Analysis
- max time kernel: 146s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21/03/2023, 10:06

Static task: static1

Behavioral task: behavioral1
- Sample: BG000896543.exe
- Resource: win7-20230220-en

Behavioral task: behavioral2
- Sample: BG000896543.exe
- Resource: win10v2004-20230220-en
General
- Target: BG000896543.exe
- Size: 469KB
- MD5: bf77e106994c623f8b5c1747e97ba97e
- SHA1: d66c2fc3c47cd4f60924cf863c43d1d8c28929d8
- SHA256: 1fcf39f27164b5bfee7f234220f5cd10f73932d72794cafd678a0dac1297707f
- SHA512: 1929159c8fed9205e0b37eeae899db58bf66159ac7c05fd810c0305d12a9377292e45a6d6f59b6438aee4c6532d7d8c871834072ab52c9451736bfff3caecb54
- SSDEEP: 3072:IfY/TU9fE9PEtuoNbGi7KV6WBp9aHRhFDCPuu+CANvDZ23ykOnp3l7JO/:+Ya68G1p9aHRhd2+CANvDZ2CkI3dJy
Malware Config

Signatures
- Async RAT payload (2 IoCs)
  resource | yara_rule
  behavioral2/memory/2608-146-0x0000000000400000-0x0000000000426000-memory.dmp | asyncrat
  behavioral2/memory/2608-148-0x0000000000400000-0x0000000000426000-memory.dmp | asyncrat
- Executes dropped EXE (2 IoCs)
  pid | Process
  2276 | jmxpydzgw.exe
  2608 | jmxpydzgw.exe
- resource | yara_rule
  behavioral2/memory/2608-142-0x0000000000400000-0x0000000000426000-memory.dmp | upx
  behavioral2/memory/2608-145-0x0000000000400000-0x0000000000426000-memory.dmp | upx
  behavioral2/memory/2608-146-0x0000000000400000-0x0000000000426000-memory.dmp | upx
  behavioral2/memory/2608-148-0x0000000000400000-0x0000000000426000-memory.dmp | upx
- Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\enjsn = "C:\\Users\\Admin\\AppData\\Roaming\\uqajfoxscxhq\\mvfbkgpyu.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\jmxpydzgw.exe\" C:\\Users\\Admin\\AppData" | jmxpydzgw.exe
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 2276 set thread context of 2608 | 2276 | jmxpydzgw.exe | 88
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid | Process
  2276 | jmxpydzgw.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 2608 | jmxpydzgw.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | Process | procid_target
  PID 3736 wrote to memory of 2276 | 3736 | BG000896543.exe | 86
  PID 3736 wrote to memory of 2276 | 3736 | BG000896543.exe | 86
  PID 3736 wrote to memory of 2276 | 3736 | BG000896543.exe | 86
  PID 2276 wrote to memory of 2608 | 2276 | jmxpydzgw.exe | 88
  PID 2276 wrote to memory of 2608 | 2276 | jmxpydzgw.exe | 88
  PID 2276 wrote to memory of 2608 | 2276 | jmxpydzgw.exe | 88
  PID 2276 wrote to memory of 2608 | 2276 | jmxpydzgw.exe | 88
Processes
- C:\Users\Admin\AppData\Local\Temp\BG000896543.exe (PID 3736)
  Command line: "C:\Users\Admin\AppData\Local\Temp\BG000896543.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\jmxpydzgw.exe (PID 2276)
    Command line: "C:\Users\Admin\AppData\Local\Temp\jmxpydzgw.exe" C:\Users\Admin\AppData\Local\Temp\edfxh.uno
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\jmxpydzgw.exe (PID 2608)
      Command line: "C:\Users\Admin\AppData\Local\Temp\jmxpydzgw.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads