4908-2-0x0000000002C10000-0x0000000002C11000-memory.dmp

Filesize
4KB

Download
memory/4984-50-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/4984-54-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads