Analysis
max time kernel: 99s
max time network: 135s
platform: windows10_x64
resource: win10v20201028
submitted: 18-02-2021 15:05
Static task: static1
Behavioral task: behavioral1
  Sample: _J812.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: _J812.exe
  Resource: win10v20201028
General
Target: _J812.exe
Size: 900KB
MD5: 1474bd3eda2e087560754241a0b92991
SHA1: e1e66d856800dbb5ef5bf9c8e937b6514b9f02d7
SHA256: c83e6b96ee3aa1a580157547eae88d112d2202d710218f2ed496f7fe3d861abc
SHA512: ca2cbc155cef666c46e6e4c07cc2e9a61bd15cef8f8f1902d06c6178a1968487fc2ad78e018621a09836755c524215aa9fcb6e62d52b210deec10162edcc9b7f
Malware Config
Signatures
Executes dropped EXE (2 IoCs)
Processes:
  pid  | process
  3232 | J812.exe
  896  | ~J812.exe
Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
  description                  | ioc                | process
  File opened for modification | \??\PhysicalDrive0 | J812.exe
Drops file in System32 directory (13 IoCs)
Processes:
  description                  | ioc | process
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\419BIC54.cookie | J812.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\counters2.dat | J812.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | J812.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | J812.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | J812.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | J812.exe
  File created                 | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\IVC96PK6.cookie | J812.exe
  File created                 | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\419BIC54.cookie | J812.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\EDMU3OTO.cookie | J812.exe
  File created                 | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\G1102N99.cookie | J812.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\G1102N99.cookie | J812.exe
  File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\IVC96PK6.cookie | J812.exe
  File created                 | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\EDMU3OTO.cookie | J812.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies data under HKEY_USERS (14 IoCs)
Processes:
  description     | ioc | process
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | J812.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | ~J812.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | J812.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | J812.exe
  Key created     | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | ~J812.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | ~J812.exe
  Key created     | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | J812.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | J812.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | ~J812.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | J812.exe
  Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | J812.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | J812.exe
  Key created     | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | wmic.exe
  Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | ~J812.exe
Runs ping.exe (1 TTPs, 3 IoCs)
Processes:
  pid  | process
  3572 | PING.EXE
  3740 | PING.EXE
  904  | PING.EXE
Suspicious use of AdjustPrivilegeToken (24 IoCs)
Processes:
  description                           | pid  | process
  Token: SeAssignPrimaryTokenPrivilege  | 2300 | wmic.exe
  Token: SeIncreaseQuotaPrivilege       | 2300 | wmic.exe
  Token: SeSecurityPrivilege            | 2300 | wmic.exe
  Token: SeTakeOwnershipPrivilege       | 2300 | wmic.exe
  Token: SeLoadDriverPrivilege          | 2300 | wmic.exe
  Token: SeSystemtimePrivilege          | 2300 | wmic.exe
  Token: SeBackupPrivilege              | 2300 | wmic.exe
  Token: SeRestorePrivilege             | 2300 | wmic.exe
  Token: SeShutdownPrivilege            | 2300 | wmic.exe
  Token: SeSystemEnvironmentPrivilege   | 2300 | wmic.exe
  Token: SeUndockPrivilege              | 2300 | wmic.exe
  Token: SeManageVolumePrivilege        | 2300 | wmic.exe
  Token: SeAssignPrimaryTokenPrivilege  | 2300 | wmic.exe
  Token: SeIncreaseQuotaPrivilege       | 2300 | wmic.exe
  Token: SeSecurityPrivilege            | 2300 | wmic.exe
  Token: SeTakeOwnershipPrivilege       | 2300 | wmic.exe
  Token: SeLoadDriverPrivilege          | 2300 | wmic.exe
  Token: SeSystemtimePrivilege          | 2300 | wmic.exe
  Token: SeBackupPrivilege              | 2300 | wmic.exe
  Token: SeRestorePrivilege             | 2300 | wmic.exe
  Token: SeShutdownPrivilege            | 2300 | wmic.exe
  Token: SeSystemEnvironmentPrivilege   | 2300 | wmic.exe
  Token: SeUndockPrivilege              | 2300 | wmic.exe
  Token: SeManageVolumePrivilege        | 2300 | wmic.exe
Suspicious use of WriteProcessMemory (24 IoCs)
Processes:
  description                      | pid  | process   | target process
  PID 728 wrote to memory of 504   | 728  | _J812.exe | cmd.exe
  PID 728 wrote to memory of 504   | 728  | _J812.exe | cmd.exe
  PID 728 wrote to memory of 504   | 728  | _J812.exe | cmd.exe
  PID 504 wrote to memory of 3572  | 504  | cmd.exe   | PING.EXE
  PID 504 wrote to memory of 3572  | 504  | cmd.exe   | PING.EXE
  PID 504 wrote to memory of 3572  | 504  | cmd.exe   | PING.EXE
  PID 3232 wrote to memory of 2300 | 3232 | J812.exe  | wmic.exe
  PID 3232 wrote to memory of 2300 | 3232 | J812.exe  | wmic.exe
  PID 3232 wrote to memory of 2300 | 3232 | J812.exe  | wmic.exe
  PID 3232 wrote to memory of 896  | 3232 | J812.exe  | ~J812.exe
  PID 3232 wrote to memory of 896  | 3232 | J812.exe  | ~J812.exe
  PID 3232 wrote to memory of 896  | 3232 | J812.exe  | ~J812.exe
  PID 3232 wrote to memory of 4012 | 3232 | J812.exe  | cmd.exe
  PID 3232 wrote to memory of 4012 | 3232 | J812.exe  | cmd.exe
  PID 3232 wrote to memory of 4012 | 3232 | J812.exe  | cmd.exe
  PID 4012 wrote to memory of 3740 | 4012 | cmd.exe   | PING.EXE
  PID 4012 wrote to memory of 3740 | 4012 | cmd.exe   | PING.EXE
  PID 4012 wrote to memory of 3740 | 4012 | cmd.exe   | PING.EXE
  PID 896 wrote to memory of 3144  | 896  | ~J812.exe | cmd.exe
  PID 896 wrote to memory of 3144  | 896  | ~J812.exe | cmd.exe
  PID 896 wrote to memory of 3144  | 896  | ~J812.exe | cmd.exe
  PID 3144 wrote to memory of 904  | 3144 | cmd.exe   | PING.EXE
  PID 3144 wrote to memory of 904  | 3144 | cmd.exe   | PING.EXE
  PID 3144 wrote to memory of 904  | 3144 | cmd.exe   | PING.EXE
Processes
(indentation shows the process tree; the number is the tree depth)

1. C:\Users\Admin\AppData\Local\Temp\_J812.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\_J812.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping -n 3 127.1 >nul & del /q C:\Users\Admin\AppData\Local\Temp\_J812.exe
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping -n 3 127.1
         - Runs ping.exe

1. C:\Users\Admin\AppData\Local\Temp\J812.exe
   Command line: C:\Users\Admin\AppData\Local\Temp\J812.exe
   - Executes dropped EXE
   - Writes to the Master Boot Record (MBR)
   - Drops file in System32 directory
   - Modifies data under HKEY_USERS
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\Wbem\wmic.exe
      Command line: wmic BaseBoard get SerialNumber
      - Modifies data under HKEY_USERS
      - Suspicious use of AdjustPrivilegeToken
   2. C:\Users\Admin\AppData\Local\Temp\~J812.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\~J812.exe"
      - Executes dropped EXE
      - Modifies data under HKEY_USERS
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: "C:\Windows\System32\cmd.exe" /c ping -n 3 127.1 >nul & del /q C:\Users\Admin\AppData\Local\Temp\~J812.exe
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\PING.EXE
            Command line: ping -n 3 127.1
            - Runs ping.exe
   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c ping -n 3 127.1 >nul & del /q C:\Users\Admin\AppData\Local\Temp\J812.exe
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping -n 3 127.1
         - Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\J812.exe
  MD5: 1474bd3eda2e087560754241a0b92991
  SHA1: e1e66d856800dbb5ef5bf9c8e937b6514b9f02d7
  SHA256: c83e6b96ee3aa1a580157547eae88d112d2202d710218f2ed496f7fe3d861abc
  SHA512: ca2cbc155cef666c46e6e4c07cc2e9a61bd15cef8f8f1902d06c6178a1968487fc2ad78e018621a09836755c524215aa9fcb6e62d52b210deec10162edcc9b7f
- C:\Users\Admin\AppData\Local\Temp\~J812.exe
  MD5: 1474bd3eda2e087560754241a0b92991
  SHA1: e1e66d856800dbb5ef5bf9c8e937b6514b9f02d7
  SHA256: c83e6b96ee3aa1a580157547eae88d112d2202d710218f2ed496f7fe3d861abc
  SHA512: ca2cbc155cef666c46e6e4c07cc2e9a61bd15cef8f8f1902d06c6178a1968487fc2ad78e018621a09836755c524215aa9fcb6e62d52b210deec10162edcc9b7f
- memory/504-4-0x0000000000000000-mapping.dmp
- memory/896-7-0x0000000000000000-mapping.dmp
- memory/904-13-0x0000000000000000-mapping.dmp
- memory/2300-6-0x0000000000000000-mapping.dmp
- memory/3144-12-0x0000000000000000-mapping.dmp
- memory/3572-5-0x0000000000000000-mapping.dmp
- memory/3740-11-0x0000000000000000-mapping.dmp
- memory/4012-10-0x0000000000000000-mapping.dmp