Analysis
- max time kernel: 153s
- max time network: 182s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 10/05/2022, 05:40
Static task: static1

Behavioral task: behavioral1
- Sample: Cjryjsra.exe
- Resource: win7-20220414-en
- 0 signatures
- 0 seconds

Behavioral task: behavioral2
- Sample: Cjryjsra.exe
- Resource: win10v2004-20220414-en
- 0 signatures
- 0 seconds
General
- Target: Cjryjsra.exe
- Size: 3.2MB
- MD5: 04b92d276e5e29aaef5069087a1d25d3
- SHA1: b3c133b9a56767f934b0bac585c7e6f7dcb92d9a
- SHA256: fc31934152ea6e5d60c4ee949140d28b2cfe30764451f0c6d62ee2945490656d
- SHA512: c70b4f7ef2ae8c9533d6b464f367d15e38e03df080f06b024134ee7f3f566d6dc209aec205f796bac7acd0bcee629eb676c80695b35cbff4c229faf4295afb83
- Score: 10/10
Malware Config
Extracted
- Family: bitrat
- Version: 1.38
- C2: 212.193.30.54:3680
- Attributes:
  - communication_password: 46821e93230f353d5c46240b0462a0fe
  - tor_process: tor
Signatures
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation | Cjryjsra.exe
- Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dqpbp = "\"C:\\Users\\Admin\\AppData\\Roaming\\Vaqdsknoc\\Dqpbp.exe\"" | Cjryjsra.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
  pid | Process
  608 | InstallUtil.exe
  608 | InstallUtil.exe
  608 | InstallUtil.exe
  608 | InstallUtil.exe
- Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 4356 set thread context of 608 | 4356 | Cjryjsra.exe | 95
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Delays execution with timeout.exe (1 IoCs)
  pid | Process
  3516 | timeout.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid | Process
  4356 | Cjryjsra.exe
  4356 | Cjryjsra.exe
  4356 | Cjryjsra.exe
  4356 | Cjryjsra.exe
  4356 | Cjryjsra.exe
  4356 | Cjryjsra.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 4356 | Cjryjsra.exe
  Token: SeShutdownPrivilege | 608 | InstallUtil.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  608 | InstallUtil.exe
  608 | InstallUtil.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  description | pid | Process | procid_target
  PID 4356 wrote to memory of 1920 | 4356 | Cjryjsra.exe | 86
  PID 4356 wrote to memory of 1920 | 4356 | Cjryjsra.exe | 86
  PID 4356 wrote to memory of 1920 | 4356 | Cjryjsra.exe | 86
  PID 1920 wrote to memory of 3516 | 1920 | cmd.exe | 88
  PID 1920 wrote to memory of 3516 | 1920 | cmd.exe | 88
  PID 1920 wrote to memory of 3516 | 1920 | cmd.exe | 88
  PID 4356 wrote to memory of 376 | 4356 | Cjryjsra.exe | 94
  PID 4356 wrote to memory of 376 | 4356 | Cjryjsra.exe | 94
  PID 4356 wrote to memory of 376 | 4356 | Cjryjsra.exe | 94
  PID 4356 wrote to memory of 608 | 4356 | Cjryjsra.exe | 95
  PID 4356 wrote to memory of 608 | 4356 | Cjryjsra.exe | 95
  PID 4356 wrote to memory of 608 | 4356 | Cjryjsra.exe | 95
  PID 4356 wrote to memory of 608 | 4356 | Cjryjsra.exe | 95
  PID 4356 wrote to memory of 608 | 4356 | Cjryjsra.exe | 95
  PID 4356 wrote to memory of 608 | 4356 | Cjryjsra.exe | 95
  PID 4356 wrote to memory of 608 | 4356 | Cjryjsra.exe | 95
  PID 4356 wrote to memory of 608 | 4356 | Cjryjsra.exe | 95
  PID 4356 wrote to memory of 608 | 4356 | Cjryjsra.exe | 95
  PID 4356 wrote to memory of 608 | 4356 | Cjryjsra.exe | 95
  PID 4356 wrote to memory of 608 | 4356 | Cjryjsra.exe | 95
Processes
- C:\Users\Admin\AppData\Local\Temp\Cjryjsra.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Cjryjsra.exe"
  PID: 4356
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c timeout 36
    PID: 1920
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\timeout.exe
      Command line: timeout 36
      PID: 3516
      - Delays execution with timeout.exe
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    PID: 376
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    PID: 608
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx