Analysis
max time kernel: 150s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20240221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-02-2024 04:27
Behavioral task behavioral1: Sample jjj.exe, Resource win7-20240221-en
Behavioral task behavioral2: Sample jjj.exe, Resource win10v2004-20240221-en
General
Target: jjj.exe
Size: 37KB
MD5: 1b6f416c01dab81fc69ba006b4cfd768
SHA1: ce5f59bcd9ab11d17e5c6dcc5024722f5275328a
SHA256: 91f01488d2602ac9c3139c22fe0ff48212d8da63be4f9fa33f48ad9ac778a974
SHA512: 94c083810adc76efd0d8928a93622f2001961efcb0fb002f9dfe77aad9c07eefe4fab768be35f2a674c97c0008f5dc1e5f392c0ce4a1c2a3435ee7f07b8d3ea7
SSDEEP: 384:SsSKMizdTjnBhFbJ8ycPvZ3hdwKax0rAF+rMRTyN/0L+EcoinblneHQM3epzXGNl:lSgTlLJfcPvZP9aurM+rMRa8NuQ9t
Malware Config
Signatures

Modifies Windows Firewall (2 TTPs, 1 IoC)
  pid 1828, process netsh.exe

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000\Control Panel\International\Geo\Nation
  process: jjj.exe

Executes dropped EXE (1 IoC)
  pid 1820, process ver.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (33 IoCs)
  All 33 entries are for pid 1820, process ver.exe. The report lists them in this order:
  Token: SeDebugPrivilege (1 entry)
  then alternating Token: 33 and Token: SeIncBasePriorityPrivilege (16 entries each)

Suspicious use of WriteProcessMemory (6 IoCs)
  description                          pid   Process   procid_target
  PID 4788 wrote to memory of 1820     4788  jjj.exe   87   (listed 3 times)
  PID 1820 wrote to memory of 1828     1820  ver.exe   88   (listed 3 times)
Processes

1. C:\Users\Admin\AppData\Local\Temp\jjj.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\jjj.exe"
   PID: 4788
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\ver.exe  (child of 1)
      Command line: "C:\Users\Admin\AppData\Roaming\ver.exe"
      PID: 1820
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\netsh.exe  (child of 2)
         Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\ver.exe" "ver.exe" ENABLE
         PID: 1828
         - Modifies Windows Firewall
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 37KB
MD5: 1b6f416c01dab81fc69ba006b4cfd768
SHA1: ce5f59bcd9ab11d17e5c6dcc5024722f5275328a
SHA256: 91f01488d2602ac9c3139c22fe0ff48212d8da63be4f9fa33f48ad9ac778a974
SHA512: 94c083810adc76efd0d8928a93622f2001961efcb0fb002f9dfe77aad9c07eefe4fab768be35f2a674c97c0008f5dc1e5f392c0ce4a1c2a3435ee7f07b8d3ea7