Overview
overview
10Static
static
Jack Move.exe
windows7_x64
1Jack Move.exe
windows10-2004_x64
7freebl3.dll
windows7_x64
1freebl3.dll
windows10-2004_x64
4mozglue.dll
windows7_x64
3mozglue.dll
windows10-2004_x64
10msvcp140.dll
windows7_x64
3msvcp140.dll
windows10-2004_x64
10nss3.dll
windows7_x64
1nss3.dll
windows10-2004_x64
10softokn3.dll
windows7_x64
3softokn3.dll
windows10-2004_x64
10sqlite3.dll
windows7_x64
3sqlite3.dll
windows10-2004_x64
10vcruntime140.dll
windows7_x64
1vcruntime140.dll
windows10-2004_x64
10Analysis
-
max time kernel
133s -
max time network
206s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220113 -
submitted
19-02-2022 07:40
Static task
static1
Behavioral task
behavioral1
Sample
Jack Move.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
Jack Move.exe
Resource
win10v2004-en-20220113
Behavioral task
behavioral3
Sample
freebl3.dll
Resource
win7-en-20211208
Behavioral task
behavioral4
Sample
freebl3.dll
Resource
win10v2004-en-20220113
Behavioral task
behavioral5
Sample
mozglue.dll
Resource
win7-en-20211208
Behavioral task
behavioral6
Sample
mozglue.dll
Resource
win10v2004-en-20220112
Behavioral task
behavioral7
Sample
msvcp140.dll
Resource
win7-en-20211208
Behavioral task
behavioral8
Sample
msvcp140.dll
Resource
win10v2004-en-20220112
Behavioral task
behavioral9
Sample
nss3.dll
Resource
win7-en-20211208
Behavioral task
behavioral10
Sample
nss3.dll
Resource
win10v2004-en-20220113
Behavioral task
behavioral11
Sample
softokn3.dll
Resource
win7-en-20211208
Behavioral task
behavioral12
Sample
softokn3.dll
Resource
win10v2004-en-20220113
Behavioral task
behavioral13
Sample
sqlite3.dll
Resource
win7-en-20211208
Behavioral task
behavioral14
Sample
sqlite3.dll
Resource
win10v2004-en-20220113
Behavioral task
behavioral15
Sample
vcruntime140.dll
Resource
win7-en-20211208
Behavioral task
behavioral16
Sample
vcruntime140.dll
Resource
win10v2004-en-20220112
General
-
Target
freebl3.dll
-
Size
326KB
-
MD5
ef2834ac4ee7d6724f255beaf527e635
-
SHA1
5be8c1e73a21b49f353c2ecfa4108e43a883cb7b
-
SHA256
a770ecba3b08bbabd0a567fc978e50615f8b346709f8eb3cfacf3faab24090ba
-
SHA512
c6ea0e4347cbd7ef5e80ae8c0afdca20ea23ac2bdd963361dfaf562a9aed58dcbc43f89dd826692a064d76c3f4b3e92361af7b79a6d16a75d9951591ae3544d2
Malware Config
Signatures
-
Drops file in Windows directory 6 IoCs
Processes:
svchost.exedescription ioc process File opened for modification C:\Windows\WindowsUpdate.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.edb svchost.exe File opened for modification C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm svchost.exe File opened for modification C:\Windows\SoftwareDistribution\ReportingEvents.log svchost.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
svchost.exedescription pid process Token: SeShutdownPrivilege 2364 svchost.exe Token: SeCreatePagefilePrivilege 2364 svchost.exe Token: SeShutdownPrivilege 2364 svchost.exe Token: SeCreatePagefilePrivilege 2364 svchost.exe Token: SeShutdownPrivilege 2364 svchost.exe Token: SeCreatePagefilePrivilege 2364 svchost.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
rundll32.exedescription pid process target process PID 4596 wrote to memory of 4880 4596 rundll32.exe rundll32.exe PID 4596 wrote to memory of 4880 4596 rundll32.exe rundll32.exe PID 4596 wrote to memory of 4880 4596 rundll32.exe rundll32.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\freebl3.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\freebl3.dll,#12⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken