Resubmissions
Analysis
-
max time kernel
147s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
04-06-2024 15:15
Static task
static1
Behavioral task
behavioral1
Sample
lrthijawd.exe
Resource
win7-20240221-en
General
-
Target
lrthijawd.exe
-
Size
898KB
-
MD5
1b1ecd323162c054864b63ada693cd71
-
SHA1
333a67545a5d1aad4d73a3501f7152b4529b6b3e
-
SHA256
902337bbf17ac4e015e03d12e79b60b8dd5a8362496da3291a39e9124c58d9ff
-
SHA512
f1776b6a457108f10ca940ce02ce98b73404f5cf18fccee4977024cfaf74d7f48666d4da9be1bee27531525e276cb8cfadba39b0c81e0fd8cbe42f7672f45b71
-
SSDEEP
24576:juDXTIGaPhEYzUzA0amuDXTIGaPhEYzUzA0bnl:KDjlabwz9aDjlabwz9rl
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
lrthijawd.exework.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation lrthijawd.exe Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation work.exe -
Executes dropped EXE 4 IoCs
Processes:
work.exejergs.exeialj.exeialj.exepid process 1768 work.exe 4984 jergs.exe 1544 ialj.exe 1208 ialj.exe -
Drops file in Windows directory 2 IoCs
Processes:
jergs.exedescription ioc process File created C:\Windows\Tasks\ialj.job jergs.exe File opened for modification C:\Windows\Tasks\ialj.job jergs.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
jergs.exepid process 4984 jergs.exe 4984 jergs.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
lrthijawd.execmd.exework.exedescription pid process target process PID 4472 wrote to memory of 1208 4472 lrthijawd.exe cmd.exe PID 4472 wrote to memory of 1208 4472 lrthijawd.exe cmd.exe PID 1208 wrote to memory of 1768 1208 cmd.exe work.exe PID 1208 wrote to memory of 1768 1208 cmd.exe work.exe PID 1768 wrote to memory of 4984 1768 work.exe jergs.exe PID 1768 wrote to memory of 4984 1768 work.exe jergs.exe PID 1768 wrote to memory of 4984 1768 work.exe jergs.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\lrthijawd.exe"C:\Users\Admin\AppData\Local\Temp\lrthijawd.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4472 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "2⤵
- Suspicious use of WriteProcessMemory
PID:1208 -
C:\Users\Admin\AppData\Local\Temp\RarSFX0\work.exework.exe -priverdD3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1768 -
C:\Users\Admin\AppData\Local\Temp\RarSFX1\jergs.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX1\jergs.exe"4⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:4984
-
-
-
-
C:\ProgramData\hdjr\ialj.exeC:\ProgramData\hdjr\ialj.exe start21⤵
- Executes dropped EXE
PID:1544
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2804 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:81⤵PID:1700
-
C:\ProgramData\hdjr\ialj.exeC:\ProgramData\hdjr\ialj.exe start21⤵
- Executes dropped EXE
PID:1208
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
35B
MD5ff59d999beb970447667695ce3273f75
SHA1316fa09f467ba90ac34a054daf2e92e6e2854ff8
SHA256065d2b17ad499587dc9de7ee9ecda4938b45da1df388bc72e6627dff220f64d2
SHA512d5ac72cb065a3cd3cb118a69a2f356314eeed24dcb4880751e1a3683895e66cedc62607967e29f77a0c27adf1c9fe0efd86e804f693f0a63a5b51b0bf0056b5d
-
Filesize
453KB
MD5405b7fbe8c0ed98620064f0cd80f24c4
SHA1bb9e45038e8a9f7b7cd0db62858ac65c74b74821
SHA2569dd8267e66dc584eecb3bece47e826d3189e41077f4083acdfc9a4f623b9c187
SHA5123dd4c407f6c2250d20c005e816e80ad442bb07f84ab02e25951331808fb4229219f9fddbcf1ac2e6d70985e3077a6401905f18a8b2c633e9d0a8b9cc6971b61d
-
Filesize
16KB
MD5c661a77c31f83c413a96b5537ad31989
SHA18a5a47e39a9efa9dc4de447d2ae4cd5e375e3557
SHA256cc5bb638cb34cbd386a906b7708eb62e05e3fc991a20bd060e1d84f722d29ff1
SHA512b86e45d36d8566b51f932f660ee9c3d79cea1a2eb34a9f7da7b2ccc5e50c74f319e8005e43d719c5722ec148ddddf1351a7f9edc430888e572b3884d1610b1aa