Analysis
- max time kernel: 150s
- max time network: 180s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 10/05/2022, 05:40
Static task: static1
Behavioral task: behavioral1
- Sample: Cjryjsra.exe
- Resource: win7-20220414-en
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: Cjryjsra.exe
- Resource: win10v2004-20220414-en
- 0 signatures, 0 seconds
General
- Target: Cjryjsra.exe
- Size: 3.2MB
- MD5: 04b92d276e5e29aaef5069087a1d25d3
- SHA1: b3c133b9a56767f934b0bac585c7e6f7dcb92d9a
- SHA256: fc31934152ea6e5d60c4ee949140d28b2cfe30764451f0c6d62ee2945490656d
- SHA512: c70b4f7ef2ae8c9533d6b464f367d15e38e03df080f06b024134ee7f3f566d6dc209aec205f796bac7acd0bcee629eb676c80695b35cbff4c229faf4295afb83
- Score: 10/10
Malware Config
Extracted
- Family: bitrat
- Version: 1.38
- C2: 212.193.30.54:3680
- Attributes:
  - communication_password: 46821e93230f353d5c46240b0462a0fe
  - tor_process: tor
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dqpbp = "\"C:\\Users\\Admin\\AppData\\Roaming\\Vaqdsknoc\\Dqpbp.exe\""
  Process: Cjryjsra.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
  pid: 1956, Process: InstallUtil.exe (4 entries)
- Suspicious use of SetThreadContext (1 IoC)
  description: PID 1840 set thread context of 1956
  pid: 1840, Process: Cjryjsra.exe, procid_target: 31
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Delays execution with timeout.exe (1 IoC)
  pid: 1172, Process: timeout.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid: 1840, Process: Cjryjsra.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description: Token: SeDebugPrivilege, pid: 1840, Process: Cjryjsra.exe
  description: Token: SeDebugPrivilege, pid: 1956, Process: InstallUtil.exe
  description: Token: SeShutdownPrivilege, pid: 1956, Process: InstallUtil.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid: 1956, Process: InstallUtil.exe (2 entries)
- Suspicious use of WriteProcessMemory (23 IoCs)
  description: PID 1840 wrote to memory of 1208, pid: 1840, Process: Cjryjsra.exe, procid_target: 28 (4 entries)
  description: PID 1208 wrote to memory of 1172, pid: 1208, Process: cmd.exe, procid_target: 30 (4 entries)
  description: PID 1840 wrote to memory of 1956, pid: 1840, Process: Cjryjsra.exe, procid_target: 31 (15 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\Cjryjsra.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Cjryjsra.exe"
  PID: 1840
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c timeout 36
    PID: 1208
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe
      Command line: timeout 36
      PID: 1172
      - Delays execution with timeout.exe
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    PID: 1956
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx