Analysis

max time kernel: 35s
max time network: 55s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 19-02-2022 08:21

Static task: static1

Behavioral task: behavioral1
Sample: 0c51ca0477a2a23eede0757f49f07891c15fe977bde5f293d05ddbce43c9531e.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 0c51ca0477a2a23eede0757f49f07891c15fe977bde5f293d05ddbce43c9531e.exe
Resource: win10v2004-en-20220113
General

Target: 0c51ca0477a2a23eede0757f49f07891c15fe977bde5f293d05ddbce43c9531e.exe
Size: 386KB
MD5: 7bd387176c3b768d4c4c5522072f3753
SHA1: 0ec05c75a232a16babe9e7d77d1f9165afb1aac4
SHA256: 0c51ca0477a2a23eede0757f49f07891c15fe977bde5f293d05ddbce43c9531e
SHA512: dd9584273adbbbf9f6c8d951bb00b2930a89dd3db2cacdf8f24c7ce57b31e62469da62219c8fc0d3b366add12b3ca32b82a3e74e1463293b1159fd188da46024
Malware Config
Signatures

Executes dropped EXE (1 IoC)
Processes:
  pid | process
  2436 | lJBNe.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | 0c51ca0477a2a23eede0757f49f07891c15fe977bde5f293d05ddbce43c9531e.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation | lJBNe.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | reg.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos = "C:\\users\\Public\\lJBNe.exe" | reg.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid | process
  2436 | lJBNe.exe
  2436 | lJBNe.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 2436 | lJBNe.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description | pid | process | target process
  PID 1648 wrote to memory of 2436 | 1648 | 0c51ca0477a2a23eede0757f49f07891c15fe977bde5f293d05ddbce43c9531e.exe | lJBNe.exe
  PID 1648 wrote to memory of 2436 | 1648 | 0c51ca0477a2a23eede0757f49f07891c15fe977bde5f293d05ddbce43c9531e.exe | lJBNe.exe
  PID 2436 wrote to memory of 2584 | 2436 | lJBNe.exe | cmd.exe
  PID 2436 wrote to memory of 2584 | 2436 | lJBNe.exe | cmd.exe
  PID 2436 wrote to memory of 2360 | 2436 | lJBNe.exe | sihost.exe
  PID 2584 wrote to memory of 4824 | 2584 | cmd.exe | reg.exe
  PID 2584 wrote to memory of 4824 | 2584 | cmd.exe | reg.exe
  PID 2436 wrote to memory of 2408 | 2436 | lJBNe.exe | svchost.exe
  PID 2436 wrote to memory of 2688 | 2436 | lJBNe.exe | taskhostw.exe
Processes

C:\Windows\system32\taskhostw.exe
  Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  PID: 2688

C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  PID: 2408

C:\Windows\system32\sihost.exe
  Command line: sihost.exe
  PID: 2360

C:\Users\Admin\AppData\Local\Temp\0c51ca0477a2a23eede0757f49f07891c15fe977bde5f293d05ddbce43c9531e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0c51ca0477a2a23eede0757f49f07891c15fe977bde5f293d05ddbce43c9531e.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID: 1648

  C:\users\Public\lJBNe.exe
    Command line: "C:\users\Public\lJBNe.exe" C:\Users\Admin\AppData\Local\Temp\0c51ca0477a2a23eede0757f49f07891c15fe977bde5f293d05ddbce43c9531e.exe
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 2436

    C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /C REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\lJBNe.exe" /f
      - Suspicious use of WriteProcessMemory
      PID: 2584

      C:\Windows\system32\reg.exe
        Command line: REG ADD "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchos" /t REG_SZ /d "C:\users\Public\lJBNe.exe" /f
        - Adds Run key to start application
        PID: 4824
Network
MITRE ATT&CK Enterprise v6
Downloads

C:\Users\Public\lJBNe.exe
  MD5: 31bd0f224e7e74eee2847f43aae23974
  SHA1: 92e331e1e8ad30538f38dd7ba31386afafa14a58
  SHA256: 8b0a5fb13309623c3518473551cb1f55d38d8450129d4a3c16b476f7b2867d7d
  SHA512: a13f05a12b084ef425f542ff4be824bbccb5dbdfe085af8b7e19d81a6bcba4b8c1debcc38f6b57bc9265a4db21eed70852ece8cc62b3ef14c47fca3035a55249

C:\users\Public\lJBNe.exe
  MD5: 31bd0f224e7e74eee2847f43aae23974
  SHA1: 92e331e1e8ad30538f38dd7ba31386afafa14a58
  SHA256: 8b0a5fb13309623c3518473551cb1f55d38d8450129d4a3c16b476f7b2867d7d
  SHA512: a13f05a12b084ef425f542ff4be824bbccb5dbdfe085af8b7e19d81a6bcba4b8c1debcc38f6b57bc9265a4db21eed70852ece8cc62b3ef14c47fca3035a55249

memory/2360-132-0x00007FF79CD00000-0x00007FF79D08E000-memory.dmp
  Filesize: 3.6MB