Analysis
- max time kernel: 118s
- max time network: 118s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 18-02-2021 15:05

Static task: static1
Behavioral task: behavioral1
  Sample: _J812.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: _J812.exe
  Resource: win10v20201028
General
- Target: _J812.exe
- Size: 900KB
- MD5: 1474bd3eda2e087560754241a0b92991
- SHA1: e1e66d856800dbb5ef5bf9c8e937b6514b9f02d7
- SHA256: c83e6b96ee3aa1a580157547eae88d112d2202d710218f2ed496f7fe3d861abc
- SHA512: ca2cbc155cef666c46e6e4c07cc2e9a61bd15cef8f8f1902d06c6178a1968487fc2ad78e018621a09836755c524215aa9fcb6e62d52b210deec10162edcc9b7f
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes: J812.exe (pid 1684), ~J812.exe (pid 1812)
- Deletes itself (1 IoC)
  Processes: cmd.exe (pid 1400)
- Loads dropped DLL (1 IoC)
  Processes: J812.exe (pid 1684)
- Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  - File opened for modification: \??\PhysicalDrive0 (J812.exe)
- Drops file in System32 directory (9 IoCs)
  - File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\FPI91A0H.txt (J812.exe)
  - File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\D86NWOPM.txt (J812.exe)
  - File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\TOYX0D1C.txt (J812.exe)
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\TOYX0D1C.txt (J812.exe)
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\CD82KIX3.txt (J812.exe)
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat (J812.exe)
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\FPI91A0H.txt (J812.exe)
  - File opened for modification: C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\D86NWOPM.txt (J812.exe)
  - File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\CD82KIX3.txt (J812.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Modifies data under HKEY_USERS (28 IoCs)
  Processes: J812.exe, wmic.exe, ~J812.exe
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings (J812.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" (J812.exe)
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}\WpadDecisionTime = 00cb64090706d701 (J812.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}\WpadNetworkName = "Network" (J812.exe)
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionTime = 00cb64090706d701 (J812.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecision = "0" (J812.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD} (J812.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}\WpadDecisionReason = "1" (J812.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77 (J812.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}\32-e2-17-db-d2-77 (J812.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (wmic.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" (~J812.exe)
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (J812.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad (J812.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" (J812.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (~J812.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" (~J812.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" (J812.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C88B0D75-95D7-40B2-89BD-4A3AD4DC11FD}\WpadDecision = "0" (J812.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" (J812.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" (J812.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections (J812.exe)
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (J812.exe)
  - Set value (data): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a070056000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (J812.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings (J812.exe)
  - Set value (str): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix (J812.exe)
  - Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (J812.exe)
  - Set value (int): \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionReason = "1" (J812.exe)
- Runs ping.exe (1 TTP, 3 IoCs)
  Processes: PING.EXE (pid 1608), PING.EXE (pid 1320), PING.EXE (pid 912)
- Suspicious use of AdjustPrivilegeToken (24 IoCs)
  Process: wmic.exe (pid 572). Each of the following 12 privileges was adjusted twice:
  - Token: SeAssignPrimaryTokenPrivilege
  - Token: SeIncreaseQuotaPrivilege
  - Token: SeSecurityPrivilege
  - Token: SeTakeOwnershipPrivilege
  - Token: SeLoadDriverPrivilege
  - Token: SeSystemtimePrivilege
  - Token: SeBackupPrivilege
  - Token: SeRestorePrivilege
  - Token: SeShutdownPrivilege
  - Token: SeSystemEnvironmentPrivilege
  - Token: SeUndockPrivilege
  - Token: SeManageVolumePrivilege
- Suspicious use of WriteProcessMemory (32 IoCs)
  Processes: _J812.exe, cmd.exe, J812.exe, ~J812.exe. Each of the following 8 writes was recorded 4 times:
  - PID 1152 (_J812.exe) wrote to memory of PID 1400 (cmd.exe)
  - PID 1400 (cmd.exe) wrote to memory of PID 1320 (PING.EXE)
  - PID 1684 (J812.exe) wrote to memory of PID 572 (wmic.exe)
  - PID 1684 (J812.exe) wrote to memory of PID 1812 (~J812.exe)
  - PID 1684 (J812.exe) wrote to memory of PID 304 (cmd.exe)
  - PID 304 (cmd.exe) wrote to memory of PID 912 (PING.EXE)
  - PID 1812 (~J812.exe) wrote to memory of PID 1272 (cmd.exe)
  - PID 1272 (cmd.exe) wrote to memory of PID 1608 (PING.EXE)
Processes
- C:\Users\Admin\AppData\Local\Temp\_J812.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\_J812.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping -n 3 127.1 >nul & del /q C:\Users\Admin\AppData\Local\Temp\_J812.exe
    Signatures: Deletes itself; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping -n 3 127.1
      Signatures: Runs ping.exe
- C:\Users\Admin\AppData\Local\Temp\J812.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\J812.exe
  Signatures: Executes dropped EXE; Loads dropped DLL; Writes to the Master Boot Record (MBR); Drops file in System32 directory; Modifies data under HKEY_USERS; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\Wbem\wmic.exe
    Command line: wmic BaseBoard get SerialNumber
    Signatures: Modifies data under HKEY_USERS; Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\~J812.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\~J812.exe"
    Signatures: Executes dropped EXE; Modifies data under HKEY_USERS; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping -n 3 127.1 >nul & del /q C:\Users\Admin\AppData\Local\Temp\~J812.exe
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\PING.EXE
        Command line: ping -n 3 127.1
        Signatures: Runs ping.exe
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ping -n 3 127.1 >nul & del /q C:\Users\Admin\AppData\Local\Temp\J812.exe
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping -n 3 127.1
      Signatures: Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\J812.exe
  MD5: 1474bd3eda2e087560754241a0b92991
  SHA1: e1e66d856800dbb5ef5bf9c8e937b6514b9f02d7
  SHA256: c83e6b96ee3aa1a580157547eae88d112d2202d710218f2ed496f7fe3d861abc
  SHA512: ca2cbc155cef666c46e6e4c07cc2e9a61bd15cef8f8f1902d06c6178a1968487fc2ad78e018621a09836755c524215aa9fcb6e62d52b210deec10162edcc9b7f
- C:\Users\Admin\AppData\Local\Temp\~J812.exe
  MD5: 1474bd3eda2e087560754241a0b92991
  SHA1: e1e66d856800dbb5ef5bf9c8e937b6514b9f02d7
  SHA256: c83e6b96ee3aa1a580157547eae88d112d2202d710218f2ed496f7fe3d861abc
  SHA512: ca2cbc155cef666c46e6e4c07cc2e9a61bd15cef8f8f1902d06c6178a1968487fc2ad78e018621a09836755c524215aa9fcb6e62d52b210deec10162edcc9b7f
- \Users\Admin\AppData\Local\Temp\~J812.exe
  MD5: 1474bd3eda2e087560754241a0b92991
  SHA1: e1e66d856800dbb5ef5bf9c8e937b6514b9f02d7
  SHA256: c83e6b96ee3aa1a580157547eae88d112d2202d710218f2ed496f7fe3d861abc
  SHA512: ca2cbc155cef666c46e6e4c07cc2e9a61bd15cef8f8f1902d06c6178a1968487fc2ad78e018621a09836755c524215aa9fcb6e62d52b210deec10162edcc9b7f
Memory dumps
- memory/304-13-0x0000000000000000-mapping.dmp
- memory/572-7-0x0000000000000000-mapping.dmp
- memory/912-15-0x0000000000000000-mapping.dmp
- memory/1152-2-0x00000000760C1000-0x00000000760C3000-memory.dmp (Filesize: 8KB)
- memory/1272-16-0x0000000000000000-mapping.dmp
- memory/1320-6-0x0000000000000000-mapping.dmp
- memory/1400-5-0x0000000000000000-mapping.dmp
- memory/1608-17-0x0000000000000000-mapping.dmp
- memory/1684-14-0x0000000000320000-0x0000000000321000-memory.dmp (Filesize: 4KB)
- memory/1812-10-0x0000000000000000-mapping.dmp