8fa98d104bb8fcfe1a6200ece1c02faf9e8d12e31d0c6fbc6bbf3d3882b7fd3c

General

Target

8fa98d104bb8fcfe1a6200ece1c02faf9e8d12e31d0c6fbc6bbf3d3882b7fd3c.exe
Size

983KB
MD5

e869ad846639738812a1cb901f801120
SHA1

730e00adff312d1232ea7279926b4018cf0d853b
SHA256

8fa98d104bb8fcfe1a6200ece1c02faf9e8d12e31d0c6fbc6bbf3d3882b7fd3c
SHA512

d8bd53d5e82a3bdcdb0cb0fa5e928e476be87450ad0e4bb03046f5231f5d4f45b2457820cb918122daabf3f9d3737c2e70ed71c74dea85fdbc70ddc2d8732b08
SSDEEP

24576:9GiQdsdzTxXMQCMDtUrbtoKXhn7Hu+tjqUx+kchEvoU:87gxcrNbuK0+tWOchE3

Score

8^/10

defense_evasion discovery persistence privilege_escalation upx

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 2 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1932	netsh.exe
2700	netsh.exe

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/memory/2320-22-0x0000000074AD0000-0x0000000074AD9000-memory.dmp	acprotect
behavioral1/files/0x00070000000190c9-20.dat	acprotect

Deletes itself 1 IoCs

pid	Process
2888	explorer.exe

Executes dropped EXE 1 IoCs

pid	Process
1492	hapjyaj.exe

Loads dropped DLL 4 IoCs

pid	Process
2320	8fa98d104bb8fcfe1a6200ece1c02faf9e8d12e31d0c6fbc6bbf3d3882b7fd3c.exe
2320	8fa98d104bb8fcfe1a6200ece1c02faf9e8d12e31d0c6fbc6bbf3d3882b7fd3c.exe
2320	8fa98d104bb8fcfe1a6200ece1c02faf9e8d12e31d0c6fbc6bbf3d3882b7fd3c.exe
2320	8fa98d104bb8fcfe1a6200ece1c02faf9e8d12e31d0c6fbc6bbf3d3882b7fd3c.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2320 set thread context of 2888	2320	8fa98d104bb8fcfe1a6200ece1c02faf9e8d12e31d0c6fbc6bbf3d3882b7fd3c.exe	35

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2320-22-0x0000000074AD0000-0x0000000074AD9000-memory.dmp	upx
behavioral1/files/0x00070000000190c9-20.dat	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hapjyaj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8fa98d104bb8fcfe1a6200ece1c02faf9e8d12e31d0c6fbc6bbf3d3882b7fd3c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1492	hapjyaj.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1492	hapjyaj.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1492	hapjyaj.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 1932	2320	8fa98d104bb8fcfe1a6200ece1c02faf9e8d12e31d0c6fbc6bbf3d3882b7fd3c.exe	30
PID 2320 wrote to memory of 1932	2320	8fa98d104bb8fcfe1a6200ece1c02faf9e8d12e31d0c6fbc6bbf3d3882b7fd3c.exe	30
PID 2320 wrote to memory of 1932	2320	8fa98d104bb8fcfe1a6200ece1c02faf9e8d12e31d0c6fbc6bbf3d3882b7fd3c.exe	30
PID 2320 wrote to memory of 1932	2320	8fa98d104bb8fcfe1a6200ece1c02faf9e8d12e31d0c6fbc6bbf3d3882b7fd3c.exe	30
PID 2320 wrote to memory of 2700	2320	8fa98d104bb8fcfe1a6200ece1c02faf9e8d12e31d0c6fbc6bbf3d3882b7fd3c.exe	32
PID 2320 wrote to memory of 2700	2320	8fa98d104bb8fcfe1a6200ece1c02faf9e8d12e31d0c6fbc6bbf3d3882b7fd3c.exe	32
PID 2320 wrote to memory of 2700	2320	8fa98d104bb8fcfe1a6200ece1c02faf9e8d12e31d0c6fbc6bbf3d3882b7fd3c.exe	32
PID 2320 wrote to memory of 2700	2320	8fa98d104bb8fcfe1a6200ece1c02faf9e8d12e31d0c6fbc6bbf3d3882b7fd3c.exe	32
PID 2320 wrote to memory of 1492	2320	8fa98d104bb8fcfe1a6200ece1c02faf9e8d12e31d0c6fbc6bbf3d3882b7fd3c.exe	34
PID 2320 wrote to memory of 1492	2320	8fa98d104bb8fcfe1a6200ece1c02faf9e8d12e31d0c6fbc6bbf3d3882b7fd3c.exe	34
PID 2320 wrote to memory of 1492	2320	8fa98d104bb8fcfe1a6200ece1c02faf9e8d12e31d0c6fbc6bbf3d3882b7fd3c.exe	34
PID 2320 wrote to memory of 1492	2320	8fa98d104bb8fcfe1a6200ece1c02faf9e8d12e31d0c6fbc6bbf3d3882b7fd3c.exe	34
PID 2320 wrote to memory of 2888	2320	8fa98d104bb8fcfe1a6200ece1c02faf9e8d12e31d0c6fbc6bbf3d3882b7fd3c.exe	35
PID 2320 wrote to memory of 2888	2320	8fa98d104bb8fcfe1a6200ece1c02faf9e8d12e31d0c6fbc6bbf3d3882b7fd3c.exe	35
PID 2320 wrote to memory of 2888	2320	8fa98d104bb8fcfe1a6200ece1c02faf9e8d12e31d0c6fbc6bbf3d3882b7fd3c.exe	35
PID 2320 wrote to memory of 2888	2320	8fa98d104bb8fcfe1a6200ece1c02faf9e8d12e31d0c6fbc6bbf3d3882b7fd3c.exe	35
PID 2320 wrote to memory of 2888	2320	8fa98d104bb8fcfe1a6200ece1c02faf9e8d12e31d0c6fbc6bbf3d3882b7fd3c.exe	35

C:\Users\Admin\AppData\Local\Temp\8fa98d104bb8fcfe1a6200ece1c02faf9e8d12e31d0c6fbc6bbf3d3882b7fd3c.exe
"C:\Users\Admin\AppData\Local\Temp\8fa98d104bb8fcfe1a6200ece1c02faf9e8d12e31d0c6fbc6bbf3d3882b7fd3c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall add rule name=hapjyaj dir=in action=allow program="C:\Users\Admin\AppData\Local\Temp\nsjC8DC.tmp\hapjyaj.exe" enable=yes profile=public,private
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1932
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall add rule name=hapjyaj dir=out action=allow program="C:\Users\Admin\AppData\Local\Temp\nsjC8DC.tmp\hapjyaj.exe" enable=yes profile=public,private
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2700
- C:\Users\Admin\AppData\Local\Temp\nsjC8DC.tmp\hapjyaj.exe
  "C:\Users\Admin\AppData\Local\Temp\nsjC8DC.tmp\hapjyaj.exe" "http://www.marvburris.click" "C:\Users\Admin\AppData\Local\Temp\nsjC8DC.tmp\8197"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1492
- C:\Windows\SysWOW64\explorer.exe
  C:\Windows\system32\explorer.exe
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Event Triggered Execution

1

T1546

Netsh Helper DLL

1

T1546.007

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

1

T1562.004

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsjC8DC.tmp\hapjyaj.exe.config

Filesize
257B

MD5
441f5c5c7933c16068a03d99bc8837c4

SHA1
76d1de63216c2c1218cf47a5d768a18952a1dcb3

SHA256
f1cac503709c2acd9ab0a7d0e48a4abf2777d16052fee68830260a78359ec72f

SHA512
5b8fa02b827993541841a2fd07a50e5d2c5a7f5ba35e0b282ed3a453e3f919d63f1c9432d922cc364027351c57d2b78f99f5f1469c86b581cc53acb76fdfc366

Download Submit
\Users\Admin\AppData\Local\Temp\nsjC8DC.tmp\SelfDel.dll

Filesize
5KB

MD5
e5786e8703d651bc8bd4bfecf46d3844

SHA1
fee5aa4b325deecbf69ccb6eadd89bd5ae59723f

SHA256
d115bce0a787b4f895e700efe943695c8f1087782807d91d831f6015b0f98774

SHA512
d14ad43a01db19428cd8ccd2fe101750860933409b5be2eb85a3e400efcd37b1b6425ce84e87a7fe46ecabc7b91c4b450259e624c178b86e194ba7da97957ba3

Download Submit
\Users\Admin\AppData\Local\Temp\nsjC8DC.tmp\hapjyaj.exe

Filesize
10KB

MD5
9916cd804c030ab91eabab4c3d1f39f6

SHA1
d01995ac1f61a17211b0c942d38504e35ac89c1a

SHA256
6920bf36c100c838c5fcc48b3665f660e0c158449ed1a42f64cb1c054cf90eef

SHA512
db60ef4e82328841153114c002c7d7664c5f7b7e5a916ea106912a0fe5a9f86a4ffc0a8f062f3cc974982efbc9b0ee7ff56582efe77e34dca001fc8b79d8ccc4

Download Submit
\Users\Admin\AppData\Local\Temp\nsjC8DC.tmp\nsExec.dll

Filesize
7KB

MD5
11092c1d3fbb449a60695c44f9f3d183

SHA1
b89d614755f2e943df4d510d87a7fc1a3bcf5a33

SHA256
2cd3a2d4053954db1196e2526545c36dfc138c6de9b81f6264632f3132843c77

SHA512
c182e0a1f0044b67b4b9fb66cef9c4955629f6811d98bbffa99225b03c43c33b1e85cacabb39f2c45ead81cd85e98b201d5f9da4ee0038423b1ad947270c134a

Download Submit
memory/1492-40-0x0000000000E60000-0x0000000000E68000-memory.dmp

Filesize
32KB

Download
memory/2320-22-0x0000000074AD0000-0x0000000074AD9000-memory.dmp

Filesize
36KB

Download
memory/2888-38-0x0000000000050000-0x0000000000090000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads