Analysis

max time kernel: 155s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-10-2022 17:36

Static task: static1
Behavioral task: behavioral1
Sample: 79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.exe
Resource: win7-20220812-en
General

Target: 79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.exe
Size: 4.6MB
MD5: fe1de0acb3aa75f88f61a784288a32d1
SHA1: d973f591f56c3d53aac4e2da4a3eede185c910d9
SHA256: 79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10
SHA512: 084770ea021d7d52b50228d1ca6277a9fb5880ae22378c297d24b4bccaca7919a207954350f3257485c010ec0c0cdc6e6548a2508bba1e090647465aa160cf7e
SSDEEP: 98304:8SiST7jl7LSogkhoBJ96U0K2nNY0UaVnPcMf:HlSorkKd5NYJ0cq
Signatures

Babadeda Crypter (1 IoC)
  Processes:
    resource: C:\Users\Admin\AppData\Roaming\PhantomJS WebKit\manual.pdf
    yara_rule: family_babadeda

Executes dropped EXE (3 IoCs)
  Processes:
    pid   process
    4872  79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp
    920   79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp
    2336  jskit.exe

Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation
    process: 79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp

    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation
    process: 79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp

Loads dropped DLL (1 IoC)
  Processes:
    pid   process
    2336  jskit.exe

HTTP links in PDF interactive object (1 IoC)
  Detects HTTP links in interactive objects within PDF files.
  Processes:
    resource: C:\Users\Admin\AppData\Roaming\PhantomJS WebKit\manual.pdf
    yara_rule: pdf_with_link_action

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes:
    description     ioc                                              process
    Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  jskit.exe
    Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  jskit.exe
    Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  jskit.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
    pid   process                                                                 entries
    920   79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp  2
    2336  jskit.exe                                                               2
    2408  (no process name recorded)                                              60

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    pid   process
    2408  (no process name recorded)

Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
    pid   process
    2336  jskit.exe

Suspicious use of FindShellTrayWindow (1 IoC)
  Processes:
    pid   process
    920   79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp

Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (each pair recorded 3 times):
    PID 1556 (79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.exe) wrote to memory of 4872 (79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp)
    PID 4872 (79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp) wrote to memory of 1300 (79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.exe)
    PID 1300 (79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.exe) wrote to memory of 920 (79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp)
    PID 920 (79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp) wrote to memory of 2336 (jskit.exe)
Processes

1. C:\Users\Admin\AppData\Local\Temp\79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.exe"
   - Suspicious use of WriteProcessMemory

  2. C:\Users\Admin\AppData\Local\Temp\is-L61MH.tmp\79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp
     Command line: "C:\Users\Admin\AppData\Local\Temp\is-L61MH.tmp\79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp" /SL5="$B0028,4018938,831488,C:\Users\Admin\AppData\Local\Temp\79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.exe"
     - Executes dropped EXE
     - Checks computer location settings
     - Suspicious use of WriteProcessMemory

    3. C:\Users\Admin\AppData\Local\Temp\79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.exe
       Command line: "C:\Users\Admin\AppData\Local\Temp\79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.exe" /VERYSILENT
       - Suspicious use of WriteProcessMemory

      4. C:\Users\Admin\AppData\Local\Temp\is-RIE78.tmp\79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp
         Command line: "C:\Users\Admin\AppData\Local\Temp\is-RIE78.tmp\79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp" /SL5="$C0028,4018938,831488,C:\Users\Admin\AppData\Local\Temp\79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.exe" /VERYSILENT
         - Executes dropped EXE
         - Checks computer location settings
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of FindShellTrayWindow
         - Suspicious use of WriteProcessMemory

        5. C:\Users\Admin\AppData\Roaming\PhantomJS WebKit\jskit.exe
           Command line: "C:\Users\Admin\AppData\Roaming\PhantomJS WebKit\jskit.exe"
           - Executes dropped EXE
           - Loads dropped DLL
           - Checks SCSI registry key(s)
           - Suspicious behavior: EnumeratesProcesses
           - Suspicious behavior: MapViewOfSection
Downloads

C:\Users\Admin\AppData\Local\Temp\is-L61MH.tmp\79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp
  Filesize: 3.0MB
  MD5: eb8e24c85edf254cf3f2c1344842b55f
  SHA1: 2da756889e7e93b4019bb91ff74cd06866a4ec86
  SHA256: e6bb9bb3fa48e9c1e7a74c010adf9e30ca6eb4906b0c31c8834102e7adfccc2d
  SHA512: e3fd05d7e827400a7b66f0545d184633bf776e7a71b95876c4c8d679fa0e74cf031ae23382ade91ff723414614f4346236c3cb767389f44b50283c51653bcb61

C:\Users\Admin\AppData\Local\Temp\is-RIE78.tmp\79ae89733257378139cf3bdce3a30802818ca1a12bb2343e0b9d0f51f8af1f10.tmp
  Filesize: 3.0MB
  MD5: eb8e24c85edf254cf3f2c1344842b55f
  SHA1: 2da756889e7e93b4019bb91ff74cd06866a4ec86
  SHA256: e6bb9bb3fa48e9c1e7a74c010adf9e30ca6eb4906b0c31c8834102e7adfccc2d
  SHA512: e3fd05d7e827400a7b66f0545d184633bf776e7a71b95876c4c8d679fa0e74cf031ae23382ade91ff723414614f4346236c3cb767389f44b50283c51653bcb61

C:\Users\Admin\AppData\Roaming\PhantomJS WebKit\jskit.exe
  Filesize: 3.6MB
  MD5: 81acde2ff13a5f79e0d172f3af07d7c0
  SHA1: a07ce9830d50d2c3d94e7df41de032b04fe641d2
  SHA256: c4d0998328ce86ce10e965abd0936aa0d920abbb78fbe6a4d1e4d8072f68ad2d
  SHA512: 9d81fa14b26f7d678b3cb1fc71b5724392f11ac399f98ad5f3d98f0caa909a6587c6b349ccc6b6eb325e8024e8fbbf642f92e0be50e626aa1495cb861c0c2bf0

C:\Users\Admin\AppData\Roaming\PhantomJS WebKit\libvorbisenc-2.dll
  Filesize: 3.1MB
  MD5: 958de7dd326bd45460ecb5082064df4c
  SHA1: 42e0da2a5c761641cfa2ff8d57ea21a3325f7606
  SHA256: f89d307fa7c880e72b2f3b5827d755943f1c7ad3a98683a22de721f1fce2e38c
  SHA512: dfe4d1a7c73a0ccfe505501bf7b41976616c3db61b8f44d0dda5537e1321fdc02ad9963c0e0e901020c91b6803782faf195ccdc687d9e4bd2be95c1afb78f894

C:\Users\Admin\AppData\Roaming\PhantomJS WebKit\manual.pdf
  Filesize: 274KB
  MD5: bb126fef59e31540e493af1999478323
  SHA1: 2ee5422524e09b45c0bd0d7764c83febfa0e6ee7
  SHA256: 9c082fbbd7aaddf6eff01b1cc890bd9ed1348cb59278529a25119dbdcc5c1d15
  SHA512: 501c8c0088cec24ae33d21ffe9fa876cf1cb0cfe0f0b4b59860a32639c210fbfaa5babf79bed10020da85a7dd10c0351cfe61fcf305d65d665b6bdd5c918d32f

Memory dumps

memory/920-141-0x0000000000000000-mapping.dmp
memory/1300-143-0x0000000000400000-0x00000000004D8000-memory.dmp  Filesize: 864KB
memory/1300-137-0x0000000000000000-mapping.dmp
memory/1300-150-0x0000000000400000-0x00000000004D8000-memory.dmp  Filesize: 864KB
memory/1300-138-0x0000000000400000-0x00000000004D8000-memory.dmp  Filesize: 864KB
memory/1556-136-0x0000000000400000-0x00000000004D8000-memory.dmp  Filesize: 864KB
memory/1556-132-0x0000000000400000-0x00000000004D8000-memory.dmp  Filesize: 864KB
memory/1556-140-0x0000000000400000-0x00000000004D8000-memory.dmp  Filesize: 864KB
memory/2336-144-0x0000000000000000-mapping.dmp
memory/2336-149-0x0000000000400000-0x00000000007DD000-memory.dmp  Filesize: 3.9MB
memory/2336-152-0x0000000000400000-0x00000000007DD000-memory.dmp  Filesize: 3.9MB
memory/4872-134-0x0000000000000000-mapping.dmp