Analysis

max time kernel: 149s
max time network: 135s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-06-2024 13:32

Static task: static1

Behavioral task: behavioral1
  Sample: cc8058b2aa85f39a646fc8aefbe8ee4767af9ec8eb518af8fbbf501f1543566a.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: cc8058b2aa85f39a646fc8aefbe8ee4767af9ec8eb518af8fbbf501f1543566a.exe
  Resource: win10v2004-20240508-en
General

Target: cc8058b2aa85f39a646fc8aefbe8ee4767af9ec8eb518af8fbbf501f1543566a.exe
Size: 406KB
MD5: 6b5ea479b3d938f82138a3f456b9896b
SHA1: f214db6c0dbe3d5ccd8215f585ccf749895acce3
SHA256: cc8058b2aa85f39a646fc8aefbe8ee4767af9ec8eb518af8fbbf501f1543566a
SHA512: 54bd0667c7e7af04515841f6f2180a4119dfbd8a71a5569d622111275a771fd4c591df343ea246e7e9e2827a20794fb3d24b6a34fa28e826b26f5b951b0d2188
SSDEEP: 6144:3w9D91dOrcN3ZGXNYFNmIkYvUIelVjjVtGRyFH4:gtRfJcNYFNm8UhlZGse
Malware Config
Signatures

Blocklisted process makes network request (8 IoCs)
  Processes: rundll32.exe (PID 4556), network flows 2, 7, 9, 10, 15, 16, 17, 18

Deletes itself (1 IoC)
  Processes: jbsytqog.exe (PID 2040)

Executes dropped EXE (1 IoC)
  Processes: jbsytqog.exe (PID 2040)

Loads dropped DLL (1 IoC)
  Processes: rundll32.exe (PID 4556)

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: rundll32.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dotx = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\Program Files\\cruszjaf\\jpshfj.dll\",Verify"

Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: rundll32.exe
  File opened (read-only): \??\s:, \??\t:, \??\w:, \??\b:, \??\h:, \??\i:, \??\m:, \??\o:, \??\y:, \??\a:, \??\e:, \??\p:, \??\q:, \??\r:, \??\k:, \??\n:, \??\x:, \??\z:, \??\g:, \??\j:, \??\l:, \??\u:, \??\v:

Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes: rundll32.exe
  File opened for modification: \??\PHYSICALDRIVE0

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes: rundll32.exe (PID 4556)

Drops file in Program Files directory (2 IoCs)
  Processes: jbsytqog.exe
  File opened for modification: \??\c:\Program Files\cruszjaf
  File created: \??\c:\Program Files\cruszjaf\jpshfj.dll

Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: rundll32.exe
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Runs ping.exe (1 TTP, 1 IoC)

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: rundll32.exe (PID 4556), 64 occurrences

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: rundll32.exe (PID 4556)
  Token: SeDebugPrivilege

Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: cc8058b2aa85f39a646fc8aefbe8ee4767af9ec8eb518af8fbbf501f1543566a.exe (PID 3268), jbsytqog.exe (PID 2040)

Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: cc8058b2aa85f39a646fc8aefbe8ee4767af9ec8eb518af8fbbf501f1543566a.exe, cmd.exe, jbsytqog.exe
  PID 3268 (cc8058b2aa85f39a646fc8aefbe8ee4767af9ec8eb518af8fbbf501f1543566a.exe) wrote to memory of PID 2416 (cmd.exe), 3 times
  PID 2416 (cmd.exe) wrote to memory of PID 924 (PING.EXE), 3 times
  PID 2416 (cmd.exe) wrote to memory of PID 2040 (jbsytqog.exe), 3 times
  PID 2040 (jbsytqog.exe) wrote to memory of PID 4556 (rundll32.exe), 3 times
Processes

1. C:\Users\Admin\AppData\Local\Temp\cc8058b2aa85f39a646fc8aefbe8ee4767af9ec8eb518af8fbbf501f1543566a.exe (PID 3268)
   Command line: "C:\Users\Admin\AppData\Local\Temp\cc8058b2aa85f39a646fc8aefbe8ee4767af9ec8eb518af8fbbf501f1543566a.exe"
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe (PID 2416)
      Command line: cmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\jbsytqog.exe "C:\Users\Admin\AppData\Local\Temp\cc8058b2aa85f39a646fc8aefbe8ee4767af9ec8eb518af8fbbf501f1543566a.exe"
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\PING.EXE (PID 924)
         Command line: ping 127.0.0.1 -n 2
         - Runs ping.exe

      3. C:\Users\Admin\AppData\Local\Temp\jbsytqog.exe (PID 2040)
         Command line: C:\Users\Admin\AppData\Local\Temp\\jbsytqog.exe "C:\Users\Admin\AppData\Local\Temp\cc8058b2aa85f39a646fc8aefbe8ee4767af9ec8eb518af8fbbf501f1543566a.exe"
         - Deletes itself
         - Executes dropped EXE
         - Drops file in Program Files directory
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory

         4. \??\c:\windows\SysWOW64\rundll32.exe (PID 4556)
            Command line: c:\windows\system32\rundll32.exe "c:\Program Files\cruszjaf\jpshfj.dll",Verify C:\Users\Admin\AppData\Local\Temp\jbsytqog.exe
            - Blocklisted process makes network request
            - Loads dropped DLL
            - Adds Run key to start application
            - Enumerates connected drives
            - Writes to the Master Boot Record (MBR)
            - Suspicious use of NtSetInformationThreadHideFromDebugger
            - Checks processor information in registry
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Pre-OS Boot (1)
    Bootkit (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Downloads

Dropped file 1
  Filesize: 406KB
  MD5: dc05b7e8c7c62649426c4047eaf69ebd
  SHA1: 240859d6f08aedd5384379a977a1727b789f668d
  SHA256: 0b4b375defd4d9080cfa1d49544e7b7ae9be0b1da8e45b773b03548f0470271d
  SHA512: 28f2b9955a7c6f61f98d383c02399dd11a4b4a122c234a6048b787db72b2d71960d4f8137bf18fd6ce612c5b68b3eb791dcf140c2320c55ac2fbaa855a4a0274

Dropped file 2
  Filesize: 228KB
  MD5: e50b87227d8a927d43f52b11b7cd6202
  SHA1: 92d0ab718192b4ab9b3706bfd857100ba08f2d0f
  SHA256: 8b73cfda720ef715e21491f59c62ff0918f666d5690735bd03c4e5ce6014706a
  SHA512: b3a431a1c466fedd5bf5644b2b0eefa947be14f57558f6ee6a2659ec961d18297dcc655e2bd89b89f847482c8aaea58ec46aff252451ab7904b5d7d8330b8d2c