97d220fabc1aa082269814eb3e61bf529e1a7ed02efd26444326eb145a2e5078

General

Target

97d220fabc1aa082269814eb3e61bf529e1a7ed02efd26444326eb145a2e5078.exe
Size

96KB
MD5

b54d4d0c6ed48be9bd6a339e820e8325
SHA1

0568f62cfcda556a0f89c85d305384aa9e940f52
SHA256

97d220fabc1aa082269814eb3e61bf529e1a7ed02efd26444326eb145a2e5078
SHA512

a4b4d3caf5ea835b2c4adc2886c3bcfaa57c3c9c4e020eb510eaf56bca704851a0215d1cf8784f93a8257914e6ec2835452915deb878feeedd0f1c555b75153d
SSDEEP

384:Yyub81xJ4j8Gs/sRHSv9W705ZqSA7hyTM/0uOVlYpFUMmYPJ:YyubcCj8GsmIlAFyTqUVllXYP

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2316	jrun32.exe

Loads dropped DLL 2 IoCs

pid	Process
1624	97d220fabc1aa082269814eb3e61bf529e1a7ed02efd26444326eb145a2e5078.exe
1624	97d220fabc1aa082269814eb3e61bf529e1a7ed02efd26444326eb145a2e5078.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\jrun32 = "C:\\Users\\Admin\\AppData\\Roaming\\AppData\\jrun32.exe -notray"	reg.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	97d220fabc1aa082269814eb3e61bf529e1a7ed02efd26444326eb145a2e5078.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jrun32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2228	ipconfig.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2664	reg.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1624	97d220fabc1aa082269814eb3e61bf529e1a7ed02efd26444326eb145a2e5078.exe
2316	jrun32.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1624 wrote to memory of 2316	1624	97d220fabc1aa082269814eb3e61bf529e1a7ed02efd26444326eb145a2e5078.exe	30
PID 1624 wrote to memory of 2316	1624	97d220fabc1aa082269814eb3e61bf529e1a7ed02efd26444326eb145a2e5078.exe	30
PID 1624 wrote to memory of 2316	1624	97d220fabc1aa082269814eb3e61bf529e1a7ed02efd26444326eb145a2e5078.exe	30
PID 1624 wrote to memory of 2316	1624	97d220fabc1aa082269814eb3e61bf529e1a7ed02efd26444326eb145a2e5078.exe	30
PID 2316 wrote to memory of 2228	2316	jrun32.exe	31
PID 2316 wrote to memory of 2228	2316	jrun32.exe	31
PID 2316 wrote to memory of 2228	2316	jrun32.exe	31
PID 2316 wrote to memory of 2228	2316	jrun32.exe	31
PID 2316 wrote to memory of 2228	2316	jrun32.exe	31
PID 2316 wrote to memory of 2228	2316	jrun32.exe	31
PID 2228 wrote to memory of 2744	2228	ipconfig.exe	33
PID 2228 wrote to memory of 2744	2228	ipconfig.exe	33
PID 2228 wrote to memory of 2744	2228	ipconfig.exe	33
PID 2228 wrote to memory of 2744	2228	ipconfig.exe	33
PID 2744 wrote to memory of 2664	2744	cmd.exe	35
PID 2744 wrote to memory of 2664	2744	cmd.exe	35
PID 2744 wrote to memory of 2664	2744	cmd.exe	35
PID 2744 wrote to memory of 2664	2744	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\97d220fabc1aa082269814eb3e61bf529e1a7ed02efd26444326eb145a2e5078.exe
"C:\Users\Admin\AppData\Local\Temp\97d220fabc1aa082269814eb3e61bf529e1a7ed02efd26444326eb145a2e5078.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Users\Admin\AppData\Roaming\AppData\jrun32.exe
  C:\Users\Admin\AppData\Roaming\AppData\jrun32.exe -notray
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Windows\SysWOW64\ipconfig.exe
    "C:\Windows\system32\ipconfig.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Gathers network information
    - Suspicious use of WriteProcessMemory
    PID:2228
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\XQPXLLMH.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2744
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v jrun32 /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\AppData\jrun32.exe -notray" /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\XQPXLLMH.bat

Filesize
146B

MD5
f43ed9d2c73208eded7959a9b78c7814

SHA1
d8f0db46acffd54bd87051ad8e46f73b8dd47961

SHA256
707c5b61af860c851e76c8173f36a852089f68985a25356b1e47711265cea7f6

SHA512
b06f43d4029e372a53b36df2fc3091b7b546c65074770da3adb88be3c96c4288cc0247fb7408804f96ddbb6df305f230f288aa30355bf7b22865216130671d0d

Download Submit
\Users\Admin\AppData\Roaming\AppData\jrun32.exe

Filesize
96KB

MD5
8c76bb050eb9b2b9f89deb7d023354a7

SHA1
295475682da60982da6699596047a848039f7b3c

SHA256
c519a7b6c8f13b503463d46aa91effa59f47a35bb65deb348f3f30c40314c67b

SHA512
203e58e6224c273b9e40810b2a2205a307a44052377bcfa3939510b7c31ed6199475558b8a777366b8e735a2067b8708ce07f76c8a6532957d633b37820d8c9b

Download Submit
memory/1624-0-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/1624-13-0x0000000001B60000-0x0000000001B78000-memory.dmp

Filesize
96KB

Download
memory/1624-12-0x0000000001B60000-0x0000000001B78000-memory.dmp

Filesize
96KB

Download
memory/1624-22-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2228-18-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2316-14-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/2316-21-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads