Overview

overview

10

Static

static

3

Jz.exe

windows10-2004-x64

Analysis

  • max time kernel
    34s
  • max time network
    36s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16/04/2024, 00:24

Sharing

Copy URL Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    Jz.exe

  • Size

    7.5MB

  • MD5

    cf7974f3af7e1307a4c325750febb201

  • SHA1

    8b1695eb2481872694ac785ba0a14c8e1bb7398c

  • SHA256

    9d2ad8c13ed60d88296433fd3b911995589ff90c476f4ec028596f43f1ac9fe3

  • SHA512

    150895aaf679304c6715368561e8435f6290fcf714f98dac1f0714e6057304708c6524ed1d323426822b765a2e6d578fc618628d1f9ba998afb6564109600612

  • SSDEEP

    196608:XdgqoyUWq8D+w448SSwzxzgjboADM8IaeTCRI:FawN8SXz+YUIRCRI

Score
10/10
agilenetevasionpersistencethemidatrojan

Malware Config

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Obfuscated with Agile.Net obfuscator 2 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Themida packer 6 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Jz.exe
    "C:\Users\Admin\AppData\Local\Temp\Jz.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1292
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\ProgramData\z.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2796
      • C:\Windows\system32\chcp.com
        chcp.com 437
        3⤵
          PID:1924
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c type tmp
          3⤵
            PID:3400
          • C:\Windows\system32\find.exe
            find
            3⤵
              PID:2364
            • C:\Windows\system32\find.exe
              find
              3⤵
                PID:1452
              • C:\Windows\system32\findstr.exe
                findstr /L /I set "C:\ProgramData\z.bat"
                3⤵
                  PID:1736
                • C:\Windows\system32\findstr.exe
                  findstr /L /I goto "C:\ProgramData\z.bat"
                  3⤵
                    PID:3152
                  • C:\Windows\system32\findstr.exe
                    findstr /L /I echo "C:\ProgramData\z.bat"
                    3⤵
                      PID:1940
                    • C:\Windows\system32\findstr.exe
                      findstr /L /I pause "C:\ProgramData\z.bat"
                      3⤵
                        PID:1016
                      • C:\Windows\system32\cmd.exe
                        C:\Windows\system32\cmd.exe /c type tmp
                        3⤵
                          PID:4048
                        • C:\Windows\system32\cmd.exe
                          cmd.exe /c mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The instruction at 0x00000000771034FB referenced memory at 0x00000000771034FB. The required data was not placed into memory because of an I/O error status of 0x0000428. Click on OK to terminate the program', 0, 'Application Error', 0+16);close()"
                          3⤵
                          • Suspicious use of WriteProcessMemory
                          PID:3320
                          • C:\Windows\system32\mshta.exe
                            mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The instruction at 0x00000000771034FB referenced memory at 0x00000000771034FB. The required data was not placed into memory because of an I/O error status of 0x0000428. Click on OK to terminate the program', 0, 'Application Error', 0+16);close()"
                            4⤵
                              PID:4124
                          • C:\Windows\system32\cmd.exe
                            cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
                            3⤵
                            • Suspicious use of WriteProcessMemory
                            PID:4132
                            • C:\Windows\system32\reg.exe
                              reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
                              4⤵
                              • UAC bypass
                              PID:2368
                        • C:\ProgramData\svchost.exe
                          "C:\ProgramData\svchost.exe"
                          2⤵
                          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                          • Checks BIOS information in registry
                          • Checks computer location settings
                          • Drops startup file
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • Adds Run key to start application
                          • Checks whether UAC is enabled
                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of SetWindowsHookEx
                          • Suspicious use of WriteProcessMemory
                          PID:2924
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchost.exe'
                            3⤵
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2324
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
                            3⤵
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:3992
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
                            3⤵
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:2948
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
                            3⤵
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:4076

                      Network

                            MITRE ATT&CK Enterprise v15

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • C:\ProgramData\svchost.exe
                              Filesize

                              7.0MB

                              MD5

                              6a1120e0851cf90cf23cd75c016206aa

                              SHA1

                              9962964a5435cf5b6f842830abb45effa1b26829

                              SHA256

                              851cf739d5cf8f8b153127c5bcad620b093e6c343c44cbf4860c2fbc1eae3da2

                              SHA512

                              ca57d7f8ca0d527f4781b8f8e6b9ae3d494be46f4bab0ce2a379ec608557cda1468e73db66e9159b2c67b7e279d3e5e2b1a18f39e48e0a75839c4c6469461909

                              Download Submit

                            • C:\ProgramData\tmp
                              Filesize

                              14B

                              MD5

                              ce585c6ba32ac17652d2345118536f9c

                              SHA1

                              be0e41b3690c42e4c0cdb53d53fc544fb46b758d

                              SHA256

                              589c942e748ea16dc86923c4391092707ce22315eb01cb85b0988c6762aa0ed3

                              SHA512

                              d397eda475d6853ce5cc28887690ddd5f8891be43767cdb666396580687f901fb6f0cc572afa18bde1468a77e8397812009c954f386c8f69cc0678e1253d5752

                              Download Submit

                            • C:\ProgramData\z.bat
                              Filesize

                              20KB

                              MD5

                              77946ef866ba3e46fb161bc52214c616

                              SHA1

                              20a53a00be7f4c76e3a1b02eb82675f7b8e77a0c

                              SHA256

                              0562794443d5322e9271dbdce3af9b3ba5e14e831077796552f0d507e836c48f

                              SHA512

                              b5671ee7de190613ff6095b564283c5b689008c79eab91ab39d95241dfed797ca61ee196bebbac4d481e5c0e4330bc6de40d7486f4d7eb8e0fcb01a734e1cbdb

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                              Filesize

                              2KB

                              MD5

                              d85ba6ff808d9e5444a4b369f5bc2730

                              SHA1

                              31aa9d96590fff6981b315e0b391b575e4c0804a

                              SHA256

                              84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                              SHA512

                              8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                              Filesize

                              944B

                              MD5

                              77d622bb1a5b250869a3238b9bc1402b

                              SHA1

                              d47f4003c2554b9dfc4c16f22460b331886b191b

                              SHA256

                              f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

                              SHA512

                              d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                              Filesize

                              944B

                              MD5

                              e5663972c1caaba7088048911c758bf3

                              SHA1

                              3462dea0f9c2c16a9c3afdaef8bbb1f753c1c198

                              SHA256

                              9f7f29a4696876cadca3f14d7e43f9ede0c97fd64be3f5d94bda49a91b6a419e

                              SHA512

                              ff4e72c46cf083de62baa2ce2661555dd91b5f144294015f7b262fd4500cb67fe80e1871a82da63b607e3e9cef401f4b73c587bf1134637881ecad51aad1eddc

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                              Filesize

                              944B

                              MD5

                              e8478294527bc11b50f13186fc7c114e

                              SHA1

                              4f183fdc2b56fdaea9001248fc89aa748af257c4

                              SHA256

                              dde84811ceb2d1ebcf5b3d6128d0ccce673bb1a5324bffd444300a00c60f32a5

                              SHA512

                              72bda9eb9a4199043bbf538af4a30eea44e23efeafcaa0ad9e83ab18ed37823fafe8d4e833afe5f686c30f2ed46cce2ecf16c34bf6a2f4cdc09e711568197655

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\9c8445fa-8ed9-4f35-ae7d-eaaab8ab464a\AgileDotNetRT64.dll
                              Filesize

                              4.2MB

                              MD5

                              05b012457488a95a05d0541e0470d392

                              SHA1

                              74f541d6a8365508c794ef7b4ac7c297457f9ce3

                              SHA256

                              1f77a0749ac730500f203b8c4d072587923ac679e184a3859aeb855c2a2e7d8d

                              SHA512

                              6d6e7b838d4425d49ac8d3738135374ef5357f0677b07cecb7afbf5feddc1997bf6dce68d48787eff8a74c4728def8880c8f01842eda35b5815fb561fa401ae6

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pwdojr1n.mfw.ps1
                              Filesize

                              60B

                              MD5

                              d17fe0a3f47be24a6453e9ef58c94641

                              SHA1

                              6ab83620379fc69f80c0242105ddffd7d98d5d9d

                              SHA256

                              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                              SHA512

                              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                              Download Submit

