3ac3647f6d46ddd5220e483a90d09442b440a01bd66ec95c117ad3d3e018def8

Analysis

max time kernel
142s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
05-08-2023 23:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

jbitrt.exe
Size

350.0MB
MD5

ebc87e9cf7540ad79716397271c11e7e
SHA1

e4901173b21c903171ef7d83a92c3609ec434fd6
SHA256

3ac3647f6d46ddd5220e483a90d09442b440a01bd66ec95c117ad3d3e018def8
SHA512

5dcb19389e90bf69047e94b616f843983e3852df0a59eabbdb2d682265dd4ad16b36f60b8b15d8d611824ce25faef4ef8029bc402ec6b87dc4d911db30d800cc
SSDEEP

24576:vH9nvaEW1gTI9khgN36kdSG4nGQ5mYeA+igGNTH1YaA0TvD3H1Aza8LN1LV:f9xW1gTI9G0lS7t5mY2ig+yaDvD3CZ

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/396-139-0x0000000000A00000-0x0000000000DE4000-memory.dmp	upx
behavioral2/memory/396-141-0x0000000000A00000-0x0000000000DE4000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

Processes:

jbitrt.exe

description pid process target process

PID 3628 set thread context of 396 3628 jbitrt.exe RegAsm.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

2704 396 WerFault.exe RegAsm.exe
1656 396 WerFault.exe RegAsm.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4508 schtasks.exe

description	pid	process	target process
PID 3628 set thread context of 396	3628	jbitrt.exe	RegAsm.exe

pid	pid_target	process	target process
2704	396	WerFault.exe	RegAsm.exe
1656	396	WerFault.exe	RegAsm.exe

pid	process
4508	schtasks.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

jbitrt.execmd.exe

description	pid	process	target process
PID 3628 wrote to memory of 396	3628	jbitrt.exe	RegAsm.exe
PID 3628 wrote to memory of 396	3628	jbitrt.exe	RegAsm.exe
PID 3628 wrote to memory of 396	3628	jbitrt.exe	RegAsm.exe
PID 3628 wrote to memory of 396	3628	jbitrt.exe	RegAsm.exe
PID 3628 wrote to memory of 396	3628	jbitrt.exe	RegAsm.exe
PID 3628 wrote to memory of 396	3628	jbitrt.exe	RegAsm.exe
PID 3628 wrote to memory of 396	3628	jbitrt.exe	RegAsm.exe
PID 3628 wrote to memory of 3476	3628	jbitrt.exe	cmd.exe
PID 3628 wrote to memory of 3476	3628	jbitrt.exe	cmd.exe
PID 3628 wrote to memory of 3476	3628	jbitrt.exe	cmd.exe
PID 3628 wrote to memory of 756	3628	jbitrt.exe	cmd.exe
PID 3628 wrote to memory of 756	3628	jbitrt.exe	cmd.exe
PID 3628 wrote to memory of 756	3628	jbitrt.exe	cmd.exe
PID 3628 wrote to memory of 3560	3628	jbitrt.exe	cmd.exe
PID 3628 wrote to memory of 3560	3628	jbitrt.exe	cmd.exe
PID 3628 wrote to memory of 3560	3628	jbitrt.exe	cmd.exe
PID 756 wrote to memory of 4508	756	cmd.exe	schtasks.exe
PID 756 wrote to memory of 4508	756	cmd.exe	schtasks.exe
PID 756 wrote to memory of 4508	756	cmd.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\jbitrt.exe
"C:\Users\Admin\AppData\Local\Temp\jbitrt.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3628

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
2⤵
PID:396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 396 -s 536
3⤵
- Program crash
PID:2704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 396 -s 540
3⤵
- Program crash
PID:1656

C:\Windows\SysWOW64\cmd.exe
"cmd" /c mkdir "C:\Users\Admin\AppData\Local\Temp\kbitt"
2⤵
PID:3476

C:\Windows\SysWOW64\cmd.exe
"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\jbitrt.exe" "C:\Users\Admin\AppData\Local\Temp\kbitt\kbitt.exe"
2⤵
PID:3560

C:\Windows\SysWOW64\cmd.exe
"cmd" /c schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\Admin\AppData\Local\Temp\kbitt\kbitt.exe'" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:756

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\Admin\AppData\Local\Temp\kbitt\kbitt.exe'" /f
3⤵
- Creates scheduled task(s)
PID:4508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 396 -ip 396
1⤵
PID:3504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 396 -ip 396
1⤵
PID:1336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/396-139-0x0000000000A00000-0x0000000000DE4000-memory.dmp

Filesize
3.9MB

Download
memory/396-141-0x0000000000A00000-0x0000000000DE4000-memory.dmp

Filesize
3.9MB

Download
memory/3628-133-0x00000000749A0000-0x0000000075150000-memory.dmp

Filesize
7.7MB

Download
memory/3628-134-0x0000000000B60000-0x0000000000D0C000-memory.dmp

Filesize
1.7MB

Download
memory/3628-135-0x00000000056A0000-0x00000000056B0000-memory.dmp

Filesize
64KB

Download
memory/3628-136-0x00000000749A0000-0x0000000075150000-memory.dmp

Filesize
7.7MB

Download
memory/3628-137-0x00000000056A0000-0x00000000056B0000-memory.dmp

Filesize
64KB

Download
memory/3628-142-0x00000000749A0000-0x0000000075150000-memory.dmp

Filesize
7.7MB

Download