2b9db0575a69f1e773d5dbf501329df921358d3a8291bcc90af4a580b8cf043a

Analysis

max time kernel
149s
max time network
172s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 14:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DOCS01739990010 jpg.exe
Size

183KB
MD5

ef415a7591025b4370cab76beab1c956
SHA1

2118bb041699b85e96a670295a8708fca4d3aac1
SHA256

e5f05ae22cc0c8f9cf133127dde3e0ba142865e5d0ea7913df7574244f22b384
SHA512

6ec70beaeb5d8e1d905a33a0388e743f847e2c41dbe5a160745c38a068d943c922b74f2168bf523280f01897eec8148990f6c9046e9581eacd38a275b50bbf6d
SSDEEP

3072:BhoYsBN8xo+Oioug/bzwPVPEC0+mFH2YAhx3rSuCh6FlJpwmwf7LdyGpVch1ZfSB:BLsBN8xoIWUPVPz0+mFHCx7Lesrwf7Lv

Score

7^/10

discovery

Malware Config

Signatures

Checks QEMU agent file 2 TTPs 2 IoCs

Checks presence of QEMU agent, possibly to detect virtualization.

Query Registry

T1012

System Information Discovery

T1082

Processes:

DOCS01739990010 jpg.execaspol.exe

description	ioc	process
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	DOCS01739990010 jpg.exe
File opened (read-only)	C:\Program Files\Qemu-ga\qemu-ga.exe	caspol.exe

Loads dropped DLL 1 IoCs

Processes:

DOCS01739990010 jpg.exe

pid process

4296 DOCS01739990010 jpg.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

DOCS01739990010 jpg.execaspol.exe

pid process

4296 DOCS01739990010 jpg.exe
3572 caspol.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

DOCS01739990010 jpg.exe

description pid process target process

PID 4296 set thread context of 3572 4296 DOCS01739990010 jpg.exe caspol.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

DOCS01739990010 jpg.exe

pid process

4296 DOCS01739990010 jpg.exe
4296 DOCS01739990010 jpg.exe

pid	process
4296	DOCS01739990010 jpg.exe

pid	process
4296	DOCS01739990010 jpg.exe
3572	caspol.exe

description	pid	process	target process
PID 4296 set thread context of 3572	4296	DOCS01739990010 jpg.exe	caspol.exe

pid	process
4296	DOCS01739990010 jpg.exe
4296	DOCS01739990010 jpg.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

DOCS01739990010 jpg.exe

description	pid	process	target process
PID 4296 wrote to memory of 3352	4296	DOCS01739990010 jpg.exe	caspol.exe
PID 4296 wrote to memory of 3352	4296	DOCS01739990010 jpg.exe	caspol.exe
PID 4296 wrote to memory of 3352	4296	DOCS01739990010 jpg.exe	caspol.exe
PID 4296 wrote to memory of 3572	4296	DOCS01739990010 jpg.exe	caspol.exe
PID 4296 wrote to memory of 3572	4296	DOCS01739990010 jpg.exe	caspol.exe
PID 4296 wrote to memory of 3572	4296	DOCS01739990010 jpg.exe	caspol.exe
PID 4296 wrote to memory of 3572	4296	DOCS01739990010 jpg.exe	caspol.exe

C:\Users\Admin\AppData\Local\Temp\DOCS01739990010 jpg.exe
"C:\Users\Admin\AppData\Local\Temp\DOCS01739990010 jpg.exe"
1⤵
- Checks QEMU agent file
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4296

C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe
"C:\Users\Admin\AppData\Local\Temp\DOCS01739990010 jpg.exe"
2⤵
PID:3352

C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe
"C:\Users\Admin\AppData\Local\Temp\DOCS01739990010 jpg.exe"
2⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
PID:3572

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsyD1AD.tmp\System.dll

Filesize
11KB

MD5
17ed1c86bd67e78ade4712be48a7d2bd

SHA1
1cc9fe86d6d6030b4dae45ecddce5907991c01a0

SHA256
bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb

SHA512
0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5

Download Submit
memory/3572-140-0x0000000000E00000-0x0000000000F00000-memory.dmp

Filesize
1024KB

Download
memory/3572-144-0x00000000773F0000-0x0000000077593000-memory.dmp

Filesize
1.6MB

Download
memory/3572-143-0x00007FFA8CAD0000-0x00007FFA8CCC5000-memory.dmp

Filesize
2.0MB

Download
memory/3572-142-0x00000000773F0000-0x0000000077593000-memory.dmp

Filesize
1.6MB

Download
memory/3572-137-0x0000000000000000-mapping.dmp

Download
memory/3572-141-0x00007FFA8CAD0000-0x00007FFA8CCC5000-memory.dmp

Filesize
2.0MB

Download
memory/3572-139-0x0000000000E00000-0x0000000000F00000-memory.dmp

Filesize
1024KB

Download
memory/4296-135-0x00007FFA8CAD0000-0x00007FFA8CCC5000-memory.dmp

Filesize
2.0MB

Download
memory/4296-138-0x00000000773F0000-0x0000000077593000-memory.dmp

Filesize
1.6MB

Download
memory/4296-136-0x00000000773F0000-0x0000000077593000-memory.dmp

Filesize
1.6MB

Download
memory/4296-134-0x0000000002CD0000-0x0000000002DAB000-memory.dmp

Filesize
876KB

Download
memory/4296-133-0x0000000002CD0000-0x0000000002DAB000-memory.dmp

Filesize
876KB

Download
memory/4296-145-0x00000000773F0000-0x0000000077593000-memory.dmp

Filesize
1.6MB

Download