301606b8412f2e21101dbaadfa1898eb3dd60f4ebede80f2eae4165ddf3ddcca

Analysis

max time kernel
155s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2023, 01:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe
Size

825KB
MD5

64ff33cf9a3d079c63c0b0b4d42391d0
SHA1

43499a4f8b59401b3c679f314f83c20995ec2f4f
SHA256

301606b8412f2e21101dbaadfa1898eb3dd60f4ebede80f2eae4165ddf3ddcca
SHA512

53a64cd2683b70bbc0a360c8a63a680bee242665a28e143ec4653076746e5105edfac12373412e4ab077c38d071898a067230cb94f0ee7309c3bfb695023ceee
SSDEEP

6144:jASq+03d8KhKtL5vbXLMxqHe/rDLrDqfSfR2yh4A9xjZjk+cIi:jASq+0K/VbXLz+/HfDuSfRRrZ5i

Score

7^/10

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2424	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe
2424	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe
2424	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe
2424	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe
2424	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe
2424	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe
2424	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe
2424	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe
2424	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe
2424	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe
2424	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe
2424	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe
2424	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe
2424	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe
2424	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe
2424	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe
2424	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe
2424	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe
2424	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe
2424	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe
2424	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe
2424	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe
2424	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe
2424	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe
2424	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe
2424	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe
2424	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe
2424	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe
2424	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe
2424	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe
2424	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe
2424	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe
2424	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe
2424	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe
2424	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe
2424	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe
2424	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe
2424	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe
2424	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe
2424	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe
2424	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe
2424	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe
2424	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe
2424	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe
2424	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe
2424	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe
2424	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe
2424	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe
2424	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe
2424	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe
2424	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe
2424	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe
2424	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe
2424	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe
1788	rundll32.exe
1788	rundll32.exe
1788	rundll32.exe
1788	rundll32.exe
1788	rundll32.exe
1788	rundll32.exe
1788	rundll32.exe
1788	rundll32.exe
1788	rundll32.exe
1788	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3148	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	1788	rundll32.exe
Token: SeDebugPrivilege	620	winlogon.exe
Token: SeShutdownPrivilege	332	dwm.exe
Token: SeCreatePagefilePrivilege	332	dwm.exe
Token: SeShutdownPrivilege	3148	Explorer.EXE
Token: SeCreatePagefilePrivilege	3148	Explorer.EXE
Token: SeShutdownPrivilege	332	dwm.exe
Token: SeCreatePagefilePrivilege	332	dwm.exe
Token: SeShutdownPrivilege	3756	RuntimeBroker.exe
Token: SeShutdownPrivilege	3756	RuntimeBroker.exe
Token: SeShutdownPrivilege	3756	RuntimeBroker.exe
Token: SeShutdownPrivilege	332	dwm.exe
Token: SeCreatePagefilePrivilege	332	dwm.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3148	Explorer.EXE

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 1788	2424	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe	83
PID 2424 wrote to memory of 1788	2424	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe	83
PID 2424 wrote to memory of 1788	2424	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe	83
PID 2424 wrote to memory of 1788	2424	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe	83
PID 2424 wrote to memory of 1788	2424	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe	83
PID 2424 wrote to memory of 1788	2424	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe	83
PID 2424 wrote to memory of 1788	2424	64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe	83
PID 1788 wrote to memory of 620	1788	rundll32.exe	3
PID 1788 wrote to memory of 332	1788	rundll32.exe	15
PID 620 wrote to memory of 2344	620	winlogon.exe	40
PID 1788 wrote to memory of 2344	1788	rundll32.exe	40
PID 620 wrote to memory of 2360	620	winlogon.exe	41
PID 1788 wrote to memory of 2360	1788	rundll32.exe	41
PID 620 wrote to memory of 2472	620	winlogon.exe	64
PID 620 wrote to memory of 3148	620	winlogon.exe	46
PID 620 wrote to memory of 3328	620	winlogon.exe	57
PID 620 wrote to memory of 3548	620	winlogon.exe	55
PID 620 wrote to memory of 3756	620	winlogon.exe	53
PID 620 wrote to memory of 4004	620	winlogon.exe	47
PID 620 wrote to memory of 4696	620	winlogon.exe	48
PID 620 wrote to memory of 4392	620	winlogon.exe	81

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:620
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:332

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2360

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:3148
- C:\Users\Admin\AppData\Local\Temp\64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\64ff33cf9a3d079c63c0b0b4d42391d0exe_JC.exe"
  2⤵
  - Checks BIOS information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2424
- - C:\Windows\system32\rundll32.exe
    -x iqh.dll
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1788

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4004

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4696

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3756

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3548

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3328

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2472

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nnug.bso

Filesize
2KB

MD5
5837e97696b40760976bc4d19ce1109e

SHA1
46b7683ad02d2f5ff64d7cd8331fa5d28acb0238

SHA256
a1f8aed453bb64da1c79163bf804d4f37f56a33e7cec4a3b5546c5128732eec4

SHA512
097d2070e68236c5c24ca5d92194eb51920f8a0e2f236a7e364e97ca7154ee5602156503248eb62151eb8c78dd6eb86edce1ee725a091e8a371fc3a3640d22f4

Download Submit
memory/332-42-0x00000262FC7D0000-0x00000262FC873000-memory.dmp

Filesize
652KB

Download
memory/332-56-0x00000262FC7D0000-0x00000262FC873000-memory.dmp

Filesize
652KB

Download
memory/332-52-0x00000262FC7D0000-0x00000262FC873000-memory.dmp

Filesize
652KB

Download
memory/332-47-0x00000262FC7D0000-0x00000262FC873000-memory.dmp

Filesize
652KB

Download
memory/332-33-0x00000262FC7D0000-0x00000262FC873000-memory.dmp

Filesize
652KB

Download
memory/332-39-0x00000262FC7D0000-0x00000262FC873000-memory.dmp

Filesize
652KB

Download
memory/332-27-0x00000262FC7D0000-0x00000262FC873000-memory.dmp

Filesize
652KB

Download
memory/332-36-0x00000262FC7D0000-0x00000262FC873000-memory.dmp

Filesize
652KB

Download
memory/620-22-0x00000210CDC10000-0x00000210CDCB3000-memory.dmp

Filesize
652KB

Download
memory/620-31-0x00000210CDC10000-0x00000210CDCB3000-memory.dmp

Filesize
652KB

Download
memory/620-29-0x00000210CDC10000-0x00000210CDCB3000-memory.dmp

Filesize
652KB

Download
memory/620-57-0x00000210CDC10000-0x00000210CDCB3000-memory.dmp

Filesize
652KB

Download
memory/620-26-0x00000210CDC10000-0x00000210CDCB3000-memory.dmp

Filesize
652KB

Download
memory/1788-45-0x0000000000280000-0x0000000000323000-memory.dmp

Filesize
652KB

Download
memory/1788-17-0x0000000000280000-0x0000000000323000-memory.dmp

Filesize
652KB

Download
memory/1788-21-0x0000000000280000-0x0000000000323000-memory.dmp

Filesize
652KB

Download
memory/1788-19-0x0000000000280000-0x0000000000323000-memory.dmp

Filesize
652KB

Download
memory/1788-16-0x0000000000280000-0x0000000000323000-memory.dmp

Filesize
652KB

Download
memory/1788-13-0x0000000000280000-0x0000000000323000-memory.dmp

Filesize
652KB

Download
memory/1788-23-0x0000000000280000-0x0000000000323000-memory.dmp

Filesize
652KB

Download
memory/1788-12-0x0000000000280000-0x0000000000323000-memory.dmp

Filesize
652KB

Download
memory/2344-63-0x000001BDBDF70000-0x000001BDBE013000-memory.dmp

Filesize
652KB

Download
memory/2344-53-0x000001BDBE020000-0x000001BDBE0C3000-memory.dmp

Filesize
652KB

Download
memory/2344-58-0x000001BDBDF70000-0x000001BDBE013000-memory.dmp

Filesize
652KB

Download
memory/2344-40-0x000001BDBDF70000-0x000001BDBE013000-memory.dmp

Filesize
652KB

Download
memory/2344-125-0x000001BDBDF70000-0x000001BDBE013000-memory.dmp

Filesize
652KB

Download
memory/2344-38-0x000001BDBE020000-0x000001BDBE0C3000-memory.dmp

Filesize
652KB

Download
memory/2344-67-0x000001BDBDF70000-0x000001BDBE013000-memory.dmp

Filesize
652KB

Download
memory/2344-71-0x000001BDBDF70000-0x000001BDBE013000-memory.dmp

Filesize
652KB

Download
memory/2344-80-0x000001BDBDF70000-0x000001BDBE013000-memory.dmp

Filesize
652KB

Download
memory/2344-50-0x000001BDBDF70000-0x000001BDBE013000-memory.dmp

Filesize
652KB

Download
memory/2344-54-0x000001BDBDF70000-0x000001BDBE013000-memory.dmp

Filesize
652KB

Download
memory/2360-59-0x00000299D4940000-0x00000299D49E3000-memory.dmp

Filesize
652KB

Download
memory/2360-73-0x00000299D4940000-0x00000299D49E3000-memory.dmp

Filesize
652KB

Download
memory/2360-49-0x00000299D4940000-0x00000299D49E3000-memory.dmp

Filesize
652KB

Download
memory/2360-81-0x00000299D4940000-0x00000299D49E3000-memory.dmp

Filesize
652KB

Download
memory/2360-86-0x00000299D4940000-0x00000299D49E3000-memory.dmp

Filesize
652KB

Download
memory/2360-78-0x00000299D4940000-0x00000299D49E3000-memory.dmp

Filesize
652KB

Download
memory/2360-46-0x00000299D42E0000-0x00000299D4383000-memory.dmp

Filesize
652KB

Download
memory/2360-65-0x00000299D4940000-0x00000299D49E3000-memory.dmp

Filesize
652KB

Download
memory/2360-64-0x00000299D4940000-0x00000299D49E3000-memory.dmp

Filesize
652KB

Download
memory/2360-135-0x00000299D4940000-0x00000299D49E3000-memory.dmp

Filesize
652KB

Download
memory/2360-61-0x00000299D42E0000-0x00000299D4383000-memory.dmp

Filesize
652KB

Download
memory/2360-60-0x00000299D42E0000-0x00000299D4383000-memory.dmp

Filesize
652KB

Download
memory/2424-1-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/2424-14-0x0000000000970000-0x00000000009A1000-memory.dmp

Filesize
196KB

Download
memory/2424-30-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/2424-0-0x0000000000970000-0x00000000009A1000-memory.dmp

Filesize
196KB

Download
memory/2424-15-0x0000000000400000-0x00000000004F0000-memory.dmp

Filesize
960KB

Download
memory/2424-11-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/2424-9-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/2424-10-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/2424-8-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/2472-83-0x0000026D5B330000-0x0000026D5B3D3000-memory.dmp

Filesize
652KB

Download
memory/2472-85-0x0000026D5B330000-0x0000026D5B3D3000-memory.dmp

Filesize
652KB

Download
memory/2472-149-0x0000026D5B330000-0x0000026D5B3D3000-memory.dmp

Filesize
652KB

Download
memory/2472-75-0x0000026D5B330000-0x0000026D5B3D3000-memory.dmp

Filesize
652KB

Download
memory/2472-69-0x0000026D5B330000-0x0000026D5B3D3000-memory.dmp

Filesize
652KB

Download
memory/2472-70-0x0000026D5B330000-0x0000026D5B3D3000-memory.dmp

Filesize
652KB

Download
memory/2472-55-0x0000026D5B330000-0x0000026D5B3D3000-memory.dmp

Filesize
652KB

Download
memory/3148-82-0x0000000006FD0000-0x0000000007073000-memory.dmp

Filesize
652KB

Download
memory/3148-74-0x0000000006FD0000-0x0000000007073000-memory.dmp

Filesize
652KB

Download
memory/3148-84-0x0000000006FD0000-0x0000000007073000-memory.dmp

Filesize
652KB

Download
memory/3148-76-0x0000000006FD0000-0x0000000007073000-memory.dmp

Filesize
652KB

Download
memory/3148-150-0x0000000006FD0000-0x0000000007073000-memory.dmp

Filesize
652KB

Download
memory/3148-66-0x0000000006FD0000-0x0000000007073000-memory.dmp

Filesize
652KB

Download
memory/3328-96-0x000001E007940000-0x000001E0079E3000-memory.dmp

Filesize
652KB

Download
memory/3328-151-0x000001E007940000-0x000001E0079E3000-memory.dmp

Filesize
652KB

Download
memory/3756-108-0x0000023B3A650000-0x0000023B3A6F3000-memory.dmp

Filesize
652KB

Download
memory/3756-152-0x0000023B3A650000-0x0000023B3A6F3000-memory.dmp

Filesize
652KB

Download
memory/4004-114-0x000002D284F20000-0x000002D284FC3000-memory.dmp

Filesize
652KB

Download
memory/4004-153-0x000002D284F20000-0x000002D284FC3000-memory.dmp

Filesize
652KB

Download
memory/4392-139-0x000001E5AD040000-0x000001E5AD0E3000-memory.dmp

Filesize
652KB

Download
memory/4392-155-0x000001E5AD040000-0x000001E5AD0E3000-memory.dmp

Filesize
652KB

Download
memory/4392-162-0x000001E5AD040000-0x000001E5AD0E3000-memory.dmp

Filesize
652KB

Download
memory/4696-131-0x000001BBC93B0000-0x000001BBC9453000-memory.dmp

Filesize
652KB

Download
memory/4696-154-0x000001BBC93B0000-0x000001BBC9453000-memory.dmp

Filesize
652KB

Download