Analysis
max time kernel: 196s
max time network: 204s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/10/2023, 01:32
Static task: static1
Behavioral task: behavioral1
  Sample: c9e6dee589715daa2c0bde8d9a9de139_JC.exe
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: c9e6dee589715daa2c0bde8d9a9de139_JC.exe
  Resource: win10v2004-20230915-en
General
Target: c9e6dee589715daa2c0bde8d9a9de139_JC.exe
Size: 48KB
MD5: c9e6dee589715daa2c0bde8d9a9de139
SHA1: a46154a248df435adab1e58cfadd2b56dd653c92
SHA256: 32c2b0e2b89103da6722110439572b10fd288054af0c7651b00d3d3568ce475a
SHA512: aafa36cf637511c61d29f4429e82a1f91ac0dda3abea7eb47ae4db603f3c88eb1ce6eafd0b8aead4f697dd326e108193f017c9bea7191382e2886345e9e8b4ab
SSDEEP: 768:4vQ5qeLHRdw2iPSMEk/6KMvu571x6EMb96/yX:4vQVLHjw2iWPKMvw71A7oyX
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation | c9e6dee589715daa2c0bde8d9a9de139_JC.exe

Executes dropped EXE (3 IoCs)
  pid | Process
  4896 | fsohost.exe
  412 | fsohost.exe
  4900 | fsohost.exe

Drops file in Windows directory (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\Debug\fsohost.exe | c9e6dee589715daa2c0bde8d9a9de139_JC.exe
  File created | C:\Windows\Debug\fsohost.exe | c9e6dee589715daa2c0bde8d9a9de139_JC.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (3 IoCs)
  pid | pid_target | Process | procid_target
  656 | 4896 | WerFault.exe | 88
  1952 | 412 | WerFault.exe | 96
  1524 | 4900 | WerFault.exe | 103

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeIncBasePriorityPrivilege | 5104 | c9e6dee589715daa2c0bde8d9a9de139_JC.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description | pid | Process | procid_target
  PID 5104 wrote to memory of 5084 | 5104 | c9e6dee589715daa2c0bde8d9a9de139_JC.exe | 91
  PID 5104 wrote to memory of 5084 | 5104 | c9e6dee589715daa2c0bde8d9a9de139_JC.exe | 91
  PID 5104 wrote to memory of 5084 | 5104 | c9e6dee589715daa2c0bde8d9a9de139_JC.exe | 91
Processes
- C:\Users\Admin\AppData\Local\Temp\c9e6dee589715daa2c0bde8d9a9de139_JC.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c9e6dee589715daa2c0bde8d9a9de139_JC.exe"
  PID: 5104
  Signatures: Checks computer location settings; Drops file in Windows directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\C9E6DE~1.EXE > nul
    PID: 5084
- C:\Windows\Debug\fsohost.exe
  Command line: C:\Windows\Debug\fsohost.exe
  PID: 4896
  Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 592
    PID: 656
    Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4896 -ip 4896
  PID: 4740
- C:\Windows\Debug\fsohost.exe
  Command line: C:\Windows\Debug\fsohost.exe
  PID: 412
  Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 412 -s 564
    PID: 1952
    Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 412 -ip 412
  PID: 932
- C:\Windows\Debug\fsohost.exe
  Command line: C:\Windows\Debug\fsohost.exe
  PID: 4900
  Signatures: Executes dropped EXE
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 564
    PID: 1524
    Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4900 -ip 4900
  PID: 3684
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 48KB
MD5: 91341f5c4eb5e69057cf8651fb24bfc3
SHA1: 8c38bee6d2189ecc5ed2869c86d732d24f48a9db
SHA256: 4e2d2efe23d4935eeffe96985f102c4eaa35064d067abe94a25f9715fe4785ca
SHA512: 88156825731df5001ff1d0c51dd50f42a5b0cf0b0857fa6b43b6113ecceba7b6acbf9ae7b88037eed5e8a3294f96b1d12d0a3f92c1ba0bec6c1e69dab1096e3a