3a5833df19607946bc8cb51577675176b6b4f55a87c1b2ec72ce9025b93f12db

General

Target

3a5833df19607946bc8cb51577675176b6b4f55a87c1b2ec72ce9025b93f12db.exe
Size

476KB
MD5

566dcb7c5cc7df524025c3c35feafdbe
SHA1

bfc7d2e5ef315daaa18b09410f1fb9f4dc3601cb
SHA256

3a5833df19607946bc8cb51577675176b6b4f55a87c1b2ec72ce9025b93f12db
SHA512

4a6e1d7cc0adb4ba0b45b58da46448e3a6291164372687d195427f6e40a6fdeb4b34740970bc235f735a054271108517e1c9b91f3c6a2ec525dc8e4c35590d28
SSDEEP

3072:Jin8r+coP2W0XgEU5IuY2R8FD8edLhb9x4CuSqhAp08FkGRnNrdf45AjqKnoem:23P0KPsvKhAp081nNVjqKoe

Score

9^/10

upx

Malware Config

Signatures

UPX dump on OEP (original entry point) 6 IoCs

resource	yara_rule
behavioral2/memory/3104-5-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral2/memory/3104-11-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral2/memory/3104-10-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral2/memory/3104-37-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral2/memory/3104-51-0x0000000000400000-0x000000000040B000-memory.dmp	UPX
behavioral2/memory/3840-53-0x0000000000400000-0x000000000040B000-memory.dmp	UPX

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	3a5833df19607946bc8cb51577675176b6b4f55a87c1b2ec72ce9025b93f12db.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3104-5-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/3104-11-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/3104-10-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/3104-37-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/3104-51-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral2/memory/3840-53-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1544 set thread context of 3104	1544	3a5833df19607946bc8cb51577675176b6b4f55a87c1b2ec72ce9025b93f12db.exe	90

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process
836	2708	WerFault.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1544	3a5833df19607946bc8cb51577675176b6b4f55a87c1b2ec72ce9025b93f12db.exe
3104	3a5833df19607946bc8cb51577675176b6b4f55a87c1b2ec72ce9025b93f12db.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1544 wrote to memory of 3104	1544	3a5833df19607946bc8cb51577675176b6b4f55a87c1b2ec72ce9025b93f12db.exe	90
PID 1544 wrote to memory of 3104	1544	3a5833df19607946bc8cb51577675176b6b4f55a87c1b2ec72ce9025b93f12db.exe	90
PID 1544 wrote to memory of 3104	1544	3a5833df19607946bc8cb51577675176b6b4f55a87c1b2ec72ce9025b93f12db.exe	90
PID 1544 wrote to memory of 3104	1544	3a5833df19607946bc8cb51577675176b6b4f55a87c1b2ec72ce9025b93f12db.exe	90
PID 1544 wrote to memory of 3104	1544	3a5833df19607946bc8cb51577675176b6b4f55a87c1b2ec72ce9025b93f12db.exe	90
PID 1544 wrote to memory of 3104	1544	3a5833df19607946bc8cb51577675176b6b4f55a87c1b2ec72ce9025b93f12db.exe	90
PID 1544 wrote to memory of 3104	1544	3a5833df19607946bc8cb51577675176b6b4f55a87c1b2ec72ce9025b93f12db.exe	90
PID 1544 wrote to memory of 3104	1544	3a5833df19607946bc8cb51577675176b6b4f55a87c1b2ec72ce9025b93f12db.exe	90
PID 3104 wrote to memory of 1568	3104	3a5833df19607946bc8cb51577675176b6b4f55a87c1b2ec72ce9025b93f12db.exe	91
PID 3104 wrote to memory of 1568	3104	3a5833df19607946bc8cb51577675176b6b4f55a87c1b2ec72ce9025b93f12db.exe	91
PID 3104 wrote to memory of 1568	3104	3a5833df19607946bc8cb51577675176b6b4f55a87c1b2ec72ce9025b93f12db.exe	91

C:\Users\Admin\AppData\Local\Temp\3a5833df19607946bc8cb51577675176b6b4f55a87c1b2ec72ce9025b93f12db.exe
"C:\Users\Admin\AppData\Local\Temp\3a5833df19607946bc8cb51577675176b6b4f55a87c1b2ec72ce9025b93f12db.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Users\Admin\AppData\Local\Temp\3a5833df19607946bc8cb51577675176b6b4f55a87c1b2ec72ce9025b93f12db.exe
  "C:\Users\Admin\AppData\Local\Temp\3a5833df19607946bc8cb51577675176b6b4f55a87c1b2ec72ce9025b93f12db.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3104
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JFESI.bat" "
    3⤵
    PID:1568
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "JREsp7" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\SunJavaJREupdate7\JREUPD7.exe" /f
      4⤵
      PID:3192
- - C:\Users\Admin\AppData\Roaming\SunJavaJREupdate7\JREUPD7.exe
    "C:\Users\Admin\AppData\Roaming\SunJavaJREupdate7\JREUPD7.exe"
    3⤵
    PID:2432
  - - C:\Users\Admin\AppData\Roaming\SunJavaJREupdate7\JREUPD7.exe
      "C:\Users\Admin\AppData\Roaming\SunJavaJREupdate7\JREUPD7.exe"
      4⤵
      PID:3840
  - - C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\system32\svchost.exe"
      4⤵
      PID:2708
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2708 -s 20
        5⤵
        Program crash
        
        PID:836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2708 -ip 2708
1⤵
PID:640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\JFESI.txt

Filesize
153B

MD5
a5ab6d6b7f03c59f02ebde6e2834fe42

SHA1
567e8e08dcb41c365116e5806676d89e2b9f522a

SHA256
2dfac769e0e863a3f534444566bbc908edb7fed1981feed55a8f402cc7a3e506

SHA512
271f94ed4f69eb40012e26aae164a0332bc3695d08f119e82096a4a14e15631e8a6ee7c8095d047ba5e2ae03e364c010b873a5f3191ab88a835ae2227ddc30bd

Download Submit
C:\Users\Admin\AppData\Roaming\SunJavaJREupdate7\JREUPD7.exe

Filesize
476KB

MD5
f56c2830455aa933a461f69e2bf870ea

SHA1
fd961a12b5705eb1ad51683242a7ea9ce02bb846

SHA256
074ea7058cee362b62274ed07c96c4160dbabc39d8e70cf93fabcf69a76aae1b

SHA512
2282b3d2ae849c26a0224ec652470b1a2496898849e4f3459d2280c00c061060b7f8facd561493dcacebb1ff6858385810cbb715ca3aad47e50f5dcfd9267b33

Download Submit
memory/1544-8-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1544-2-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/1544-4-0x0000000002AE0000-0x0000000002AE1000-memory.dmp

Filesize
4KB

Download
memory/1544-3-0x0000000002B40000-0x0000000002B41000-memory.dmp

Filesize
4KB

Download
memory/1544-9-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/2432-48-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2432-38-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2708-44-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/3104-10-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3104-11-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3104-37-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3104-5-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3104-51-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3840-53-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing