6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0

Analysis

max time kernel
111s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21/11/2024, 10:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe
Size

457KB
MD5

e3d480a39eacd6bb9656520c5bb779b2
SHA1

532c5cc229e3d76528455a855d3b3c7d4eae2b13
SHA256

6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0
SHA512

9a4b19b80e5e85811a6fd1e1e6d35c330347d6b87de85e94ffa77ebabe9bfd59e2f6d0cbea2c88eebbcf9c227cd01909b51bbba20af3af481bd1826025eb9c09
SSDEEP

6144:9bpGtfoVtScw2RCgrzItQB0bpGtfoVtScw2RCgrzItQBUbpGtfoT:TGtAtScw3qEKBWGtAtScw3qEKB2Gt2

Score

7^/10

discovery persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4976	JAIXII.EXE

Modifies system executable filetype association 2 TTPs 2 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\PerfLogs\\EYC.EXE \"%1\" %*"	JAIXII.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	JAIXII.EXE

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CPMGKL.EXE = "C:\\Users\\CPMGKL.EXE"	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe

Enumerates connected drives 3 TTPs 34 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe
File opened (read-only)	\??\V:	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe
File opened (read-only)	\??\I:	JAIXII.EXE
File opened (read-only)	\??\P:	JAIXII.EXE
File opened (read-only)	\??\K:	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe
File opened (read-only)	\??\L:	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe
File opened (read-only)	\??\M:	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe
File opened (read-only)	\??\S:	JAIXII.EXE
File opened (read-only)	\??\U:	JAIXII.EXE
File opened (read-only)	\??\E:	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe
File opened (read-only)	\??\J:	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe
File opened (read-only)	\??\G:	JAIXII.EXE
File opened (read-only)	\??\K:	JAIXII.EXE
File opened (read-only)	\??\H:	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe
File opened (read-only)	\??\O:	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe
File opened (read-only)	\??\R:	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe
File opened (read-only)	\??\O:	JAIXII.EXE
File opened (read-only)	\??\Q:	JAIXII.EXE
File opened (read-only)	\??\R:	JAIXII.EXE
File opened (read-only)	\??\T:	JAIXII.EXE
File opened (read-only)	\??\I:	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe
File opened (read-only)	\??\P:	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe
File opened (read-only)	\??\V:	JAIXII.EXE
File opened (read-only)	\??\N:	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe
File opened (read-only)	\??\J:	JAIXII.EXE
File opened (read-only)	\??\L:	JAIXII.EXE
File opened (read-only)	\??\M:	JAIXII.EXE
File opened (read-only)	\??\U:	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe
File opened (read-only)	\??\E:	JAIXII.EXE
File opened (read-only)	\??\H:	JAIXII.EXE
File opened (read-only)	\??\N:	JAIXII.EXE
File opened (read-only)	\??\G:	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe
File opened (read-only)	\??\Q:	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe
File opened (read-only)	\??\T:	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1156-0-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral2/files/0x000a000000023b97-10.dat	upx
behavioral2/files/0x000b000000023b92-21.dat	upx
behavioral2/memory/1156-25-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral2/memory/4976-26-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral2/memory/4976-27-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral2/memory/4976-32-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral2/memory/4976-33-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral2/memory/4976-34-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral2/memory/4976-35-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral2/memory/4976-36-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral2/memory/4976-37-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral2/memory/4976-38-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral2/memory/4976-39-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral2/memory/4976-40-0x0000000000400000-0x000000000046E000-memory.dmp	upx
behavioral2/memory/4976-41-0x0000000000400000-0x000000000046E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JAIXII.EXE

Modifies registry class 17 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Users\\JAIXII.EXE %1"	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\PerfLogs\\EYC.EXE \"%1\" %*"	JAIXII.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell\open\command	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell\open	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open\command\ = "C:\\Users\\CPMGKL.EXE \"%1\" %*"	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	JAIXII.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQ.file\shell\open\command\ = "C:\\Users\\JAIXII.EXE %1"	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open\command	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QQQfile\shell\open\command\ = "C:\\PerfLogs\\QML.EXE \"%1\""	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\open\command\ = "C:\\PerfLogs\\QML.EXE %1"	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4976	JAIXII.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1156 wrote to memory of 4976	1156	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe	83
PID 1156 wrote to memory of 4976	1156	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe	83
PID 1156 wrote to memory of 4976	1156	6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe	83

C:\Users\Admin\AppData\Local\Temp\6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe
"C:\Users\Admin\AppData\Local\Temp\6667fc3eb4dba95a444982ae196e462664a997781acd48b615e2db526184b8a0.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1156
- C:\Users\JAIXII.EXE
  C:\Users\JAIXII.EXE
  2⤵
  - Executes dropped EXE
  - Modifies system executable filetype association
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  PID:4976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PerfLogs\QML.EXE

Filesize
64KB

MD5
68010e30171693eb88610dc8cc254c28

SHA1
bcd7da2682f2f2554d9d39b0acc722376bd232c6

SHA256
68d8651990932c622ba01c6c8f4d43ceac9261512137068b1942d2ac30d2398c

SHA512
1c3f4ae0831b7e3145e250a4a3f331899d35ffd9a5061bb63cb10ed1251e51a136561f1a92423cf00ce73de205fdfa81209fe7dd088e5e04e447bb452d243e65

Download Submit
C:\Users\JAIXII.EXE

Filesize
458KB

MD5
70ef4807f3c9425f0270b1cd052d56f4

SHA1
328160de4a796f70d20d6708bf06447c78377319

SHA256
65cd8edfc5922ac7ce79734fc31386dbf55be6c06b967fad8b3a7f72099a17b2

SHA512
8e15abc2c973bfe32cad692de0569db2617913591c8e5de24042db2c219b6e8404ad2c6b553cd7d14d96e95ebbe7861d22524c604a247d03691b7122bb30ca8a

Download Submit
\??\c:\filedebug

Filesize
210B

MD5
fa5b4c880e842bcd14a152dddc9f6df8

SHA1
29785c3f6eb0dbdafac67a974d7be8aa3f423104

SHA256
9e81d820ad41a2fb05225cbc2dcfcf345202854de14eb626c62426e60ad988f2

SHA512
6be8211090720084c2d3926f25a66979c8ede0ea17ded65f8b5da5892eb1d0f138b6c09f358e5167a70bbebaec9ebefbb064298e5ccda08b40a8e7bb1aff9500

Download Submit
memory/1156-1-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/1156-0-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/1156-25-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4976-32-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4976-35-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4976-27-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4976-26-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4976-23-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/4976-33-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4976-34-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4976-28-0x0000000000640000-0x0000000000641000-memory.dmp

Filesize
4KB

Download
memory/4976-36-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4976-37-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4976-38-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4976-39-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4976-40-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download
memory/4976-41-0x0000000000400000-0x000000000046E000-memory.dmp

Filesize
440KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads