704c5fbb5766bca421e96cbfe0b4670a05fb2f09680983c2a681d45354d1421f

Analysis

max time kernel
136s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
10/03/2022, 01:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

704c5fbb5766bca421e96cbfe0b4670a05fb2f09680983c2a681d45354d1421f.exe
Size

1.8MB
MD5

66a22d6297647aa45056ce1410befd39
SHA1

05d13a6b47f13fa9e49e9bc95291562afa46c2a6
SHA256

704c5fbb5766bca421e96cbfe0b4670a05fb2f09680983c2a681d45354d1421f
SHA512

212efaa509f2e70c68236ce6a484ec43e804cdda902fc33c70b3e872061c56d2620c0ab164b74157c1d8cfe06a8fe0a89e67d5b84a48265329d08a9f524efda1

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
868	JLEGIO~1.EXE
2096	UtilitesFree.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	JLEGIO~1.EXE

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	704c5fbb5766bca421e96cbfe0b4670a05fb2f09680983c2a681d45354d1421f.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	704c5fbb5766bca421e96cbfe0b4670a05fb2f09680983c2a681d45354d1421f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: 33	868	JLEGIO~1.EXE
Token: SeIncBasePriorityPrivilege	868	JLEGIO~1.EXE
Token: SeDebugPrivilege	2096	UtilitesFree.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 5116 wrote to memory of 868	5116	704c5fbb5766bca421e96cbfe0b4670a05fb2f09680983c2a681d45354d1421f.exe	79
PID 5116 wrote to memory of 868	5116	704c5fbb5766bca421e96cbfe0b4670a05fb2f09680983c2a681d45354d1421f.exe	79
PID 5116 wrote to memory of 868	5116	704c5fbb5766bca421e96cbfe0b4670a05fb2f09680983c2a681d45354d1421f.exe	79
PID 868 wrote to memory of 2096	868	JLEGIO~1.EXE	80
PID 868 wrote to memory of 2096	868	JLEGIO~1.EXE	80
PID 868 wrote to memory of 2096	868	JLEGIO~1.EXE	80
PID 868 wrote to memory of 2096	868	JLEGIO~1.EXE	80
PID 868 wrote to memory of 2096	868	JLEGIO~1.EXE	80
PID 868 wrote to memory of 2096	868	JLEGIO~1.EXE	80
PID 868 wrote to memory of 2096	868	JLEGIO~1.EXE	80

C:\Users\Admin\AppData\Local\Temp\704c5fbb5766bca421e96cbfe0b4670a05fb2f09680983c2a681d45354d1421f.exe
"C:\Users\Admin\AppData\Local\Temp\704c5fbb5766bca421e96cbfe0b4670a05fb2f09680983c2a681d45354d1421f.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5116
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\JLEGIO~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\JLEGIO~1.EXE
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:868
- - C:\Users\Admin\AppData\Local\Spoon\Sandbox\UtilitesFree by JLeGioH\1.0.0.1\local\stubexe\0xAD1D2C5578541929\UtilitesFree.exe
    "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UtilitesFree.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2096

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/868-157-0x00000000778E0000-0x0000000077A83000-memory.dmp

Filesize
1.6MB

Download
memory/868-156-0x00000000778E0000-0x0000000077A83000-memory.dmp

Filesize
1.6MB

Download
memory/868-137-0x00000000778E0000-0x0000000077A83000-memory.dmp

Filesize
1.6MB

Download
memory/868-138-0x00000000778E0000-0x0000000077A83000-memory.dmp

Filesize
1.6MB

Download
memory/868-139-0x00000000778E0000-0x0000000077A83000-memory.dmp

Filesize
1.6MB

Download
memory/868-140-0x00000000778E0000-0x0000000077A83000-memory.dmp

Filesize
1.6MB

Download
memory/868-142-0x00000000778E0000-0x0000000077A83000-memory.dmp

Filesize
1.6MB

Download
memory/868-141-0x00000000778E0000-0x0000000077A83000-memory.dmp

Filesize
1.6MB

Download
memory/868-143-0x00000000778E0000-0x0000000077A83000-memory.dmp

Filesize
1.6MB

Download
memory/868-144-0x00000000778E0000-0x0000000077A83000-memory.dmp

Filesize
1.6MB

Download
memory/868-145-0x00000000778E0000-0x0000000077A83000-memory.dmp

Filesize
1.6MB

Download
memory/868-146-0x00000000778E0000-0x0000000077A83000-memory.dmp

Filesize
1.6MB

Download
memory/868-147-0x00000000778E0000-0x0000000077A83000-memory.dmp

Filesize
1.6MB

Download
memory/868-148-0x00000000778E0000-0x0000000077A83000-memory.dmp

Filesize
1.6MB

Download
memory/868-149-0x00000000778E0000-0x0000000077A83000-memory.dmp

Filesize
1.6MB

Download
memory/868-151-0x00000000778E0000-0x0000000077A83000-memory.dmp

Filesize
1.6MB

Download
memory/868-150-0x00000000778E0000-0x0000000077A83000-memory.dmp

Filesize
1.6MB

Download
memory/868-152-0x00000000778E0000-0x0000000077A83000-memory.dmp

Filesize
1.6MB

Download
memory/868-153-0x00000000778E0000-0x0000000077A83000-memory.dmp

Filesize
1.6MB

Download
memory/868-154-0x00000000778E0000-0x0000000077A83000-memory.dmp

Filesize
1.6MB

Download
memory/868-155-0x00000000778E0000-0x0000000077A83000-memory.dmp

Filesize
1.6MB

Download
memory/868-175-0x0000000000790000-0x0000000000791000-memory.dmp

Filesize
4KB

Download
memory/868-135-0x00000000778E0000-0x0000000077A83000-memory.dmp

Filesize
1.6MB

Download
memory/868-134-0x00000000778E0000-0x0000000077A83000-memory.dmp

Filesize
1.6MB

Download
memory/868-159-0x00000000778E0000-0x0000000077A83000-memory.dmp

Filesize
1.6MB

Download
memory/868-174-0x00000000778E0000-0x0000000077A83000-memory.dmp

Filesize
1.6MB

Download
memory/868-136-0x00000000778E0000-0x0000000077A83000-memory.dmp

Filesize
1.6MB

Download
memory/868-170-0x00000000571A0000-0x00000000571A1000-memory.dmp

Filesize
4KB

Download
memory/868-132-0x0000000000590000-0x000000000064A000-memory.dmp

Filesize
744KB

Download
memory/868-133-0x00000000571D0000-0x00000000571D1000-memory.dmp

Filesize
4KB

Download
memory/2096-182-0x00000000706C0000-0x0000000070ED8000-memory.dmp

Filesize
8.1MB

Download
memory/2096-173-0x00000000778E0000-0x0000000077A83000-memory.dmp

Filesize
1.6MB

Download
memory/2096-169-0x00000000778E0000-0x0000000077A83000-memory.dmp

Filesize
1.6MB

Download
memory/2096-161-0x00000000005A0000-0x000000000065A000-memory.dmp

Filesize
744KB

Download
memory/2096-164-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2096-166-0x00000000736F0000-0x0000000073742000-memory.dmp

Filesize
328KB

Download
memory/2096-171-0x00000000778E0000-0x0000000077A83000-memory.dmp

Filesize
1.6MB

Download
memory/2096-178-0x0000000072EB0000-0x0000000073660000-memory.dmp

Filesize
7.7MB

Download
memory/2096-180-0x0000000070EE0000-0x0000000071937000-memory.dmp

Filesize
10.3MB

Download
memory/2096-167-0x00000000778E0000-0x0000000077A83000-memory.dmp

Filesize
1.6MB

Download
memory/2096-168-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2096-163-0x0000000000400000-0x0000000000494000-memory.dmp

Filesize
592KB

Download
memory/2096-172-0x00000000778E0000-0x0000000077A83000-memory.dmp

Filesize
1.6MB

Download
memory/2096-177-0x00000000719D0000-0x0000000072DDE000-memory.dmp

Filesize
20.1MB

Download
memory/2096-179-0x0000000004B90000-0x0000000005134000-memory.dmp

Filesize
5.6MB

Download
memory/2096-176-0x0000000000770000-0x0000000000771000-memory.dmp

Filesize
4KB

Download
memory/2096-181-0x0000000005140000-0x00000000051D2000-memory.dmp

Filesize
584KB

Download
memory/2096-165-0x00000000778E0000-0x0000000077A83000-memory.dmp

Filesize
1.6MB

Download
memory/2096-183-0x00000000705B0000-0x00000000706B5000-memory.dmp

Filesize
1.0MB

Download
memory/2096-184-0x000000006FE30000-0x00000000705A4000-memory.dmp

Filesize
7.5MB

Download
memory/2096-185-0x0000000005230000-0x000000000523A000-memory.dmp

Filesize
40KB

Download
memory/2096-186-0x00000000053D0000-0x00000000053D1000-memory.dmp

Filesize
4KB

Download
memory/2096-187-0x00000000053D3000-0x00000000053D5000-memory.dmp

Filesize
8KB

Download