c87a7927b960e441bdee32f1636629cd8a894883f161e9a7e658126a4ceb654e

Analysis

max time kernel
42s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2023, 21:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3c93857d991f5cff4dac3e46c65a2dbb_JC.exe
Size

208KB
MD5

3c93857d991f5cff4dac3e46c65a2dbb
SHA1

b537ceec3d34c0840211170c7a17529578796146
SHA256

c87a7927b960e441bdee32f1636629cd8a894883f161e9a7e658126a4ceb654e
SHA512

057d147d4cc602ec0a44454db03c7fa1f69732a124906a4fa96372f10eb3a16a5e7ca203c57801fc7c331556b92902b8179a21a0e0b340e57a3b2549c6ace0c1
SSDEEP

3072:MUQNYp/nDIs0YFnF2m2HAPg68jVmo8qNhvDC4r4NLthEjQT6j:YNYp/DI2nF2m2HAUjVmkvW4rQEj1

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	3c93857d991f5cff4dac3e46c65a2dbb_JC.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	VULPPXM.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation	FVV.exe

Executes dropped EXE 3 IoCs

pid	Process
420	VULPPXM.exe
3140	FVV.exe
1620	CIYJS.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\windows\SysWOW64\FVV.exe.bat	VULPPXM.exe
File created	C:\windows\SysWOW64\VULPPXM.exe	3c93857d991f5cff4dac3e46c65a2dbb_JC.exe
File opened for modification	C:\windows\SysWOW64\VULPPXM.exe	3c93857d991f5cff4dac3e46c65a2dbb_JC.exe
File created	C:\windows\SysWOW64\VULPPXM.exe.bat	3c93857d991f5cff4dac3e46c65a2dbb_JC.exe
File created	C:\windows\SysWOW64\FVV.exe	VULPPXM.exe
File opened for modification	C:\windows\SysWOW64\FVV.exe	VULPPXM.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\windows\CIYJS.exe	FVV.exe
File opened for modification	C:\windows\CIYJS.exe	FVV.exe
File created	C:\windows\CIYJS.exe.bat	FVV.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 4 IoCs

pid	pid_target	Process	procid_target
3776	2716	WerFault.exe	81
4240	420	WerFault.exe	87
760	3140	WerFault.exe	93
2388	1620	WerFault.exe	98

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2716	3c93857d991f5cff4dac3e46c65a2dbb_JC.exe
2716	3c93857d991f5cff4dac3e46c65a2dbb_JC.exe
420	VULPPXM.exe
420	VULPPXM.exe
3140	FVV.exe
3140	FVV.exe
1620	CIYJS.exe
1620	CIYJS.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2716	3c93857d991f5cff4dac3e46c65a2dbb_JC.exe
2716	3c93857d991f5cff4dac3e46c65a2dbb_JC.exe
420	VULPPXM.exe
420	VULPPXM.exe
3140	FVV.exe
3140	FVV.exe
1620	CIYJS.exe
1620	CIYJS.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2716 wrote to memory of 1264	2716	3c93857d991f5cff4dac3e46c65a2dbb_JC.exe	83
PID 2716 wrote to memory of 1264	2716	3c93857d991f5cff4dac3e46c65a2dbb_JC.exe	83
PID 2716 wrote to memory of 1264	2716	3c93857d991f5cff4dac3e46c65a2dbb_JC.exe	83
PID 1264 wrote to memory of 420	1264	cmd.exe	87
PID 1264 wrote to memory of 420	1264	cmd.exe	87
PID 1264 wrote to memory of 420	1264	cmd.exe	87
PID 420 wrote to memory of 4992	420	VULPPXM.exe	89
PID 420 wrote to memory of 4992	420	VULPPXM.exe	89
PID 420 wrote to memory of 4992	420	VULPPXM.exe	89
PID 4992 wrote to memory of 3140	4992	cmd.exe	93
PID 4992 wrote to memory of 3140	4992	cmd.exe	93
PID 4992 wrote to memory of 3140	4992	cmd.exe	93
PID 3140 wrote to memory of 2116	3140	FVV.exe	94
PID 3140 wrote to memory of 2116	3140	FVV.exe	94
PID 3140 wrote to memory of 2116	3140	FVV.exe	94
PID 2116 wrote to memory of 1620	2116	cmd.exe	98
PID 2116 wrote to memory of 1620	2116	cmd.exe	98
PID 2116 wrote to memory of 1620	2116	cmd.exe	98

C:\Users\Admin\AppData\Local\Temp\3c93857d991f5cff4dac3e46c65a2dbb_JC.exe
"C:\Users\Admin\AppData\Local\Temp\3c93857d991f5cff4dac3e46c65a2dbb_JC.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\windows\system32\VULPPXM.exe.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1264
- - C:\windows\SysWOW64\VULPPXM.exe
    C:\windows\system32\VULPPXM.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:420
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\windows\system32\FVV.exe.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4992
    - - C:\windows\SysWOW64\FVV.exe
        
        C:\windows\system32\FVV.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3140
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\windows\CIYJS.exe.bat" "
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\windows\CIYJS.exe
        
        C:\windows\CIYJS.exe
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:1620
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1620 -s 844
        8⤵
        Program crash
        
        PID:2388
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 1292
        6⤵
        Program crash
        
        PID:760
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 420 -s 1004
      4⤵
      Program crash
      PID:4240
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 964
  2⤵
  - Program crash
  PID:3776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2716 -ip 2716
1⤵
PID:5096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 420 -ip 420
1⤵
PID:3772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 3140 -ip 3140
1⤵
PID:3012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1620 -ip 1620
1⤵
PID:4100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\CIYJS.exe

Filesize
208KB

MD5
c0b168ac6aabba33b2fe78a6a4e97d25

SHA1
2a6207329b7da863fc06df03fd48c55f257d83c2

SHA256
753138f01490afa2fe6aa04226bcaeb5654361dbbb9417c7ff3fa1003f59fb31

SHA512
a3159ef09bf695ef194068ef73f441f4f9b5e23e4c86ae264e712ea3c3790ac9caa6b62c2f89ac4b76db39d5f14fee7405d5712d871cf9da089d6baeb1863ecb

Download Submit
C:\Windows\SysWOW64\FVV.exe

Filesize
208KB

MD5
93140836310bffb3b9a97afe53c6d4de

SHA1
a91a735ebbc2b46002553dcb940d807f0a70549d

SHA256
03eecbefa8260bd3ccd34e1fca8a1f34bd4603c0497bfdd4508f9bef33790bb9

SHA512
cf2c1c9318b4f3e5e21f4c88a96fc0e498f1d327ebd51b54202b91566c064c26bcc1cc817350a40276b11cd4de5f263793beb23fec8e2256d6380a3db936c15c

Download Submit
C:\Windows\SysWOW64\FVV.exe

Filesize
208KB

MD5
b166f211634fc977a2afafbe6088ee2e

SHA1
d04571c311850a05f606212cb65708f228fa1db9

SHA256
021bca8b526952986716ee72353c8e60457dac32191d75c7ed48032440004ead

SHA512
1ad106be149c0d6fd4e64e02154957a06f66ac54f5442093a2316dac8eaa185329c19bb6474fcd59be43780eabaf602a9be8086f2a64db554abf797c4463306c

Download Submit
C:\Windows\SysWOW64\VULPPXM.exe

Filesize
208KB

MD5
2a2d2c873b55e43aaa944573283e870c

SHA1
beb063492e49eb3b2de999b0d24c9565f26418ab

SHA256
5e0b734f9630af47b5ff406ffb1cb193cb7dfa9af08cb54289fcebe71c980145

SHA512
bf609266117514250a609bd7f0c953e3bfac5ffd83dbf921faeed298aed3f9e4b66420a9878f74f6ba8c8ebad505cdf3dd45f46b1ff9374553ef7059e9fe6f48

Download Submit
C:\windows\CIYJS.exe

Filesize
208KB

MD5
c0b168ac6aabba33b2fe78a6a4e97d25

SHA1
2a6207329b7da863fc06df03fd48c55f257d83c2

SHA256
753138f01490afa2fe6aa04226bcaeb5654361dbbb9417c7ff3fa1003f59fb31

SHA512
a3159ef09bf695ef194068ef73f441f4f9b5e23e4c86ae264e712ea3c3790ac9caa6b62c2f89ac4b76db39d5f14fee7405d5712d871cf9da089d6baeb1863ecb

Download Submit
C:\windows\CIYJS.exe.bat

Filesize
56B

MD5
28efff2455f249c8c916550353bb9894

SHA1
192c6fc5879f338bdd85964319bf2a5f0effb6d6

SHA256
95ffc67b56f2b6e7df2a4870b48772239f32b8f41f5f050a841ad90d79f9a39c

SHA512
4c3fafd1bb7ae755b555c410a34eac155e88631fbcdf7079453cab38649c5656e3302d0925636cf8566cdcd28d1b397286ad308d085b49ffef29dcdeee97ce60

Download Submit
C:\windows\SysWOW64\FVV.exe

Filesize
208KB

MD5
b166f211634fc977a2afafbe6088ee2e

SHA1
d04571c311850a05f606212cb65708f228fa1db9

SHA256
021bca8b526952986716ee72353c8e60457dac32191d75c7ed48032440004ead

SHA512
1ad106be149c0d6fd4e64e02154957a06f66ac54f5442093a2316dac8eaa185329c19bb6474fcd59be43780eabaf602a9be8086f2a64db554abf797c4463306c

Download Submit
C:\windows\SysWOW64\FVV.exe.bat

Filesize
70B

MD5
71f1068fd093765dc3709be4c692ee87

SHA1
fcf6cfade8c81369e39591fbf1a01335f1330f86

SHA256
5cf3d8356ade4b23b1c265accd769577089747a6a89a29d32481f0592df3ee05

SHA512
7b01c0020fd2402e377188aaf273fad90f684976a77462fc7ddeb192dc3ccfffd8551c04e64f11d4ba8d375515911cf6345ffe042112f94cc62f5ad4c5aafd5d

Download Submit
C:\windows\SysWOW64\VULPPXM.exe

Filesize
208KB

MD5
2a2d2c873b55e43aaa944573283e870c

SHA1
beb063492e49eb3b2de999b0d24c9565f26418ab

SHA256
5e0b734f9630af47b5ff406ffb1cb193cb7dfa9af08cb54289fcebe71c980145

SHA512
bf609266117514250a609bd7f0c953e3bfac5ffd83dbf921faeed298aed3f9e4b66420a9878f74f6ba8c8ebad505cdf3dd45f46b1ff9374553ef7059e9fe6f48

Download Submit
C:\windows\SysWOW64\VULPPXM.exe.bat

Filesize
78B

MD5
0335553faa273867333db5666b8fcb2c

SHA1
5c8bc285c892f28641455c9deba701257efa4c47

SHA256
f1be7bee963686d335b77909444247b1520aacbdc5506ea130adbb2579b382d0

SHA512
3a8a09d5918b1c4d5bfd711162e98a6eff94a79c656af92f9b579a1cffb0ac85b4624489dbe14c00e92c42891a6d69dcbb289f757516c3b7e6bdac6c9d2b49cd

Download Submit
memory/420-10-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/420-34-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1620-33-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1620-35-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2716-0-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2716-36-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3140-21-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3140-37-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download