Analysis

  • max time kernel
    119s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    12/02/2025, 10:25

General

  • Target

    773d6bf246e7c046007fb51852a91d371398819e176b764319bb1124cc5610cc.exe

  • Size

    604KB

  • MD5

    55cca528a03ec3a98137c46271f3f657

  • SHA1

    49a044a803a4e3c0887971b212ca69552b72275f

  • SHA256

    773d6bf246e7c046007fb51852a91d371398819e176b764319bb1124cc5610cc

  • SHA512

    c3cbad0c4401ea966d9f10cff5ccc3ddceca69d95afc81183c5abc57fffcca46c5f28d7daf0d99ec8275289a82b1f2e7946e899d0971348934eac07fec780d66

  • SSDEEP

    12288:NcHg+OMkYnx+ZkeeUE9EylqAUB7ftCwYTJ0Q+iK:NJ86eUyEQ/OtI1c

Malware Config

Signatures

  • Modifies firewall policy service 3 TTPs 8 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry key 1 TTPs 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\773d6bf246e7c046007fb51852a91d371398819e176b764319bb1124cc5610cc.exe
    "C:\Users\Admin\AppData\Local\Temp\773d6bf246e7c046007fb51852a91d371398819e176b764319bb1124cc5610cc.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2180
    • C:\Users\Admin\AppData\Local\Temp\773d6bf246e7c046007fb51852a91d371398819e176b764319bb1124cc5610cc.exe
      "C:\Users\Admin\AppData\Local\Temp\773d6bf246e7c046007fb51852a91d371398819e176b764319bb1124cc5610cc.exe"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2580
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\JAUVJ.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:668
        • C:\Windows\SysWOW64\reg.exe
          REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Jload" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Jload\Jload.exe" /f
          4⤵
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          PID:2644
      • C:\Users\Admin\AppData\Roaming\Jload\Jload.exe
        "C:\Users\Admin\AppData\Roaming\Jload\Jload.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2200
        • C:\Users\Admin\AppData\Roaming\Jload\Jload.exe
          "C:\Users\Admin\AppData\Roaming\Jload\Jload.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:744
        • C:\Windows\SysWOW64\svchost.exe
          "C:\Windows\system32\svchost.exe"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2436
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2224
            • C:\Windows\SysWOW64\reg.exe
              REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
              6⤵
              • Modifies firewall policy service
              • System Location Discovery: System Language Discovery
              • Modifies registry key
              PID:2100
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\SysWOW64\svchost.exe" /t REG_SZ /d "C:\Windows\SysWOW64\svchost.exe:*:Enabled:Windows Messanger" /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1764
            • C:\Windows\SysWOW64\reg.exe
              REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Windows\SysWOW64\svchost.exe" /t REG_SZ /d "C:\Windows\SysWOW64\svchost.exe:*:Enabled:Windows Messanger" /f
              6⤵
              • Modifies firewall policy service
              • System Location Discovery: System Language Discovery
              • Modifies registry key
              PID:2380
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1336
            • C:\Windows\SysWOW64\reg.exe
              REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
              6⤵
              • Modifies firewall policy service
              • System Location Discovery: System Language Discovery
              • Modifies registry key
              PID:1788
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\RUNE.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\RUNE.exe:*:Enabled:Windows Messanger" /f
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2472
            • C:\Windows\SysWOW64\reg.exe
              REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\RUNE.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\RUNE.exe:*:Enabled:Windows Messanger" /f
              6⤵
              • Modifies firewall policy service
              • System Location Discovery: System Language Discovery
              • Modifies registry key
              PID:2376

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\JAUVJ.bat

    Filesize

    138B

    MD5

    bc18986a524cd5015b00135cbf312330

    SHA1

    65c0fa726aa3b129e2d94a5518186c3cd866f3c0

    SHA256

    f27d92575749ef19cccc68a524662607f5be5ed2fb415fe7de4f4927f521709c

    SHA512

    afae8a27a1c64fedd75e9786bbeb4fc8c21795bb2cfd23a749e8de3f102977b391186597d8892cce7be71360b264b22c38a2eaf9507375c1d4e75a5586e8db2e

  • \Users\Admin\AppData\Roaming\Jload\Jload.exe

    Filesize

    604KB

    MD5

    e9675fc3fc2145e7559891b23441eeb7

    SHA1

    333021a7645a1059e967462d40b49687f073338e

    SHA256

    5e3d7553fca70c67b504edf002b5e5fc62c8c807b12cc16187c20c2a7ee56e03

    SHA512

    1fce858516d71da74b44869bb0b64ccbb6bd9dfe1ccb6bfadeffd730b55270d0ce2eab0e84df4c3f72c91039008890e776bacfacceec7a111e103b8eef0987af

  • memory/744-977-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

  • memory/744-1003-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

  • memory/2180-2-0x00000000001C0000-0x00000000001C1000-memory.dmp

    Filesize

    4KB

  • memory/2180-207-0x00000000005E0000-0x00000000005E1000-memory.dmp

    Filesize

    4KB

  • memory/2180-206-0x0000000000590000-0x0000000000591000-memory.dmp

    Filesize

    4KB

  • memory/2180-205-0x0000000000550000-0x0000000000551000-memory.dmp

    Filesize

    4KB

  • memory/2580-432-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB

  • memory/2580-998-0x0000000000400000-0x000000000040B000-memory.dmp

    Filesize

    44KB