ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42

Analysis

max time kernel
140s
max time network
122s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
19/08/2024, 02:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe
Size

839KB
MD5

803f39a10c4016eac37d86cd4b5e47c9
SHA1

2f3b456b5d398c45c912a7d7240830114db31572
SHA256

ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42
SHA512

cf4354345c612c56e2aac2719199fdeddda8f8c98556280aede08a40601fbda46d87a05ec96bbaa2bb06ee120a77adacc3ce87b82eb85607d23a7cf83696b932
SSDEEP

12288:E8kxNhOZElO5kkWjhD4AI/GtAtScw3qEKBaGtAtScw3qEKB:7qEkfFP145J145

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2916	JVRZX.EXE

Loads dropped DLL 2 IoCs

pid	Process
2108	ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe
2108	ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	JVRZX.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Program Files\\ACKP.EXE \"%1\" %*"	JVRZX.EXE

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2108-0-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral1/files/0x00080000000164cf-10.dat	upx
behavioral1/files/0x000a000000012029-20.dat	upx
behavioral1/memory/2108-22-0x0000000000350000-0x00000000003C0000-memory.dmp	upx
behavioral1/memory/2108-29-0x0000000000400000-0x0000000000470000-memory.dmp	upx
behavioral1/memory/2916-30-0x0000000000400000-0x0000000000470000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AOAW.EXE = "C:\\Users\\TCXMUFV.EXE"	ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe

Enumerates connected drives 3 TTPs 34 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe
File opened (read-only)	\??\O:	ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe
File opened (read-only)	\??\Q:	ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe
File opened (read-only)	\??\O:	JVRZX.EXE
File opened (read-only)	\??\R:	JVRZX.EXE
File opened (read-only)	\??\S:	JVRZX.EXE
File opened (read-only)	\??\G:	ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe
File opened (read-only)	\??\R:	ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe
File opened (read-only)	\??\P:	JVRZX.EXE
File opened (read-only)	\??\L:	ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe
File opened (read-only)	\??\E:	JVRZX.EXE
File opened (read-only)	\??\M:	JVRZX.EXE
File opened (read-only)	\??\V:	ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe
File opened (read-only)	\??\I:	JVRZX.EXE
File opened (read-only)	\??\J:	JVRZX.EXE
File opened (read-only)	\??\S:	ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe
File opened (read-only)	\??\J:	ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe
File opened (read-only)	\??\K:	ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe
File opened (read-only)	\??\K:	JVRZX.EXE
File opened (read-only)	\??\V:	JVRZX.EXE
File opened (read-only)	\??\E:	ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe
File opened (read-only)	\??\G:	JVRZX.EXE
File opened (read-only)	\??\H:	JVRZX.EXE
File opened (read-only)	\??\U:	JVRZX.EXE
File opened (read-only)	\??\U:	ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe
File opened (read-only)	\??\P:	ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe
File opened (read-only)	\??\T:	ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe
File opened (read-only)	\??\N:	ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe
File opened (read-only)	\??\M:	ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe
File opened (read-only)	\??\L:	JVRZX.EXE
File opened (read-only)	\??\N:	JVRZX.EXE
File opened (read-only)	\??\Q:	JVRZX.EXE
File opened (read-only)	\??\T:	JVRZX.EXE
File opened (read-only)	\??\H:	ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\IZVN.EXE	ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe
File opened for modification	C:\Program Files\IZVN.EXE	ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe
File created	C:\Program Files\ACKP.EXE	JVRZX.EXE
File created	C:\Program Files (x86)\JVRZX.EXE	ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe
File opened for modification	C:\Program Files (x86)\JVRZX.EXE	ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\BNSDSCI.EXE	ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JVRZX.EXE

Modifies registry class 17 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell	ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open\command\ = "C:\\Program Files\\IZVN.EXE \"%1\" %*"	ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell\open\command	ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file	ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell\open\command\ = "C:\\Program Files\\IZVN.EXE %1"	ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open\command	ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Program Files\\ACKP.EXE \"%1\" %*"	JVRZX.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell	ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell\open	ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open\command\ = "C:\\Program Files\\IZVN.EXE \"%1\""	ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	JVRZX.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command	ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile	ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open	ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Windows\\BNSDSCI.EXE %1"	ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command	ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command\ = "C:\\Program Files\\IZVN.EXE %1"	ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2916	JVRZX.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2108 wrote to memory of 2916	2108	ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe	30
PID 2108 wrote to memory of 2916	2108	ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe	30
PID 2108 wrote to memory of 2916	2108	ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe	30
PID 2108 wrote to memory of 2916	2108	ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe	30

C:\Users\Admin\AppData\Local\Temp\ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe
"C:\Users\Admin\AppData\Local\Temp\ea0c6c5e07e4f64c44585840c33813b643d9560d2caf584b9d6962e60e1e6f42.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2108
- C:\Program Files (x86)\JVRZX.EXE
  "C:\Program Files (x86)\JVRZX.EXE"
  2⤵
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Enumerates connected drives
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\IZVN.EXE

Filesize
839KB

MD5
f3f30a183132353a9276ebfb914998df

SHA1
7300d4f3463c7915f87be9b4aee65915c9b08844

SHA256
df99beebb19643e82afdaea0dc3f6e641bc6f93bba10bacc2c8e1a20691a9f20

SHA512
2da08c7fc93dd4e8ed4342355f31c7f8a633030975d44f2615a7d86888937f7477b977cbcc7267928fcb4d386ff02de50a5d4f581323f0ff68da25363cefcae8

Download Submit
\??\c:\filedebug

Filesize
276B

MD5
2b88a9887dc926923d5411848e6ac198

SHA1
d21b70f60c5fc12621ac1b1f1e4238689e00c25a

SHA256
3ee007b010e77aedde465a1ff9e9962624c5b40e902651820318588259a48c22

SHA512
eac11a6c57ef6471ec10e85ca2cd52f0acf93cc79509cdd17d09d324a5447216c45453c586abd4ad1fb34ea992df109f15aa15d26c2e4cadec80dbf171f43950

Download Submit
\Program Files (x86)\JVRZX.EXE

Filesize
839KB

MD5
d2a2ed2af6b3f85e7459552c175f9250

SHA1
ddc3634193e682f8d9bb2daf19a1ed234df73a94

SHA256
b364e9999be15f46cdbbfe776cf4e858f11cc46006b4a9504b31696ae500fa18

SHA512
0a1bf4cf4441a3bd3dc8ded22e9789dcc7c3dee0ad88f4e236f4d7a514da13047cb8afc49ea2d1ddbc2824414b9d7e48f4ff28d2b5a62859485cc5b035b3b6e7

Download Submit
memory/2108-0-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2108-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2108-22-0x0000000000350000-0x00000000003C0000-memory.dmp

Filesize
448KB

Download
memory/2108-29-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2916-28-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2916-30-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads