22cae23405ef1d6162fdbe9de167ed431e3585b748a38bda5f7ef1090c22087a

General

Target

DJAPPSTORE.exe
Size

1.4MB
MD5

6afc8290bc005d98203e4d28d1af8d06
SHA1

f145630a0f925865a0fb67f101b630e770f8029d
SHA256

90e14e6d711668b63a68e722abcffff1428fd82506411f1519fdd582c65d2929
SHA512

5fa0fae5d673d8735fed45ef75e1f950f8560c5d88d008ff50146643473d684a7db40eae4277eefb5f18ca87fd6e73da8ebc613711a0c4f529e5512f2e977d14
SSDEEP

3072:gKSaWbBpm3pm3pmcJdm6k8Kw2pmu64VwOAsbvjL357kuQ4wdXzsyP0ujm7pmzpR:b8byyn3mn8XEvVwOJjL357K90vS

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Deletes itself 1 IoCs

pid	Process
1124	UpdInstaller.exe

Executes dropped EXE 2 IoCs

pid	Process
2388	DJAPPSTORE.exe
2664	DJAPPSTORE.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
2	raw.githubusercontent.com
6	raw.githubusercontent.com
10	raw.githubusercontent.com
1	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1537126222-899333903-2037027349-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2000	DJAPPSTORE.exe
Token: SeDebugPrivilege	2388	DJAPPSTORE.exe
Token: SeDebugPrivilege	2664	DJAPPSTORE.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2476	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 1124	2000	DJAPPSTORE.exe	80
PID 2000 wrote to memory of 1124	2000	DJAPPSTORE.exe	80
PID 1124 wrote to memory of 2388	1124	UpdInstaller.exe	82
PID 1124 wrote to memory of 2388	1124	UpdInstaller.exe	82
PID 2388 wrote to memory of 1832	2388	DJAPPSTORE.exe	84
PID 2388 wrote to memory of 1832	2388	DJAPPSTORE.exe	84
PID 1832 wrote to memory of 2664	1832	UpdInstaller.exe	86
PID 1832 wrote to memory of 2664	1832	UpdInstaller.exe	86

C:\Users\Admin\AppData\Local\Temp\DJAPPSTORE.exe
"C:\Users\Admin\AppData\Local\Temp\DJAPPSTORE.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Users\Admin\AppData\Local\Temp\UpdInstaller.exe
  "C:\Users\Admin\AppData\Local\Temp\UpdInstaller.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1124
- - C:\Users\Admin\AppData\Local\Temp\DJAPPSTORE.exe
    "C:\Users\Admin\AppData\Local\Temp\DJAPPSTORE.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2388
  - - C:\Users\Admin\AppData\Local\Temp\UpdInstaller.exe
      "C:\Users\Admin\AppData\Local\Temp\UpdInstaller.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1832
    - - C:\Users\Admin\AppData\Local\Temp\DJAPPSTORE.exe
        
        "C:\Users\Admin\AppData\Local\Temp\DJAPPSTORE.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2664

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0\UsageLogs\UpdInstaller.exe.log

Filesize
312B

MD5
94362876a82ea2b020cc31686fccce81

SHA1
54580aaf9e28b09ab7d65a166f4328767e143264

SHA256
a2fd92b60d00dc2281a0c8af75d76221e6e48d581e95213df4c715fd6fa0fe3f

SHA512
37b3ff098573bf00ab5e49a5fc3f66a2684691e28274282714f8137706b8aca5edd11fc50b1d8a0713e3897fe467c40d8ce60299d08b2376baf29c54f1a60687

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DJAPPSTORE.exe.log

Filesize
1KB

MD5
3392533e5a911044c10543cfaf81cdcd

SHA1
7e2900a2a27fecbe81e59395690b0d8436421a4b

SHA256
b3f2d644973405253616e6aaffb35e19165c4369ba1828d82ce5c0c57c3868b5

SHA512
2c44cf950118637fc69a05e18004d7d1581e0177ab3aeb466ea533387b080cba4fd129f5493fb8ce3e14809185ddc1d916d8ee0cf99bcda9bc2258398c91127c

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
327975ba2c226434c0009085b3702a06

SHA1
b7b8b25656b3caefad9c5a657f101f06e2024bbd

SHA256
6fa9064f304b70d6dcebee643ca017c2417ff325106917058f6e11341678583c

SHA512
150a57c143fc5ff2462f496f5a9451310b8d99e32c4d570641204c8062a78590f14bed438ac981e8b0609a0c87b859a1f8502a78687bc36c3a9529d633a58e51

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
785073822344ae3813284ebc92bb596a

SHA1
96e2a933b38352ed2c8e6e34e94756b70c143214

SHA256
36ef4cbbc494deacf81f364b546281223a39bea01a32b0c4b0e2324f984d6817

SHA512
28b21e17fdf026a025503a2ae1014ea4e8ce5385e42396007a7a23aba3aecb591d225e2a90d47f6f9e02d34792d74b89547715d66899265dbf8372258ccf4498

Download Submit
C:\Users\Admin\AppData\Local\Temp\upd.exe

Filesize
14KB

MD5
47da46b9ef37e731c3bc147f894b47f6

SHA1
28fb32b8fa7b2f34cb89c35814017c8a483d22e4

SHA256
fd693f8144d95bd93d9d09a1bcc243b42106cfc86639bdfa2719d04b6695b68e

SHA512
adaf1f1b5536b652054b2ff9b4531aca16ca498a31b6f55725886090a32d9484a600d16a9833085c9aa603949064bd8146207bfa4e39e571ab35ea9241d1b84e

Download Submit
C:\Users\Admin\AppData\Local\Temp\upd.exe

Filesize
2.4MB

MD5
8809858914b74bae61d6c9739ca1cd08

SHA1
b02ccc205adb68a54cdc8112269aafd8eeb284e2

SHA256
3b6f375c9ac3fb318e4eeba80ab8d2497f20cf89005a682cf94ef37e53f56e85

SHA512
aa31075cb2e603abe18f2eb531f45d5ee6b3c95306b99f5226a380f60db1e14892b3bde8d5c7e2e1a509570f353a3292cc4b50410daae2d2e97a8a7877bb4b0a

Download Submit
memory/1124-20-0x00007FF93C130000-0x00007FF93CAD1000-memory.dmp

Filesize
9.6MB

Download
memory/1124-25-0x00007FF93C130000-0x00007FF93CAD1000-memory.dmp

Filesize
9.6MB

Download
memory/1124-21-0x00007FF93C130000-0x00007FF93CAD1000-memory.dmp

Filesize
9.6MB

Download
memory/2000-16-0x00007FF93C130000-0x00007FF93CAD1000-memory.dmp

Filesize
9.6MB

Download
memory/2000-7-0x000000001C420000-0x000000001C46C000-memory.dmp

Filesize
304KB

Download
memory/2000-11-0x00007FF93C130000-0x00007FF93CAD1000-memory.dmp

Filesize
9.6MB

Download
memory/2000-12-0x00007FF93C3E5000-0x00007FF93C3E6000-memory.dmp

Filesize
4KB

Download
memory/2000-13-0x00007FF93C130000-0x00007FF93CAD1000-memory.dmp

Filesize
9.6MB

Download
memory/2000-14-0x00007FF93C130000-0x00007FF93CAD1000-memory.dmp

Filesize
9.6MB

Download
memory/2000-15-0x00007FF93C130000-0x00007FF93CAD1000-memory.dmp

Filesize
9.6MB

Download
memory/2000-0-0x00007FF93C3E5000-0x00007FF93C3E6000-memory.dmp

Filesize
4KB

Download
memory/2000-19-0x00007FF93C130000-0x00007FF93CAD1000-memory.dmp

Filesize
9.6MB

Download
memory/2000-9-0x00007FF93C130000-0x00007FF93CAD1000-memory.dmp

Filesize
9.6MB

Download
memory/2000-8-0x00007FF93C130000-0x00007FF93CAD1000-memory.dmp

Filesize
9.6MB

Download
memory/2000-10-0x000000001D180000-0x000000001D2BC000-memory.dmp

Filesize
1.2MB

Download
memory/2000-6-0x0000000000F50000-0x0000000000F58000-memory.dmp

Filesize
32KB

Download
memory/2000-1-0x000000001B690000-0x000000001B736000-memory.dmp

Filesize
664KB

Download
memory/2000-2-0x00007FF93C130000-0x00007FF93CAD1000-memory.dmp

Filesize
9.6MB

Download
memory/2000-3-0x000000001BC10000-0x000000001C0DE000-memory.dmp

Filesize
4.8MB

Download
memory/2000-5-0x00007FF93C130000-0x00007FF93CAD1000-memory.dmp

Filesize
9.6MB

Download
memory/2000-4-0x000000001C1C0000-0x000000001C25C000-memory.dmp

Filesize
624KB

Download
memory/2388-31-0x0000020BE5640000-0x0000020BE5652000-memory.dmp

Filesize
72KB

Download
memory/2388-27-0x0000020BE3CE0000-0x0000020BE3CEA000-memory.dmp

Filesize
40KB

Download
memory/2388-26-0x0000020BE3880000-0x0000020BE388A000-memory.dmp

Filesize
40KB

Download
memory/2664-50-0x000001219AB10000-0x000001219AD72000-memory.dmp

Filesize
2.4MB

Download
memory/2664-51-0x00000121B6660000-0x00000121B6822000-memory.dmp

Filesize
1.8MB

Download
memory/2664-53-0x00000121B8100000-0x00000121B8628000-memory.dmp

Filesize
5.2MB

Download

Resubmissions

Analysis

Sharing