f76ae21f9c62c095f082aba23fad1b575331a19fdb1376486b7354a784632985

Resubmissions

04-04-2023 11:14

230404-nb1qhsgd3w 10

Analysis

max time kernel
9s
max time network
11s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
04-04-2023 11:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

380KB
MD5

30b05e5b7fbc440221c4da9a84f9406d
SHA1

7d5544e825664f385d24b458b50f32c9d0212365
SHA256

f76ae21f9c62c095f082aba23fad1b575331a19fdb1376486b7354a784632985
SHA512

c934bf1cf09e8f557f5d294cbb5ae2f9bfa68cd5c2a065e9fb005ffb6804e6774a92d5c852d683ffb268d6bd18494ea7c6e0c680426402ec339a2322f6fe3f73
SSDEEP

6144:x/QiQXC2Jm+ksmpk3U9jW1U4P9bwOGBfj/WUplm6zIOYQNd28pTXdAmpCLVRZogE:pQi32s6m6URA3PhwlL//plmW9bTXeVh8

Score

8^/10

persistence

Malware Config

Signatures

Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

rt.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts rt.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

rt.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation rt.exe
Executes dropped EXE 3 IoCs

Processes:

file.tmprt.exeJizhuqolama.exe

pid process

1136 file.tmp
4484 rt.exe
1124 Jizhuqolama.exe
Loads dropped DLL 1 IoCs

Processes:

file.tmp

pid process

1136 file.tmp

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	rt.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	rt.exe

pid	process
1136	file.tmp
4484	rt.exe
1124	Jizhuqolama.exe

pid	process
1136	file.tmp

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rt.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\system recover = "\"C:\\Program Files (x86)\\Microsoft.NET\\Jizhuqolama.exe\""	rt.exe

Drops file in Program Files directory 3 IoCs

Processes:

rt.exe

description	ioc	process
File created	C:\Program Files\Microsoft Office 15\AIEPCAVZQO\poweroff.exe	rt.exe
File created	C:\Program Files (x86)\Microsoft.NET\Jizhuqolama.exe	rt.exe
File created	C:\Program Files (x86)\Microsoft.NET\Jizhuqolama.exe.config	rt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

rt.exe

description pid process

Token: SeDebugPrivilege 4484 rt.exe

description	pid	process
Token: SeDebugPrivilege	4484	rt.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

file.exefile.tmprt.exe

description	pid	process	target process
PID 4700 wrote to memory of 1136	4700	file.exe	file.tmp
PID 4700 wrote to memory of 1136	4700	file.exe	file.tmp
PID 4700 wrote to memory of 1136	4700	file.exe	file.tmp
PID 1136 wrote to memory of 4484	1136	file.tmp	rt.exe
PID 1136 wrote to memory of 4484	1136	file.tmp	rt.exe
PID 4484 wrote to memory of 1124	4484	rt.exe	Jizhuqolama.exe
PID 4484 wrote to memory of 1124	4484	rt.exe	Jizhuqolama.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4700

C:\Users\Admin\AppData\Local\Temp\is-GANMA.tmp\file.tmp
"C:\Users\Admin\AppData\Local\Temp\is-GANMA.tmp\file.tmp" /SL5="$A006E,140518,56832,C:\Users\Admin\AppData\Local\Temp\file.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1136

C:\Users\Admin\AppData\Local\Temp\is-OUOGH.tmp\rt.exe
"C:\Users\Admin\AppData\Local\Temp\is-OUOGH.tmp\rt.exe" /S /UID=flabs2
3⤵
- Drops file in Drivers directory
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4484

C:\Users\Admin\AppData\Local\Temp\71-5ef09-a12-5ba89-19bd4fff7f9c1\Jizhuqolama.exe
"C:\Users\Admin\AppData\Local\Temp\71-5ef09-a12-5ba89-19bd4fff7f9c1\Jizhuqolama.exe"
4⤵
- Executes dropped EXE
PID:1124

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\71-5ef09-a12-5ba89-19bd4fff7f9c1\Jizhuqolama.exe
Filesize
463KB

MD5
fba3b4b12a0c6c9924132b149147a0a2

SHA1
a776068968a89ff9503e794e4ab0c04bbee6e5f6

SHA256
7403a6d53688cddeb84997cf90f616a3f25e79681b9c47074b5534f4e8b45890

SHA512
a1a41956ee97b4e590795a319d357f7f1b22115f5f663211af71cb14ffae879cb0fda743c7a016bb1a479d64dacee2f865e67f29d589d30d10b928a2bbb628ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\71-5ef09-a12-5ba89-19bd4fff7f9c1\Jizhuqolama.exe
Filesize
463KB

MD5
fba3b4b12a0c6c9924132b149147a0a2

SHA1
a776068968a89ff9503e794e4ab0c04bbee6e5f6

SHA256
7403a6d53688cddeb84997cf90f616a3f25e79681b9c47074b5534f4e8b45890

SHA512
a1a41956ee97b4e590795a319d357f7f1b22115f5f663211af71cb14ffae879cb0fda743c7a016bb1a479d64dacee2f865e67f29d589d30d10b928a2bbb628ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\71-5ef09-a12-5ba89-19bd4fff7f9c1\Jizhuqolama.exe
Filesize
463KB

MD5
fba3b4b12a0c6c9924132b149147a0a2

SHA1
a776068968a89ff9503e794e4ab0c04bbee6e5f6

SHA256
7403a6d53688cddeb84997cf90f616a3f25e79681b9c47074b5534f4e8b45890

SHA512
a1a41956ee97b4e590795a319d357f7f1b22115f5f663211af71cb14ffae879cb0fda743c7a016bb1a479d64dacee2f865e67f29d589d30d10b928a2bbb628ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\71-5ef09-a12-5ba89-19bd4fff7f9c1\Jizhuqolama.exe.config
Filesize
1KB

MD5
98d2687aec923f98c37f7cda8de0eb19

SHA1
f6dcfcdcfe570340ecdbbd9e2a61f3cb4f281ba7

SHA256
8a94163256a722ef8cc140bcd115a5b8f8725c04fe158b129d47be81cb693465

SHA512
95c7290d59749df8df495e04789c1793265e0f34e0d091df5c0d4aefe1af4c8ac1f5460f1f198fc28c4c8c900827b8f22e2851957bbaea5914ea962b3a1d0590

Download Submit
C:\Users\Admin\AppData\Local\Temp\d2-fb076-7cf-91495-d7ff8c5827ebf\Waeqelogala.exe
Filesize
51KB

MD5
c091f48b0a1a807b2a38b0bf1ff05663

SHA1
f0a62ebcab698ea2e01cfb263f6bca5c2c7d42f1

SHA256
f91e02632980cfdb70982d91f449df5749d93137b4cf0b7c7f8e919ec4c18d4c

SHA512
525fa6385f1331da1510138e1913f034728cea579a7e2eccfdc749369e26975d1d41ff2f1bf5f5f0f916e2362a714820b09b3bb74d93ebd4b788ced5cf402dcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-GANMA.tmp\file.tmp
Filesize
694KB

MD5
ffcf263a020aa7794015af0edee5df0b

SHA1
bce1eb5f0efb2c83f416b1782ea07c776666fdab

SHA256
1d07cfb7104b85fc0dffd761f6848ad176117e146bbb4079fe993efa06b94c64

SHA512
49f2b062adfb99c0c7f1012c56f0b52a8850d9f030cc32073b90025b372e4eb373f06a351e9b33264967427b8174c060c8a6110979f0eaf0872f7da6d5e4308a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OUOGH.tmp\idp.dll
Filesize
216KB

MD5
8f995688085bced38ba7795f60a5e1d3

SHA1
5b1ad67a149c05c50d6e388527af5c8a0af4343a

SHA256
203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

SHA512
043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OUOGH.tmp\rt.exe
Filesize
582KB

MD5
f6c312d7bc53140df83864221e8ebee1

SHA1
da7ad1f5fa18bf00c3352cb510554b061bbfe04f

SHA256
e119a3b5fcb628740e8313a44d312296fd03771d9ed727b10b58aae29192a2db

SHA512
38c9d9b32fd1ee096f23ee62b5e64cc962f21a85d07ea32860d45d5e8249474d28239238a635cf69db30fd3f035c7c93dcce264a9e8288dbef70ffe2a493922a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OUOGH.tmp\rt.exe
Filesize
582KB

MD5
f6c312d7bc53140df83864221e8ebee1

SHA1
da7ad1f5fa18bf00c3352cb510554b061bbfe04f

SHA256
e119a3b5fcb628740e8313a44d312296fd03771d9ed727b10b58aae29192a2db

SHA512
38c9d9b32fd1ee096f23ee62b5e64cc962f21a85d07ea32860d45d5e8249474d28239238a635cf69db30fd3f035c7c93dcce264a9e8288dbef70ffe2a493922a

Download Submit
memory/1124-187-0x00000000003C0000-0x000000000043A000-memory.dmp

Filesize
488KB

Download
memory/1124-192-0x000000001DE60000-0x000000001DEBE000-memory.dmp

Filesize
376KB

Download
memory/1124-191-0x0000000000E90000-0x0000000000E98000-memory.dmp

Filesize
32KB

Download
memory/1124-190-0x000000001C140000-0x000000001C1DC000-memory.dmp

Filesize
624KB

Download
memory/1124-189-0x000000001BAD0000-0x000000001BF9E000-memory.dmp

Filesize
4.8MB

Download
memory/1124-184-0x0000000000EB0000-0x0000000000EC0000-memory.dmp

Filesize
64KB

Download
memory/1124-188-0x0000000000CA0000-0x0000000000D06000-memory.dmp

Filesize
408KB

Download
memory/1136-142-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/1136-183-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/4484-152-0x000000001D250000-0x000000001D260000-memory.dmp

Filesize
64KB

Download
memory/4484-151-0x0000000000EF0000-0x0000000000F86000-memory.dmp

Filesize
600KB

Download
memory/4700-186-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4700-133-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download