Analysis
- max time kernel: 90s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-11-2022 15:30

Static task: static1
Behavioral task: behavioral1
- Sample: 11EAEB2EE4191C259F66302AD1C03B1E.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: 11EAEB2EE4191C259F66302AD1C03B1E.exe
- Resource: win10v2004-20220901-en

General
- Target: 11EAEB2EE4191C259F66302AD1C03B1E.exe
- Size: 1.8MB
- MD5: 11eaeb2ee4191c259f66302ad1c03b1e
- SHA1: 1035878efe2fce53d7414e72430756a11e1c4c04
- SHA256: 1d305787202474fcc79a210caf6cd88c7722fed5249797483817da4a04967f7b
- SHA512: 817a6724d17c7f4049163d9e774ae501c7b7122e10c782ecb4d31c0bef69134106e8d340466eddbc379b8868507ce9dc9c16d625aa30ff0396db4ef377bce969
- SSDEEP: 49152:qKVXGViAGZjn2vLDo/BeacqBfzqEP/JoX9RUW:qKpAGZjuLDo/BebqBfPBoNRUW
Malware Config

Signatures
- Executes dropped EXE (1 IoC)
  Processes:
  | pid  | process        |
  |------|----------------|
  | 3432 | jwxfloader.exe |
- YARA rule matches
  | resource | yara_rule |
  |----------|-----------|
  | C:\jwxfloader.exe | vmprotect |
  | \??\c:\jwxfloader.exe | vmprotect |
  | behavioral2/memory/3432-139-0x0000000000400000-0x0000000000916000-memory.dmp | vmprotect |
  | behavioral2/memory/3432-138-0x0000000000400000-0x0000000000916000-memory.dmp | vmprotect |
  | behavioral2/memory/3432-156-0x0000000000400000-0x0000000000916000-memory.dmp | vmprotect |
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  | description | ioc | process |
  |-------------|-----|---------|
  | Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | 11EAEB2EE4191C259F66302AD1C03B1E.exe |
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
  Disk information is often read in order to detect sandboxing environments.
  Processes:
  | description | ioc | process |
  |-------------|-----|---------|
  | Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | jwxfloader.exe |
  | Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\1 | jwxfloader.exe |
- Suspicious use of SetThreadContext (2 IoCs)
  Processes:
  | description | pid | process | target process |
  |-------------|-----|---------|----------------|
  | PID 3432 set thread context of 3720 | 3432 | jwxfloader.exe | svchost.exe |
  | PID 3432 set thread context of 1952 | 3432 | jwxfloader.exe | svchost.exe |
- Drops file in Windows directory (2 IoCs)
  Processes:
  | description | ioc | process |
  |-------------|-----|---------|
  | File created | C:\WINDOWS\loktbglc.log | svchost.exe |
  | File opened for modification | C:\WINDOWS\loktbglc.log | svchost.exe |
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of SetWindowsHookEx (6 IoCs)
  Processes:
  | pid  | process        |
  |------|----------------|
  | 3432 | jwxfloader.exe |
  | 3432 | jwxfloader.exe |
  | 3720 | svchost.exe    |
  | 3720 | svchost.exe    |
  | 1952 | svchost.exe    |
  | 1952 | svchost.exe    |
- Suspicious use of WriteProcessMemory (27 IoCs)
  Processes (identical rows grouped, with the number of occurrences):
  | description | pid | process | target process | occurrences |
  |-------------|-----|---------|----------------|-------------|
  | PID 4864 wrote to memory of 3140 | 4864 | 11EAEB2EE4191C259F66302AD1C03B1E.exe | cmd.exe | 3 |
  | PID 3140 wrote to memory of 2412 | 3140 | cmd.exe | PING.EXE | 3 |
  | PID 3140 wrote to memory of 3432 | 3140 | cmd.exe | jwxfloader.exe | 3 |
  | PID 3432 wrote to memory of 3720 | 3432 | jwxfloader.exe | svchost.exe | 9 |
  | PID 3432 wrote to memory of 1952 | 3432 | jwxfloader.exe | svchost.exe | 9 |
Processes
- C:\Users\Admin\AppData\Local\Temp\11EAEB2EE4191C259F66302AD1C03B1E.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\11EAEB2EE4191C259F66302AD1C03B1E.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\jw.bat" "
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE
      Command line: ping 127.0.0.1 -n 12
      - Runs ping.exe
    - \??\c:\jwxfloader.exe
      Command line: c:\jwxfloader.exe
      - Executes dropped EXE
      - Maps connected drives based on registry
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\WINDOWS\SysWOW64\svchost.exe
        Command line: C:\WINDOWS\system32\svchost.exe
        - Drops file in Windows directory
        - Suspicious use of SetWindowsHookEx
      - C:\WINDOWS\SysWOW64\svchost.exe
        Command line: C:\WINDOWS\system32\svchost.exe Jw_Hlj_20140417
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\jw.bat
  Filesize: 56B
  MD5: b2e1f69fb14ec4e432843ecbc26134ef
  SHA1: 120f2236468228c1c3c05b764b45787fd65254b7
  SHA256: dadcb66afa7049544f9d0fffa563ee936ea59167c31980c55208ac1cfe4b2c1a
  SHA512: 5610bd2627f2a4800ec280dcfc2554b1bff9d13b8b497707401d395b72f5be63ec7dad0b5bbb5643d9109323983cae26c7b2bbd648fd917f1cdb15f441a36a8a
- C:\jwxfloader.exe
  Filesize: 1.7MB
  MD5: a43bb3b6c1cfc3ff41f10da4db84ab85
  SHA1: 200dfe039b3ed1331104dbc8f59a42172f0cf868
  SHA256: 83ef0f10d40a74aa0da8d7b6d44f0a701f982520f75b464b7f795a8d158e29a1
  SHA512: 5243b4cd5f1f737b15d1d945a79a9544c089658b924163d06c6c2559f871267dab3387b7a2b7e9a7a94d11f800c740244e75004669e3902e415ae83ae21f6c02
- \??\c:\jwxfloader.exe
  Filesize: 1.7MB
  MD5: a43bb3b6c1cfc3ff41f10da4db84ab85
  SHA1: 200dfe039b3ed1331104dbc8f59a42172f0cf868
  SHA256: 83ef0f10d40a74aa0da8d7b6d44f0a701f982520f75b464b7f795a8d158e29a1
  SHA512: 5243b4cd5f1f737b15d1d945a79a9544c089658b924163d06c6c2559f871267dab3387b7a2b7e9a7a94d11f800c740244e75004669e3902e415ae83ae21f6c02
- \??\c:\mainpro.ini
  Filesize: 367B
  MD5: c789dcf2272e43755a0fa0b58eeb8eed
  SHA1: 0ab3b84be0a987c78af85ff9e930bef53d2592ec
  SHA256: b468e56de0fe04b280e77ad81318e0b1980f05705b15a6650d632578deeb054e
  SHA512: 69a07c9dee0f196f2492f78e5c267e3d5bac62b6b874f30a570260baca2cd6cfa94707d988770775c2b8c724a470a26853e1c7827cacf26a7504085f53702079
- memory/1952-147-0x0000000000000000-mapping.dmp
- memory/1952-155-0x0000000000400000-0x00000000004BB000-memory.dmp (Filesize: 748KB)
- memory/1952-150-0x0000000000400000-0x00000000004BB000-memory.dmp (Filesize: 748KB)
- memory/1952-152-0x0000000000400000-0x00000000004BB000-memory.dmp (Filesize: 748KB)
- memory/1952-149-0x0000000000400000-0x00000000004BB000-memory.dmp (Filesize: 748KB)
- memory/1952-151-0x0000000000400000-0x00000000004BB000-memory.dmp (Filesize: 748KB)
- memory/2412-134-0x0000000000000000-mapping.dmp
- memory/3140-132-0x0000000000000000-mapping.dmp
- memory/3432-135-0x0000000000000000-mapping.dmp
- memory/3432-139-0x0000000000400000-0x0000000000916000-memory.dmp (Filesize: 5.1MB)
- memory/3432-138-0x0000000000400000-0x0000000000916000-memory.dmp (Filesize: 5.1MB)
- memory/3432-156-0x0000000000400000-0x0000000000916000-memory.dmp (Filesize: 5.1MB)
- memory/3720-145-0x0000000000400000-0x0000000000505000-memory.dmp (Filesize: 1.0MB)
- memory/3720-144-0x0000000000400000-0x0000000000505000-memory.dmp (Filesize: 1.0MB)
- memory/3720-148-0x0000000000400000-0x0000000000505000-memory.dmp (Filesize: 1.0MB)
- memory/3720-143-0x0000000000400000-0x0000000000505000-memory.dmp (Filesize: 1.0MB)
- memory/3720-142-0x0000000000400000-0x0000000000505000-memory.dmp (Filesize: 1.0MB)
- memory/3720-141-0x0000000000000000-mapping.dmp