4ac4b8cd40a3955fa6876a1865cd7c56399b26670469d559588799434b43a9b6

General

Target

9f273f59ffaf82c65485ac3ea2108b50N.exe
Size

1.0MB
MD5

9f273f59ffaf82c65485ac3ea2108b50
SHA1

459756f0bf0f5fd1008e074439b8faa4114b17a1
SHA256

4ac4b8cd40a3955fa6876a1865cd7c56399b26670469d559588799434b43a9b6
SHA512

128b15cc0853a0f2a9ef4e97d35d1522674608206a66fc51e17486c2ce489243385059d8aa99bbcaca921826736638c3d76facd97d1a94effc5e46c68ad8b84f
SSDEEP

12288:M8kxNhOZElO5kkWjhD4AyCGtAtScw3qEKZGtAtScw3qEKBYGtAtScw3qEK:jqEkfFa1456145v145

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2740	REXPX.EXE

Loads dropped DLL 2 IoCs

pid	Process
2728	9f273f59ffaf82c65485ac3ea2108b50N.exe
2728	9f273f59ffaf82c65485ac3ea2108b50N.exe

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	REXPX.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\ILKXVWA.EXE \"%1\" %*"	REXPX.EXE

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2728-4-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral1/files/0x0008000000015db6-10.dat	upx
behavioral1/files/0x000a000000012029-26.dat	upx
behavioral1/memory/2740-29-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral1/memory/2728-30-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral1/memory/2740-36-0x0000000000400000-0x0000000000470000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CJGIA.EXE = "C:\\Program Files (x86)\\CJGIA.EXE"	9f273f59ffaf82c65485ac3ea2108b50N.exe

Enumerates connected drives 3 TTPs 34 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	9f273f59ffaf82c65485ac3ea2108b50N.exe
File opened (read-only)	\??\I:	9f273f59ffaf82c65485ac3ea2108b50N.exe
File opened (read-only)	\??\S:	REXPX.EXE
File opened (read-only)	\??\V:	REXPX.EXE
File opened (read-only)	\??\K:	REXPX.EXE
File opened (read-only)	\??\N:	REXPX.EXE
File opened (read-only)	\??\E:	9f273f59ffaf82c65485ac3ea2108b50N.exe
File opened (read-only)	\??\L:	9f273f59ffaf82c65485ac3ea2108b50N.exe
File opened (read-only)	\??\N:	9f273f59ffaf82c65485ac3ea2108b50N.exe
File opened (read-only)	\??\R:	9f273f59ffaf82c65485ac3ea2108b50N.exe
File opened (read-only)	\??\H:	REXPX.EXE
File opened (read-only)	\??\J:	9f273f59ffaf82c65485ac3ea2108b50N.exe
File opened (read-only)	\??\T:	9f273f59ffaf82c65485ac3ea2108b50N.exe
File opened (read-only)	\??\G:	REXPX.EXE
File opened (read-only)	\??\K:	9f273f59ffaf82c65485ac3ea2108b50N.exe
File opened (read-only)	\??\P:	9f273f59ffaf82c65485ac3ea2108b50N.exe
File opened (read-only)	\??\Q:	9f273f59ffaf82c65485ac3ea2108b50N.exe
File opened (read-only)	\??\S:	9f273f59ffaf82c65485ac3ea2108b50N.exe
File opened (read-only)	\??\U:	9f273f59ffaf82c65485ac3ea2108b50N.exe
File opened (read-only)	\??\O:	9f273f59ffaf82c65485ac3ea2108b50N.exe
File opened (read-only)	\??\P:	REXPX.EXE
File opened (read-only)	\??\Q:	REXPX.EXE
File opened (read-only)	\??\G:	9f273f59ffaf82c65485ac3ea2108b50N.exe
File opened (read-only)	\??\M:	9f273f59ffaf82c65485ac3ea2108b50N.exe
File opened (read-only)	\??\J:	REXPX.EXE
File opened (read-only)	\??\L:	REXPX.EXE
File opened (read-only)	\??\M:	REXPX.EXE
File opened (read-only)	\??\V:	9f273f59ffaf82c65485ac3ea2108b50N.exe
File opened (read-only)	\??\R:	REXPX.EXE
File opened (read-only)	\??\U:	REXPX.EXE
File opened (read-only)	\??\E:	REXPX.EXE
File opened (read-only)	\??\I:	REXPX.EXE
File opened (read-only)	\??\O:	REXPX.EXE
File opened (read-only)	\??\T:	REXPX.EXE

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\REXPX.EXE	9f273f59ffaf82c65485ac3ea2108b50N.exe
File opened for modification	C:\Program Files (x86)\REXPX.EXE	9f273f59ffaf82c65485ac3ea2108b50N.exe
File created	C:\Program Files (x86)\CJGIA.EXE	9f273f59ffaf82c65485ac3ea2108b50N.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\QGFIIIC.EXE	9f273f59ffaf82c65485ac3ea2108b50N.exe
File opened for modification	C:\Windows\QGFIIIC.EXE	9f273f59ffaf82c65485ac3ea2108b50N.exe
File created	C:\Windows\ILKXVWA.EXE	REXPX.EXE

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9f273f59ffaf82c65485ac3ea2108b50N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	REXPX.EXE

Modifies registry class 17 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open	9f273f59ffaf82c65485ac3ea2108b50N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open\command\ = "C:\\Windows\\QGFIIIC.EXE \"%1\" %*"	9f273f59ffaf82c65485ac3ea2108b50N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file	9f273f59ffaf82c65485ac3ea2108b50N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell\open\command\ = "C:\\Windows\\QGFIIIC.EXE %1"	9f273f59ffaf82c65485ac3ea2108b50N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell\open	9f273f59ffaf82c65485ac3ea2108b50N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open\command	9f273f59ffaf82c65485ac3ea2108b50N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile	9f273f59ffaf82c65485ac3ea2108b50N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command\ = "C:\\Windows\\QGFIIIC.EXE %1"	9f273f59ffaf82c65485ac3ea2108b50N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\ILKXVWA.EXE \"%1\" %*"	REXPX.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Windows\\QGFIIIC.EXE %1"	9f273f59ffaf82c65485ac3ea2108b50N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell\open\command	9f273f59ffaf82c65485ac3ea2108b50N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell	9f273f59ffaf82c65485ac3ea2108b50N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	REXPX.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open\command\ = "C:\\Windows\\QGFIIIC.EXE \"%1\""	9f273f59ffaf82c65485ac3ea2108b50N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command	9f273f59ffaf82c65485ac3ea2108b50N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command	9f273f59ffaf82c65485ac3ea2108b50N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell	9f273f59ffaf82c65485ac3ea2108b50N.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2740	REXPX.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 2740	2728	9f273f59ffaf82c65485ac3ea2108b50N.exe	30
PID 2728 wrote to memory of 2740	2728	9f273f59ffaf82c65485ac3ea2108b50N.exe	30
PID 2728 wrote to memory of 2740	2728	9f273f59ffaf82c65485ac3ea2108b50N.exe	30
PID 2728 wrote to memory of 2740	2728	9f273f59ffaf82c65485ac3ea2108b50N.exe	30

C:\Users\Admin\AppData\Local\Temp\9f273f59ffaf82c65485ac3ea2108b50N.exe
"C:\Users\Admin\AppData\Local\Temp\9f273f59ffaf82c65485ac3ea2108b50N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Program Files (x86)\REXPX.EXE
  "C:\Program Files (x86)\REXPX.EXE"
  2⤵
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Enumerates connected drives
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Event Triggered Execution

1

T1546

Change Default File Association

1

T1546.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\REXPX.EXE

Filesize
1.0MB

MD5
922d0823f7fcacc5821ccb51e0cac575

SHA1
9ef8181c0a49202cc5591130851c8691fd6b5683

SHA256
7620e49ca89e7f83dff694b6609a89ca1d2917e5250d75cb1074f90942300822

SHA512
fa3b6de0c9c5147036e400434910b8002d13cb4a86bdd43b54745da079c4642290decfd9f24b0945d88d3aeedfe101a2e66e781e35859683cb9bce1543183a07

Download Submit
C:\Windows\QGFIIIC.EXE

Filesize
1.0MB

MD5
ff51e80b28bb4e2c2cd72e73e2248efb

SHA1
b7d43ecf6020f337fa148add703fd8f52f2c9fe4

SHA256
c56bcfb2d34ec7560ec027d8f7f13f4950940149a02ac75040da06dcae68739d

SHA512
e1598cf1e0af45d76915b41796a67e465dd74b461e510b5da4d7ee0a70e8e007ace167d4676a8ca8a3e1b451659ac6b99d8b9b0257861550f62a6cd3926c8980

Download Submit
C:\filedebug

Filesize
246B

MD5
f9021a04ac1d3ad40ba4b666fe299d7f

SHA1
8c69600817d71c26101352b2940b1a3e19d19f8d

SHA256
1bdedbdccde1cad64035ac33874fb38bf3e866c1150512946710ddbe50787d35

SHA512
ca17f0b1cd3aa0c4adef9e1eb0b32030b67ee78fd1468d41fe8a638b9bdfe9a41eb3cbf8e4fe7ad756a3398228b14c2fb98f68d025884f3aa4b6caf1d9b75132

Download Submit
\??\c:\filedebug

Filesize
270B

MD5
3785395f8c00cc3b36afb981feba97ce

SHA1
3ae92290be6a62a4b4bd4812f8a940998ea6346a

SHA256
74ba962352a9d9507c1128d93c8ac2c8ad679dc07b06c0614453fe15db6e435b

SHA512
b5f620a4b724abcef9ac85fba44f46c45c3b0144163bc94d4fe213c8bd87f5aee32e3897e8c67179fd6b14d71f00db1ff70660ae2e9a5218fc26794659bf8fdc

Download Submit
memory/2728-28-0x00000000020C0000-0x0000000002130000-memory.dmp

Filesize
448KB

Download
memory/2728-5-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2728-27-0x00000000020C0000-0x0000000002130000-memory.dmp

Filesize
448KB

Download
memory/2728-30-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2728-4-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2740-29-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2740-31-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2740-36-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2740-37-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads