3c5e0085adfb6d60d77aa3b3f4a8cf2e3beb1139de69d1f921c6e1017da16a9f

Resubmissions

02/04/2024, 18:02

240402-wmv86shb83 7

02/04/2024, 17:49

240402-wd8g5sgh3s 7

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
02/04/2024, 17:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JIGUtility_V2.0.8.0_20230112.zip.7z
Size

14.1MB
MD5

6893edd1cddbd7739012c17982ec8001
SHA1

fa5373f9f94a5108b298a7c09e665cc89138b70a
SHA256

3c5e0085adfb6d60d77aa3b3f4a8cf2e3beb1139de69d1f921c6e1017da16a9f
SHA512

add8768abe8ce1a3e2d5a36f5efd280df30751058c348e81ed4d888277cc95ed9a0609d876b824a20bf5e14158db94b649397dd36f8520ece9377d9bc3a4aa7b
SSDEEP

393216:EJBXLLyRfK6WUZUCvZW6Ir6adMoGkEbdAJEkeaZI:EJFyJnvZW6IrlTl2dDj

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
3368	JIGUtility_V2.0.8.0.exe

Loads dropped DLL 1 IoCs

pid	Process
3368	JIGUtility_V2.0.8.0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 2 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	JIGUtility_V2.0.8.0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	JIGUtility_V2.0.8.0.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000_Classes\Local Settings	7zFM.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
984	NOTEPAD.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3544	7zFM.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeRestorePrivilege	3544	7zFM.exe
Token: 35	3544	7zFM.exe
Token: SeSecurityPrivilege	3544	7zFM.exe
Token: SeSecurityPrivilege	3544	7zFM.exe
Token: SeSecurityPrivilege	3544	7zFM.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
3544	7zFM.exe
3544	7zFM.exe
3544	7zFM.exe
3544	7zFM.exe
984	NOTEPAD.EXE
3544	7zFM.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3368	JIGUtility_V2.0.8.0.exe
3368	JIGUtility_V2.0.8.0.exe
3368	JIGUtility_V2.0.8.0.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1528 wrote to memory of 3544	1528	cmd.exe	87
PID 1528 wrote to memory of 3544	1528	cmd.exe	87
PID 3544 wrote to memory of 984	3544	7zFM.exe	101
PID 3544 wrote to memory of 984	3544	7zFM.exe	101
PID 3544 wrote to memory of 3368	3544	7zFM.exe	102
PID 3544 wrote to memory of 3368	3544	7zFM.exe	102
PID 3544 wrote to memory of 3368	3544	7zFM.exe	102

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\JIGUtility_V2.0.8.0_20230112.zip.7z
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\JIGUtility_V2.0.8.0_20230112.zip.7z"
  2⤵
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3544
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO8DDBA698\readme.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    - Suspicious use of FindShellTrayWindow
    PID:984
- - C:\Users\Admin\AppData\Local\Temp\7zO8DD95E29\JIGUtility_V2.0.8.0.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO8DD95E29\JIGUtility_V2.0.8.0.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks SCSI registry key(s)
    - Suspicious use of SetWindowsHookEx
    PID:3368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zO8DD95E29\JIGUtility_V2.0.8.0.exe

Filesize
9.4MB

MD5
3c41b25f4048eb64bc885cc08aaee53f

SHA1
a57295bb0e78ae6a3ddddd6efb30e82cc8c14df4

SHA256
1288b83462626e8f2ec920ca3ad059defdccd449e59003642b227efb632a40f7

SHA512
3532848d0e4a731bd9cc37579a66fcd5d408e4867ebc2ac12caa68a8774fdacba62f2c218729b5ce7af7c76089056bdd5c2a9d858b0738a957684e447b095274

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO8DDBA698\readme.txt

Filesize
6KB

MD5
48f3d46b84e727d01e822ad194fdcaad

SHA1
ac3cefa3dad3053e7a7abe6c3b0883882edaba2a

SHA256
ff9a81f334b2263de647872cffca21ad8a7963d93983a87251ea6747dbed1538

SHA512
aa59d1583564ae3db25d5001fc31f37a44a3896962265adbdf3d1f745501b2bb68e8651504157d50746b1568db5cdc47da68f7cc315e2d64644aa75d37946e07

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jl2v717KSV.dll

Filesize
534KB

MD5
0c2ba7dd154b4b978993326f3fbb1ed5

SHA1
b60574dbf26b7d93dbdd06a43120b83ce7d80f71

SHA256
783d2c0b3392f8d14ef7d32b27827adfb0c4310b6fc73dbf50def4effbec351d

SHA512
aa031204cfd09d11f6a6c2bb5f65de3f432bd37d20a3f7c7e3dca81ba25a0ed9b0c521c622529a79e798e45fc324ce6221e67a643babcd76be68681dfc706c40

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads