08eb80fefedc517ec37e3f6a10f859394283729516419a81c119d9393c5c3cf2

General

Target

08eb80fefedc517ec37e3f6a10f859394283729516419a81c119d9393c5c3cf2.exe
Size

336KB
MD5

d96339e43ff5ba6eece388ea5207dc1a
SHA1

50d4869e77c69f26baf059340ba118cabba62224
SHA256

08eb80fefedc517ec37e3f6a10f859394283729516419a81c119d9393c5c3cf2
SHA512

b47ab476dcd7694586a55fa48d4470d9b1173b05138b6249ccf5758de52fb82618b10dd3286a623cd4aeeb0920bff992169cb917c4af5e5a659b63988f70c2bf
SSDEEP

6144:d3naj96sWrnc/ZKBgwioSPrzq1UUiGjoSiA5bmd:9naM8EBVSPvqJiGjoSi86d

Score

9^/10

Malware Config

Signatures

UPX dump on OEP (original entry point) 9 IoCs

resource	yara_rule
behavioral1/memory/1752-0-0x0000000000400000-0x00000000005B3000-memory.dmp	UPX
behavioral1/files/0x002a000000015c0f-27.dat	UPX
behavioral1/memory/1752-42-0x0000000002F50000-0x0000000003103000-memory.dmp	UPX
behavioral1/memory/1752-46-0x0000000000400000-0x00000000005B3000-memory.dmp	UPX
behavioral1/memory/2696-53-0x0000000000400000-0x0000000000409000-memory.dmp	UPX
behavioral1/memory/2696-56-0x0000000000400000-0x0000000000409000-memory.dmp	UPX
behavioral1/memory/2696-57-0x0000000000400000-0x0000000000409000-memory.dmp	UPX
behavioral1/memory/2624-54-0x0000000000400000-0x00000000005B3000-memory.dmp	UPX
behavioral1/memory/2696-60-0x0000000000400000-0x0000000000409000-memory.dmp	UPX

Executes dropped EXE 2 IoCs

pid	Process
2624	jusched121.exe
2696	jusched121.exe

Loads dropped DLL 6 IoCs

pid	Process
1752	08eb80fefedc517ec37e3f6a10f859394283729516419a81c119d9393c5c3cf2.exe
1752	08eb80fefedc517ec37e3f6a10f859394283729516419a81c119d9393c5c3cf2.exe
1752	08eb80fefedc517ec37e3f6a10f859394283729516419a81c119d9393c5c3cf2.exe
1752	08eb80fefedc517ec37e3f6a10f859394283729516419a81c119d9393c5c3cf2.exe
1752	08eb80fefedc517ec37e3f6a10f859394283729516419a81c119d9393c5c3cf2.exe
2624	jusched121.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1752-0-0x0000000000400000-0x00000000005B3000-memory.dmp	upx
behavioral1/files/0x002a000000015c0f-27.dat	upx
behavioral1/memory/1752-42-0x0000000002F50000-0x0000000003103000-memory.dmp	upx
behavioral1/memory/1752-46-0x0000000000400000-0x00000000005B3000-memory.dmp	upx
behavioral1/memory/2696-53-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/2696-56-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/2696-57-0x0000000000400000-0x0000000000409000-memory.dmp	upx
behavioral1/memory/2624-54-0x0000000000400000-0x00000000005B3000-memory.dmp	upx
behavioral1/memory/2696-60-0x0000000000400000-0x0000000000409000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\849753894 = "C:\\Users\\Admin\\AppData\\Roaming\\jusched121.exe"	reg.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2624 set thread context of 0	2624	jusched121.exe
PID 2624 set thread context of 2696	2624	jusched121.exe	32

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2696	jusched121.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1752	08eb80fefedc517ec37e3f6a10f859394283729516419a81c119d9393c5c3cf2.exe
2624	jusched121.exe
2696	jusched121.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 3000	1752	08eb80fefedc517ec37e3f6a10f859394283729516419a81c119d9393c5c3cf2.exe	28
PID 1752 wrote to memory of 3000	1752	08eb80fefedc517ec37e3f6a10f859394283729516419a81c119d9393c5c3cf2.exe	28
PID 1752 wrote to memory of 3000	1752	08eb80fefedc517ec37e3f6a10f859394283729516419a81c119d9393c5c3cf2.exe	28
PID 1752 wrote to memory of 3000	1752	08eb80fefedc517ec37e3f6a10f859394283729516419a81c119d9393c5c3cf2.exe	28
PID 3000 wrote to memory of 2672	3000	cmd.exe	30
PID 3000 wrote to memory of 2672	3000	cmd.exe	30
PID 3000 wrote to memory of 2672	3000	cmd.exe	30
PID 3000 wrote to memory of 2672	3000	cmd.exe	30
PID 1752 wrote to memory of 2624	1752	08eb80fefedc517ec37e3f6a10f859394283729516419a81c119d9393c5c3cf2.exe	31
PID 1752 wrote to memory of 2624	1752	08eb80fefedc517ec37e3f6a10f859394283729516419a81c119d9393c5c3cf2.exe	31
PID 1752 wrote to memory of 2624	1752	08eb80fefedc517ec37e3f6a10f859394283729516419a81c119d9393c5c3cf2.exe	31
PID 1752 wrote to memory of 2624	1752	08eb80fefedc517ec37e3f6a10f859394283729516419a81c119d9393c5c3cf2.exe	31
PID 2624 wrote to memory of 0	2624	jusched121.exe
PID 2624 wrote to memory of 0	2624	jusched121.exe
PID 2624 wrote to memory of 0	2624	jusched121.exe
PID 2624 wrote to memory of 0	2624	jusched121.exe
PID 2624 wrote to memory of 0	2624	jusched121.exe
PID 2624 wrote to memory of 2696	2624	jusched121.exe	32
PID 2624 wrote to memory of 2696	2624	jusched121.exe	32
PID 2624 wrote to memory of 2696	2624	jusched121.exe	32
PID 2624 wrote to memory of 2696	2624	jusched121.exe	32
PID 2624 wrote to memory of 2696	2624	jusched121.exe	32
PID 2624 wrote to memory of 2696	2624	jusched121.exe	32
PID 2624 wrote to memory of 2696	2624	jusched121.exe	32
PID 2624 wrote to memory of 2696	2624	jusched121.exe	32
PID 2624 wrote to memory of 2696	2624	jusched121.exe	32

C:\Users\Admin\AppData\Local\Temp\08eb80fefedc517ec37e3f6a10f859394283729516419a81c119d9393c5c3cf2.exe
"C:\Users\Admin\AppData\Local\Temp\08eb80fefedc517ec37e3f6a10f859394283729516419a81c119d9393c5c3cf2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\zWBuy.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "849753894" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\jusched121.exe" /f
    3⤵
    - Adds Run key to start application
    PID:2672
- C:\Users\Admin\AppData\Roaming\jusched121.exe
  "C:\Users\Admin\AppData\Roaming\jusched121.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Users\Admin\AppData\Roaming\jusched121.exe
    C:\Users\Admin\AppData\Roaming\jusched121.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\zWBuy.bat

Filesize
141B

MD5
f29af156d2290b132c12fc7a52b915e7

SHA1
de5dd6043c236ef9306ff49b7fbf262610f22f24

SHA256
e9f28b9b7c75824f287698650968b9812525409ac5e5095b5d49247da3ffa99b

SHA512
bd9fca2bb4c609cb6887b9d8532a51611a090b2234dbcd2f4c735e3040bf10128fd5e26fd9d9e4afe47518b12d66e26e35db7802ef00f15ebf232cf2a634e7aa

Download Submit
C:\Users\Admin\AppData\Roaming\jusched121.exe

Filesize
336KB

MD5
1aac6636051d27d2b57c099552ed1275

SHA1
dbacfece65ac788ab4dac287032e08cb06d15196

SHA256
5b3f9085ffeefe09b79b6bebca5a0479618fede2cc76183b731507617b57e49e

SHA512
df4019142bfaa21795c2ffe39530885a263da7fc01fca89e611d4b639ed3738f03240cb719f0bd53e7d49a65b61cdee2de35aa6df5a4c7bc7fdbdd961d96f04b

Download Submit
memory/1752-0-0x0000000000400000-0x00000000005B3000-memory.dmp

Filesize
1.7MB

Download
memory/1752-43-0x0000000002F50000-0x0000000003103000-memory.dmp

Filesize
1.7MB

Download
memory/1752-42-0x0000000002F50000-0x0000000003103000-memory.dmp

Filesize
1.7MB

Download
memory/1752-46-0x0000000000400000-0x00000000005B3000-memory.dmp

Filesize
1.7MB

Download
memory/2624-54-0x0000000000400000-0x00000000005B3000-memory.dmp

Filesize
1.7MB

Download
memory/2696-53-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2696-56-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2696-57-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2696-60-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads