Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
16/06/2024, 18:26
General
-
Target
08eb80fefedc517ec37e3f6a10f859394283729516419a81c119d9393c5c3cf2.exe
-
Size
336KB
-
MD5
d96339e43ff5ba6eece388ea5207dc1a
-
SHA1
50d4869e77c69f26baf059340ba118cabba62224
-
SHA256
08eb80fefedc517ec37e3f6a10f859394283729516419a81c119d9393c5c3cf2
-
SHA512
b47ab476dcd7694586a55fa48d4470d9b1173b05138b6249ccf5758de52fb82618b10dd3286a623cd4aeeb0920bff992169cb917c4af5e5a659b63988f70c2bf
-
SSDEEP
6144:d3naj96sWrnc/ZKBgwioSPrzq1UUiGjoSiA5bmd:9naM8EBVSPvqJiGjoSi86d
Malware Config
Signatures
-
UPX dump on OEP (original entry point) 8 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 2 IoCs
-
UPX packed file 8 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 22 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\08eb80fefedc517ec37e3f6a10f859394283729516419a81c119d9393c5c3cf2.exe"C:\Users\Admin\AppData\Local\Temp\08eb80fefedc517ec37e3f6a10f859394283729516419a81c119d9393c5c3cf2.exe"1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yKJED.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "849753894" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\jusched121.exe" /f3⤵
- Adds Run key to start application
-
-
-
C:\Users\Admin\AppData\Roaming\jusched121.exe"C:\Users\Admin\AppData\Roaming\jusched121.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\jusched121.exeC:\Users\Admin\AppData\Roaming\jusched121.exe3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
141B
MD5f29af156d2290b132c12fc7a52b915e7
SHA1de5dd6043c236ef9306ff49b7fbf262610f22f24
SHA256e9f28b9b7c75824f287698650968b9812525409ac5e5095b5d49247da3ffa99b
SHA512bd9fca2bb4c609cb6887b9d8532a51611a090b2234dbcd2f4c735e3040bf10128fd5e26fd9d9e4afe47518b12d66e26e35db7802ef00f15ebf232cf2a634e7aa
-
Filesize
336KB
MD5b607aa1e7def7d5ebdacd74ab6335261
SHA108da183b661e4ba076e693f4a675d72fbcfaaac4
SHA25621451bfaaaf9114f02ba650b4ff2350bdac41546289cc26c4f446d360c3958e1
SHA5127a23443c58f3838e2106bfda9a06ceae3b1aa36f3a855edf1fbff17d3f66490a3f78742183d251bd3ea7fdbd0b8030a1f990d803d31b641148c22341ec3b4c43
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
36KB
-
Filesize
1.7MB
-
Filesize
1.7MB
-
Filesize
1.7MB