Analysis
max time kernel
316s
max time network
373s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags
arch:x64 arch:x86 image:win10v2004-20221111-en locale:en-us os:windows10-2004-x64 system
submitted
29-11-2022 13:23
Static task
static1
Behavioral task
behavioral1
Sample
New PO-RJ-IN-003 - Knauf Queimados.exe
Resource
win7-20220901-en
General
-
Target
New PO-RJ-IN-003 - Knauf Queimados.exe
-
Size
396KB
-
MD5
244fc9610f75225aa3dc09958195beb1
-
SHA1
ef0d6103d27090fc9d25e3ef3de2e1b6d9670d9c
-
SHA256
05cdda3567b913d99627f8e41336404d5830816df65e1001d6b2ad05bd9ed18d
-
SHA512
5e37d34becf476a92c2b14917819c9f9366d99313e971554b4a94d4fe09e05a761355033b5bb59faf3d0a1e34621c31891ff4e5656a379aa581792a7ecc82f16
-
SSDEEP
6144:hBn7A5jMUCoQUg+p1vrgTr+H9I/LKUsBdVyXMLCMT5u9AG7Nmf:vrZ+1v0TSdcLKj0MLtlu9VNG
Malware Config
Extracted
formbook
m9ae
spirituallyzen.com
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
pid   process
3596  jaxdij.exe
1256  jaxdij.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation
process: jaxdij.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aekkvxebyca = "C:\\Users\\Admin\\AppData\\Roaming\\fqkyib\\rubthqnwyfue.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\jaxdij.exe\" C:\\Users\\Admin\\AppData\\Local"
process: jaxdij.exe
Suspicious use of SetThreadContext 4 IoCs
Processes:
description                             pid   process      target process
PID 3596 set thread context of 1256     3596  jaxdij.exe   jaxdij.exe
PID 1256 set thread context of 3052     1256  jaxdij.exe   Explorer.EXE (2 events)
PID 3132 set thread context of 3052     3132  netsh.exe    Explorer.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
pid   process
1256  jaxdij.exe (10 events)
3132  netsh.exe (4 events)
Suspicious behavior: MapViewOfSection 7 IoCs
Processes:
pid   process
3596  jaxdij.exe
1256  jaxdij.exe (4 events)
3132  netsh.exe (2 events)
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description              pid   process
Token: SeDebugPrivilege  1256  jaxdij.exe
Token: SeDebugPrivilege  3132  netsh.exe
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
description                        pid   process                                   target process
PID 3200 wrote to memory of 3596   3200  New PO-RJ-IN-003 - Knauf Queimados.exe    jaxdij.exe (3 events)
PID 3596 wrote to memory of 1256   3596  jaxdij.exe                                jaxdij.exe (4 events)
PID 3052 wrote to memory of 3132   3052  Explorer.EXE                              netsh.exe (3 events)
PID 3052 wrote to memory of 2020   3052  Explorer.EXE                              netsh.exe (3 events)
Processes
(process tree, indented by depth; each entry gives the image path, its command line, and the signatures it triggered)
C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\New PO-RJ-IN-003 - Knauf Queimados.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\New PO-RJ-IN-003 - Knauf Queimados.exe"
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\jaxdij.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\jaxdij.exe" C:\Users\Admin\AppData\Local\Temp\uqnwrddys.k
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\jaxdij.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\jaxdij.exe" C:\Users\Admin\AppData\Local\Temp\uqnwrddys.k
        - Executes dropped EXE
        - Checks computer location settings
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\netsh.exe
    command line: "C:\Windows\SysWOW64\netsh.exe"
  C:\Windows\SysWOW64\netsh.exe
    command line: "C:\Windows\SysWOW64\netsh.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\eojsm.wx
Filesize
185KB
MD5
8c5e7c152ed8f18a0b9de322e94a3ce2
SHA1
35c05fa705dc9e6c1998f53f248e0332bc4fb0e2
SHA256
b0950ec5415dcfc9bf3394770c2071fad57b1a02e28416e5e41c3b13266a720a
SHA512
0a42dac7f56cf6b765a52f230c3f1539940f0d507d8ce1c928d89d12bf675f3c41b7b9d9fa10a693ece96a281dbd8e83d481d310f5ca57812fb979df34a69ca2
-
C:\Users\Admin\AppData\Local\Temp\jaxdij.exe
Filesize
144KB
MD5
2dd6c8b13ae7d028b0047435ff0dcb8a
SHA1
d50bc8834758e1583aee729b6c148e4849967097
SHA256
01cb657e996e468706f5c733853419678b8294e7f12669c98db23c1f0d0efc7a
SHA512
b6438eafa008519cd2113fd113192f2f9f5f05ad5efbeb08542c800b7e3bd0e7d3dde83ebba8a2374e2df62fed6cc1248b41ce8cea41bee256da8a0b25fcaf2c
-
C:\Users\Admin\AppData\Local\Temp\uqnwrddys.k
Filesize
7KB
MD5
a342bd922f1907e57d17e98f522b64ef
SHA1
934596a7680633634741a445c5d9e0bdcf9c3d8f
SHA256
1c1ad949b639cdd656a62b398660a1ccee4a7fc40e1912bf1a5bbab78e51b176
SHA512
6527a40317bc37d0e7274a3880a652e9bd0ee4e874def4478493d93bee7db4564cafec1574e8605945758963945aadc1d3219410cb877e0c331ceca6671a06ae
-
memory/1256-137-0x0000000000000000-mapping.dmp
-
memory/1256-149-0x0000000000400000-0x000000000042F000-memory.dmp
Filesize
188KB
-
memory/1256-139-0x0000000000400000-0x000000000042F000-memory.dmp
Filesize
188KB
-
memory/1256-140-0x0000000000401000-0x000000000042F000-memory.dmp
Filesize
184KB
-
memory/1256-141-0x00000000018A0000-0x0000000001BEA000-memory.dmp
Filesize
3.3MB
-
memory/1256-142-0x0000000000422000-0x0000000000424000-memory.dmp
Filesize
8KB
-
memory/1256-143-0x00000000013A0000-0x00000000013B0000-memory.dmp
Filesize
64KB
-
memory/1256-150-0x0000000000401000-0x000000000042F000-memory.dmp
Filesize
184KB
-
memory/1256-145-0x0000000000422000-0x0000000000424000-memory.dmp
Filesize
8KB
-
memory/1256-146-0x0000000001840000-0x0000000001850000-memory.dmp
Filesize
64KB
-
memory/3052-144-0x00000000082F0000-0x0000000008495000-memory.dmp
Filesize
1.6MB
-
memory/3052-147-0x00000000084A0000-0x00000000085C4000-memory.dmp
Filesize
1.1MB
-
memory/3052-155-0x00000000081C0000-0x000000000829C000-memory.dmp
Filesize
880KB
-
memory/3052-157-0x00000000081C0000-0x000000000829C000-memory.dmp
Filesize
880KB
-
memory/3132-148-0x0000000000000000-mapping.dmp
-
memory/3132-151-0x00000000016B0000-0x00000000016CE000-memory.dmp
Filesize
120KB
-
memory/3132-152-0x0000000000600000-0x000000000062D000-memory.dmp
Filesize
180KB
-
memory/3132-153-0x0000000000E60000-0x00000000011AA000-memory.dmp
Filesize
3.3MB
-
memory/3132-154-0x0000000000CC0000-0x0000000000D4F000-memory.dmp
Filesize
572KB
-
memory/3132-156-0x0000000000600000-0x000000000062D000-memory.dmp
Filesize
180KB
-
memory/3596-132-0x0000000000000000-mapping.dmp