Overview

overview

7

Static

static

3

d98f926f3a...JC.exe

windows7-x64

7

d98f926f3a...JC.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    151s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-10-2023 19:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d98f926f3a2ea1308e2d80705591f91b_JC.exe

  • Size

    472KB

  • MD5

    d98f926f3a2ea1308e2d80705591f91b

  • SHA1

    badd7d2f741c15d58139a1ebc3ac0f5152f195b1

  • SHA256

    17e75f28d1566e91fc1e91a7782da24b1cf215fb7d5c2dfd746d7d4808049318

  • SHA512

    eac1f64906642702597a2952ab5817ff632d8aa1ebfb7a0dd759e6cff4309764621fd41abb03f703fe28bf564266c5e7d426df053fc8c4a75fc1ee9961a88338

  • SSDEEP

    6144:Wf+Jjjou35J6i5plrzuo6/LkeYvjoIHnv0RX/VwFdLD/7MsrYMC+9GXL9M8sG3dR:hj8u3ui5pl+uBvc/V0FdYxJdRqMt

Score
7/10
persistence

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 10 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 4 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d98f926f3a2ea1308e2d80705591f91b_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\d98f926f3a2ea1308e2d80705591f91b_JC.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4128
    • C:\Windows\LSASS.exe
      "C:\Windows\LSASS.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4500
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:508
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:5076
      • C:\Users\Admin\LSASS.exe
        "C:\Users\Admin\LSASS.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:3264
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:3316
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:4748
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:1812
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:4664
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:1088
      • C:\Windows\SysWOW64\REG.exe
        REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Windows\LSASS.exe" /f
        3⤵
        • Adds Run key to start application
        PID:3372
    • C:\Windows\SysWOW64\REG.exe
      REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\d98f926f3a2ea1308e2d80705591f91b_JC.exe" /f
      2⤵
      • Adds Run key to start application
      PID:4676
    • C:\Windows\SysWOW64\REG.exe
      REG ADD HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v SysUtils /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\d98f926f3a2ea1308e2d80705591f91b_JC.exe" /f
      2⤵
      • Adds Run key to start application
      PID:2588

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\LSASS.exe
    Filesize

    472KB

    MD5

    94c6d31a09841138ce95cbf404f28f36

    SHA1

    12c248e012e574ad151cbbea438a073becf80f2f

    SHA256

    b8562efd9ab474112890497913f02a36da21ad329ed5cf3b835411980c61cd86

    SHA512

    0baf64a0e8489244e1c2cb7ec5442b02ed3226899ba75e64cb57bf54ce21ddab1ba144a5f2cacae9544ffced8838356adc423f21a7ae2c051fa27955edbdc35a

    Download Submit

  • C:\Users\Admin\LSASS.exe
    Filesize

    472KB

    MD5

    94c6d31a09841138ce95cbf404f28f36

    SHA1

    12c248e012e574ad151cbbea438a073becf80f2f

    SHA256

    b8562efd9ab474112890497913f02a36da21ad329ed5cf3b835411980c61cd86

    SHA512

    0baf64a0e8489244e1c2cb7ec5442b02ed3226899ba75e64cb57bf54ce21ddab1ba144a5f2cacae9544ffced8838356adc423f21a7ae2c051fa27955edbdc35a

    Download Submit

  • C:\Windows\LSASS.exe
    Filesize

    472KB

    MD5

    08bdb6cea15305e815f24cf67a31cac5

    SHA1

    85d10d5621c909f04882f73a2edc6d861cb531d7

    SHA256

    bae136df4d8ff9efdf4ce02dbc16e861c2bfb7c6e9118ba5d7a03ec51a3f0f0a

    SHA512

    c697c268a1875fc530cd9a3b453f05d5551c049d91bda1d49626650c496520d31e647a4fb3eb7327b8a215c3e19591cab6d223ef8c13c170b0b061d632b706b9

    Download Submit

  • C:\Windows\LSASS.exe
    Filesize

    472KB

    MD5

    08bdb6cea15305e815f24cf67a31cac5

    SHA1

    85d10d5621c909f04882f73a2edc6d861cb531d7

    SHA256

    bae136df4d8ff9efdf4ce02dbc16e861c2bfb7c6e9118ba5d7a03ec51a3f0f0a

    SHA512

    c697c268a1875fc530cd9a3b453f05d5551c049d91bda1d49626650c496520d31e647a4fb3eb7327b8a215c3e19591cab6d223ef8c13c170b0b061d632b706b9

    Download Submit

  • C:\Windows\LSASS.exe
    Filesize

    472KB

    MD5

    08bdb6cea15305e815f24cf67a31cac5

    SHA1

    85d10d5621c909f04882f73a2edc6d861cb531d7

    SHA256

    bae136df4d8ff9efdf4ce02dbc16e861c2bfb7c6e9118ba5d7a03ec51a3f0f0a

    SHA512

    c697c268a1875fc530cd9a3b453f05d5551c049d91bda1d49626650c496520d31e647a4fb3eb7327b8a215c3e19591cab6d223ef8c13c170b0b061d632b706b9

    Download Submit

  • memory/3264-108-0x0000000001570000-0x0000000001571000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3264-109-0x0000000000400000-0x000000000047D000-memory.dmp

    Filesize

    500KB

    Download

  • memory/4128-0-0x0000000001570000-0x0000000001571000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4128-35-0x0000000000400000-0x000000000047D000-memory.dmp

    Filesize

    500KB

    Download

  • memory/4500-129-0x0000000000400000-0x000000000047D000-memory.dmp

    Filesize

    500KB

    Download

  • memory/4500-215-0x0000000000400000-0x000000000047D000-memory.dmp

    Filesize

    500KB

    Download

  • memory/4500-34-0x00000000041D0000-0x00000000041D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4500-146-0x0000000000400000-0x000000000047D000-memory.dmp

    Filesize

    500KB

    Download

  • memory/4500-163-0x0000000000400000-0x000000000047D000-memory.dmp

    Filesize

    500KB

    Download

  • memory/4500-180-0x0000000000400000-0x000000000047D000-memory.dmp

    Filesize

    500KB

    Download

  • memory/4500-198-0x0000000000400000-0x000000000047D000-memory.dmp

    Filesize

    500KB

    Download

  • memory/4500-110-0x0000000000400000-0x000000000047D000-memory.dmp

    Filesize

    500KB

    Download

  • memory/4500-236-0x0000000000400000-0x000000000047D000-memory.dmp

    Filesize

    500KB

    Download

  • memory/4500-257-0x0000000000400000-0x000000000047D000-memory.dmp

    Filesize

    500KB

    Download

  • memory/4500-274-0x0000000000400000-0x000000000047D000-memory.dmp

    Filesize

    500KB

    Download

  • memory/4500-291-0x0000000000400000-0x000000000047D000-memory.dmp

    Filesize

    500KB

    Download

  • memory/4500-308-0x0000000000400000-0x000000000047D000-memory.dmp

    Filesize

    500KB

    Download

  • memory/4500-329-0x0000000000400000-0x000000000047D000-memory.dmp

    Filesize

    500KB

    Download

  • memory/4500-346-0x0000000000400000-0x000000000047D000-memory.dmp

    Filesize

    500KB

    Download