                            • memory/2324-39-0x000001A6B3C30000-0x000001A6B3C52000-memory.dmp

                              Filesize

                              136KB

                              Download

                            • memory/2324-45-0x000001A6B3B20000-0x000001A6B3B30000-memory.dmp

                              Filesize

                              64KB

                              Download

                            • memory/2324-44-0x000001A6B3B20000-0x000001A6B3B30000-memory.dmp

                              Filesize

                              64KB

                              Download

                            • memory/2324-40-0x00007FFC53960000-0x00007FFC54421000-memory.dmp

                              Filesize

                              10.8MB

                              Download

                            • memory/2324-48-0x00007FFC53960000-0x00007FFC54421000-memory.dmp

                              Filesize

                              10.8MB

                              Download

                            • memory/2924-103-0x00007FFC4E9E0000-0x00007FFC4F564000-memory.dmp

                              Filesize

                              11.5MB

                              Download

                            • memory/2924-31-0x00007FFC4E9E0000-0x00007FFC4F564000-memory.dmp

                              Filesize

                              11.5MB

                              Download

                            • memory/2924-26-0x00007FFC72010000-0x00007FFC72205000-memory.dmp

                              Filesize

                              2.0MB

                              Download

                            • memory/2924-104-0x000000001DF80000-0x000000001DF8E000-memory.dmp

                              Filesize

                              56KB

                              Download

                            • memory/2924-32-0x00007FFC52150000-0x00007FFC5229E000-memory.dmp

                              Filesize

                              1.3MB

                              Download

                            • memory/2924-25-0x00007FFC4E9E0000-0x00007FFC4F564000-memory.dmp

                              Filesize

                              11.5MB

                              Download

                            • memory/2924-102-0x00007FFC4E9E0000-0x00007FFC4F564000-memory.dmp

                              Filesize

                              11.5MB

                              Download

                            • memory/2924-64-0x00007FFC4E9E0000-0x00007FFC4F564000-memory.dmp

                              Filesize

                              11.5MB

                              Download

                            • memory/2924-95-0x00007FFC72010000-0x00007FFC72205000-memory.dmp

                              Filesize

                              2.0MB

                              Download

                            • memory/2924-17-0x00007FFC53960000-0x00007FFC54421000-memory.dmp

                              Filesize

                              10.8MB

                              Download

                            • memory/2924-90-0x00007FFC53960000-0x00007FFC54421000-memory.dmp

                              Filesize

                              10.8MB

                              Download

                            • memory/2924-16-0x00000000009B0000-0x00000000010B6000-memory.dmp

                              Filesize

                              7.0MB

                              Download

                            • memory/2948-80-0x00007FFC53960000-0x00007FFC54421000-memory.dmp

                              Filesize

                              10.8MB

                              Download

                            • memory/2948-78-0x000001FD2EB20000-0x000001FD2EB30000-memory.dmp

                              Filesize

                              64KB

                              Download

                            • memory/2948-67-0x000001FD2EB20000-0x000001FD2EB30000-memory.dmp

                              Filesize

                              64KB

                              Download

                            • memory/2948-66-0x000001FD2EB20000-0x000001FD2EB30000-memory.dmp

                              Filesize

                              64KB

                              Download

                            • memory/2948-65-0x00007FFC53960000-0x00007FFC54421000-memory.dmp

                              Filesize

                              10.8MB

                              Download

                            • memory/3992-63-0x00007FFC53960000-0x00007FFC54421000-memory.dmp

                              Filesize

                              10.8MB

                              Download

                            • memory/3992-51-0x000001CA61820000-0x000001CA61830000-memory.dmp

                              Filesize

                              64KB

                              Download

                            • memory/3992-50-0x00007FFC53960000-0x00007FFC54421000-memory.dmp

                              Filesize

                              10.8MB

                              Download

                            • memory/4076-92-0x00007FFC53960000-0x00007FFC54421000-memory.dmp

                              Filesize

                              10.8MB

                              Download

                            • memory/4076-93-0x00000233FFF70000-0x00000233FFF80000-memory.dmp

                              Filesize

                              64KB

                              Download

                            • memory/4076-94-0x00000233FFF70000-0x00000233FFF80000-memory.dmp

                              Filesize

                              64KB

                              Download

                            • memory/4076-97-0x00007FFC53960000-0x00007FFC54421000-memory.dmp

                              Filesize

                              10.8MB

                              Download