301606b8412f2e21101dbaadfa1898eb3dd60f4ebede80f2eae4165ddf3ddcca

Analysis

max time kernel
151s
max time network
156s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
13/10/2023, 01:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe
Size

825KB
MD5

64ff33cf9a3d079c63c0b0b4d42391d0
SHA1

43499a4f8b59401b3c679f314f83c20995ec2f4f
SHA256

301606b8412f2e21101dbaadfa1898eb3dd60f4ebede80f2eae4165ddf3ddcca
SHA512

53a64cd2683b70bbc0a360c8a63a680bee242665a28e143ec4653076746e5105edfac12373412e4ab077c38d071898a067230cb94f0ee7309c3bfb695023ceee
SSDEEP

6144:jASq+03d8KhKtL5vbXLMxqHe/rDLrDqfSfR2yh4A9xjZjk+cIi:jASq+0K/VbXLz+/HfDuSfRRrZ5i

Score

7^/10

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
812	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe
812	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe
812	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe
812	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe
812	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe
812	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe
812	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe
812	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe
812	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe
812	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe
812	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe
812	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe
812	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe
812	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe
812	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe
812	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe
3052	rundll32.exe
3052	rundll32.exe
3052	rundll32.exe
3052	rundll32.exe
3052	rundll32.exe
3052	rundll32.exe
3052	rundll32.exe
3052	rundll32.exe
3052	rundll32.exe
3052	rundll32.exe
3052	rundll32.exe
3052	rundll32.exe
3052	rundll32.exe
3052	rundll32.exe
3052	rundll32.exe
3052	rundll32.exe
3052	rundll32.exe
3052	rundll32.exe
3052	rundll32.exe
3052	rundll32.exe
3052	rundll32.exe
3052	rundll32.exe
3052	rundll32.exe
3052	rundll32.exe
3052	rundll32.exe
3052	rundll32.exe
3052	rundll32.exe
424	winlogon.exe
424	winlogon.exe
424	winlogon.exe
424	winlogon.exe
424	winlogon.exe
424	winlogon.exe
424	winlogon.exe
424	winlogon.exe
424	winlogon.exe
424	winlogon.exe
424	winlogon.exe
424	winlogon.exe
424	winlogon.exe
424	winlogon.exe
424	winlogon.exe
424	winlogon.exe
424	winlogon.exe
424	winlogon.exe
424	winlogon.exe
424	winlogon.exe
424	winlogon.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1200	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3052	rundll32.exe
Token: SeDebugPrivilege	424	winlogon.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 812 wrote to memory of 3052	812	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe	28
PID 812 wrote to memory of 3052	812	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe	28
PID 812 wrote to memory of 3052	812	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe	28
PID 812 wrote to memory of 3052	812	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe	28
PID 812 wrote to memory of 3052	812	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe	28
PID 812 wrote to memory of 3052	812	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe	28
PID 812 wrote to memory of 3052	812	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe	28
PID 812 wrote to memory of 3052	812	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe	28
PID 812 wrote to memory of 3052	812	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe	28
PID 3052 wrote to memory of 424	3052	rundll32.exe	2
PID 424 wrote to memory of 1104	424	winlogon.exe	21
PID 424 wrote to memory of 1200	424	winlogon.exe	19
PID 424 wrote to memory of 1812	424	winlogon.exe	23
PID 3052 wrote to memory of 1104	3052	rundll32.exe	21

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:424

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:1200
- C:\Users\Admin\AppData\Local\Temp\64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe"
  2⤵
  - Checks BIOS information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:812
- - C:\Windows\system32\rundll32.exe
    -go twmyrn.dll
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3052

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1104

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fgnio.tep

Filesize
6KB

MD5
08f4b48d2613b856b750f2f2462badd7

SHA1
405fb0d5695f7ce84b0087cf67542067b0dba147

SHA256
525ab16aab58d0b9f42c8dbab047f0ef4f13e55b43acac66b29e927f801ece14

SHA512
3aaecbd59eb08d00007e474000d7c8669d4b7d64321f71406d2ce916721a958d9b2acbacace000a4b1b1a125f277409ada43db2ec85d6a81451f16c9f832f75e

Download Submit
memory/424-73-0x0000000000290000-0x0000000000333000-memory.dmp

Filesize
652KB

Download
memory/424-41-0x0000000000410000-0x00000000004B3000-memory.dmp

Filesize
652KB

Download
memory/424-58-0x0000000000290000-0x0000000000333000-memory.dmp

Filesize
652KB

Download
memory/424-62-0x0000000000410000-0x00000000004B3000-memory.dmp

Filesize
652KB

Download
memory/424-25-0x0000000000410000-0x00000000004B3000-memory.dmp

Filesize
652KB

Download
memory/424-22-0x0000000000410000-0x00000000004B3000-memory.dmp

Filesize
652KB

Download
memory/424-75-0x0000000000290000-0x0000000000333000-memory.dmp

Filesize
652KB

Download
memory/812-21-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/812-23-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/812-16-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/812-17-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/812-12-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/812-11-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/812-26-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/812-10-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/812-24-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/812-14-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/812-18-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/812-19-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/812-29-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/812-31-0x00000000001B0000-0x00000000001E1000-memory.dmp

Filesize
196KB

Download
memory/812-0-0x00000000001B0000-0x00000000001E1000-memory.dmp

Filesize
196KB

Download
memory/812-2-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/812-61-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/812-9-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/812-1-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/1104-63-0x0000000001E40000-0x0000000001EE3000-memory.dmp

Filesize
652KB

Download
memory/1104-60-0x0000000000290000-0x0000000000333000-memory.dmp

Filesize
652KB

Download
memory/1104-39-0x0000000001E40000-0x0000000001EE3000-memory.dmp

Filesize
652KB

Download
memory/1104-72-0x0000000000290000-0x0000000000333000-memory.dmp

Filesize
652KB

Download
memory/1104-76-0x0000000000290000-0x0000000000333000-memory.dmp

Filesize
652KB

Download
memory/1104-50-0x0000000001C40000-0x0000000001C50000-memory.dmp

Filesize
64KB

Download
memory/1104-47-0x0000000001EF0000-0x0000000001F93000-memory.dmp

Filesize
652KB

Download
memory/1104-77-0x0000000000290000-0x0000000000333000-memory.dmp

Filesize
652KB

Download
memory/1104-71-0x0000000000290000-0x0000000000333000-memory.dmp

Filesize
652KB

Download
memory/1104-30-0x0000000001E40000-0x0000000001EE3000-memory.dmp

Filesize
652KB

Download
memory/1104-55-0x0000000000290000-0x0000000000333000-memory.dmp

Filesize
652KB

Download
memory/1104-38-0x0000000001EF0000-0x0000000001F93000-memory.dmp

Filesize
652KB

Download
memory/1104-56-0x0000000000290000-0x0000000000333000-memory.dmp

Filesize
652KB

Download
memory/1104-44-0x0000000001E40000-0x0000000001EE3000-memory.dmp

Filesize
652KB

Download
memory/1104-59-0x0000000000290000-0x0000000000333000-memory.dmp

Filesize
652KB

Download
memory/1200-70-0x0000000000290000-0x0000000000333000-memory.dmp

Filesize
652KB

Download
memory/1200-52-0x0000000000290000-0x0000000000333000-memory.dmp

Filesize
652KB

Download
memory/1200-79-0x000007FF59D00000-0x000007FF59D0A000-memory.dmp

Filesize
40KB

Download
memory/1200-57-0x0000000000290000-0x0000000000333000-memory.dmp

Filesize
652KB

Download
memory/1200-54-0x0000000000290000-0x0000000000333000-memory.dmp

Filesize
652KB

Download
memory/1200-37-0x0000000006180000-0x0000000006223000-memory.dmp

Filesize
652KB

Download
memory/1200-78-0x000007FEF71F0000-0x000007FEF7333000-memory.dmp

Filesize
1.3MB

Download
memory/1200-48-0x0000000001C40000-0x0000000001C50000-memory.dmp

Filesize
64KB

Download
memory/1200-33-0x0000000006180000-0x0000000006223000-memory.dmp

Filesize
652KB

Download
memory/1200-74-0x0000000000290000-0x0000000000333000-memory.dmp

Filesize
652KB

Download
memory/1200-64-0x0000000006180000-0x0000000006223000-memory.dmp

Filesize
652KB

Download
memory/1200-65-0x0000000001C40000-0x0000000001C50000-memory.dmp

Filesize
64KB

Download
memory/1200-66-0x0000000001C40000-0x0000000001C50000-memory.dmp

Filesize
64KB

Download
memory/1200-49-0x0000000001C40000-0x0000000001C50000-memory.dmp

Filesize
64KB

Download
memory/1200-68-0x0000000000290000-0x0000000000333000-memory.dmp

Filesize
652KB

Download
memory/1200-69-0x0000000000290000-0x0000000000333000-memory.dmp

Filesize
652KB

Download
memory/1200-45-0x0000000006180000-0x0000000006223000-memory.dmp

Filesize
652KB

Download
memory/1200-53-0x0000000000290000-0x0000000000333000-memory.dmp

Filesize
652KB

Download
memory/1812-35-0x0000000001EE0000-0x0000000001F83000-memory.dmp

Filesize
652KB

Download
memory/1812-46-0x0000000001EE0000-0x0000000001F83000-memory.dmp

Filesize
652KB

Download
memory/1812-40-0x0000000001EE0000-0x0000000001F83000-memory.dmp

Filesize
652KB

Download
memory/3052-15-0x0000000000290000-0x0000000000333000-memory.dmp

Filesize
652KB

Download
memory/3052-13-0x0000000000290000-0x0000000000333000-memory.dmp

Filesize
652KB

Download
memory/3052-67-0x0000000000290000-0x0000000000333000-memory.dmp

Filesize
652KB

Download
memory/3052-36-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/3052-51-0x0000000000290000-0x0000000000333000-memory.dmp

Filesize
652KB

Download