Analysis
max time kernel: 122s
max time network: 123s
platform: windows7_x64
resource: win7v20210410
submitted: 28-04-2021 21:17
Static task: static1
Behavioral task: behavioral1
Sample: 2876db1b_by_Libranalysis.exe
Resource: win7v20210410
General
Target: 2876db1b_by_Libranalysis.exe
Size: 91KB
MD5: 2876db1b03b557351668cd577bf09c52
SHA1: 39dea8fbb9eeb2d5e6de5af3eda87f33a857dc12
SHA256: dbeae60f2dbf75d9340775ee02002e0400bc646f9d35dc41bdef73be4da82ac5
SHA512: 398ca451179d3800a654108bc3c9556dc5bee649fdcd2ec73133ca822c46a02c676f65f7d2cd8e4625121558bf4d68b851d5c8e723c527ed89fe0207ed490e39
Malware Config (extracted)
Family: systembc
185.33.84.190:4124
45.79.237.92:4124
Signatures
Executes dropped EXE 4 IoCs
Processes:
pid   process
1932  jewjv.exe
572   jewjv.exe
1160  jewjv.exe
1468  jewjv.exe
Loads dropped DLL 3 IoCs
Processes:
pid   process
2000  2876db1b_by_Libranalysis.exe
1932  jewjv.exe
1160  jewjv.exe
Drops file in System32 directory 4 IoCs
Processes:
description                   ioc                                                                                                  process
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu               jewjv.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini   jewjv.exe
File created                  C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\147201902                                  jewjv.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\147201902                                  jewjv.exe
Suspicious use of SetThreadContext 3 IoCs
Processes:
description                           pid   process                       target process
PID 2000 set thread context of 1080   2000  2876db1b_by_Libranalysis.exe  2876db1b_by_Libranalysis.exe
PID 1932 set thread context of 572    1932  jewjv.exe                     jewjv.exe
PID 1160 set thread context of 1468   1160  jewjv.exe                     jewjv.exe
Drops file in Windows directory 2 IoCs
Processes:
description                   ioc                           process
File created                  C:\Windows\Tasks\jewjv.job    2876db1b_by_Libranalysis.exe
File opened for modification  C:\Windows\Tasks\jewjv.job    2876db1b_by_Libranalysis.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
NSIS installer 10 IoCs
Processes:
resource                        yara_rule
C:\ProgramData\ihlpmj\jewjv.exe  nsis_installer_1
C:\ProgramData\ihlpmj\jewjv.exe  nsis_installer_2
C:\ProgramData\ihlpmj\jewjv.exe  nsis_installer_1
C:\ProgramData\ihlpmj\jewjv.exe  nsis_installer_2
C:\ProgramData\ihlpmj\jewjv.exe  nsis_installer_1
C:\ProgramData\ihlpmj\jewjv.exe  nsis_installer_2
C:\ProgramData\ihlpmj\jewjv.exe  nsis_installer_1
C:\ProgramData\ihlpmj\jewjv.exe  nsis_installer_2
C:\ProgramData\ihlpmj\jewjv.exe  nsis_installer_1
C:\ProgramData\ihlpmj\jewjv.exe  nsis_installer_2
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
pid   process
1080  2876db1b_by_Libranalysis.exe
Suspicious behavior: MapViewOfSection 3 IoCs
Processes:
pid   process
2000  2876db1b_by_Libranalysis.exe
1932  jewjv.exe
1160  jewjv.exe
Suspicious use of WriteProcessMemory 23 IoCs
Processes:
description                        pid   process                       target process
PID 2000 wrote to memory of 1080   2000  2876db1b_by_Libranalysis.exe  2876db1b_by_Libranalysis.exe
PID 2000 wrote to memory of 1080   2000  2876db1b_by_Libranalysis.exe  2876db1b_by_Libranalysis.exe
PID 2000 wrote to memory of 1080   2000  2876db1b_by_Libranalysis.exe  2876db1b_by_Libranalysis.exe
PID 2000 wrote to memory of 1080   2000  2876db1b_by_Libranalysis.exe  2876db1b_by_Libranalysis.exe
PID 2000 wrote to memory of 1080   2000  2876db1b_by_Libranalysis.exe  2876db1b_by_Libranalysis.exe
PID 1780 wrote to memory of 1932   1780  taskeng.exe                   jewjv.exe
PID 1780 wrote to memory of 1932   1780  taskeng.exe                   jewjv.exe
PID 1780 wrote to memory of 1932   1780  taskeng.exe                   jewjv.exe
PID 1780 wrote to memory of 1932   1780  taskeng.exe                   jewjv.exe
PID 1932 wrote to memory of 572    1932  jewjv.exe                     jewjv.exe
PID 1932 wrote to memory of 572    1932  jewjv.exe                     jewjv.exe
PID 1932 wrote to memory of 572    1932  jewjv.exe                     jewjv.exe
PID 1932 wrote to memory of 572    1932  jewjv.exe                     jewjv.exe
PID 1932 wrote to memory of 572    1932  jewjv.exe                     jewjv.exe
PID 1780 wrote to memory of 1160   1780  taskeng.exe                   jewjv.exe
PID 1780 wrote to memory of 1160   1780  taskeng.exe                   jewjv.exe
PID 1780 wrote to memory of 1160   1780  taskeng.exe                   jewjv.exe
PID 1780 wrote to memory of 1160   1780  taskeng.exe                   jewjv.exe
PID 1160 wrote to memory of 1468   1160  jewjv.exe                     jewjv.exe
PID 1160 wrote to memory of 1468   1160  jewjv.exe                     jewjv.exe
PID 1160 wrote to memory of 1468   1160  jewjv.exe                     jewjv.exe
PID 1160 wrote to memory of 1468   1160  jewjv.exe                     jewjv.exe
PID 1160 wrote to memory of 1468   1160  jewjv.exe                     jewjv.exe
Processes
C:\Users\Admin\AppData\Local\Temp\2876db1b_by_Libranalysis.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2876db1b_by_Libranalysis.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID: 2000
  C:\Users\Admin\AppData\Local\Temp\2876db1b_by_Libranalysis.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2876db1b_by_Libranalysis.exe"
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    PID: 1080
C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {8B3F59F3-A4CD-4B47-AD7A-CF982D313E7A} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  PID: 1780
  C:\ProgramData\ihlpmj\jewjv.exe
    Command line: C:\ProgramData\ihlpmj\jewjv.exe start
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID: 1932
    C:\ProgramData\ihlpmj\jewjv.exe
      Command line: C:\ProgramData\ihlpmj\jewjv.exe start
      - Executes dropped EXE
      PID: 572
  C:\ProgramData\ihlpmj\jewjv.exe
    Command line: C:\ProgramData\ihlpmj\jewjv.exe start
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID: 1160
    C:\ProgramData\ihlpmj\jewjv.exe
      Command line: C:\ProgramData\ihlpmj\jewjv.exe start
      - Executes dropped EXE
      PID: 1468
Network
MITRE ATT&CK Enterprise v6
Downloads
MD5: 2876db1b03b557351668cd577bf09c52
SHA1: 39dea8fbb9eeb2d5e6de5af3eda87f33a857dc12
SHA256: dbeae60f2dbf75d9340775ee02002e0400bc646f9d35dc41bdef73be4da82ac5
SHA512: 398ca451179d3800a654108bc3c9556dc5bee649fdcd2ec73133ca822c46a02c676f65f7d2cd8e4625121558bf4d68b851d5c8e723c527ed89fe0207ed490e39
MD5: 8e51f75f1b5717edc90d925f866c7688
SHA1: 0825984a36dae7647e6050c1368b61aa77606817
SHA256: 8e39a3a07028b4325599b15a4f6e9a4fd4ff2aacdcd949ead03ce1752fbc669e
SHA512: 0c61424127ffe81aa68dacc612198fd21dba2885075e7697d5211571e1630df08d738fa63faf9b75bffaad0fb15429af9a9088dd80fec2e699c71b0472bbce84

MD5: fccff8cb7a1067e23fd2e2b63971a8e1
SHA1: 30e2a9e137c1223a78a0f7b0bf96a1c361976d91
SHA256: 6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
SHA512: f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c