Analysis
- max time kernel: 29s
- max time network: 19s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 16-06-2024 20:31

Behavioral task: behavioral1
- Sample: JITStarter.exe
- Resource: win7-20240611-en
General
- Target: JITStarter.exe
- Size: 3.6MB
- MD5: 3a410cb997acba8b4dbe9d56b85c8684
- SHA1: 27606b79c325f88c63af65f5a7ca9cbfb68e2753
- SHA256: 24ec014d446db69e549b233aff46015e8ee561fa66241f8075c3383a6c8f1ee6
- SHA512: 5d19215003a0f16ed4ee426db0e914d2bae21c6e28f107717e10eab7696eb4d2dd18e8548e18c3ab9db75ba7fc9c172f50ab80a1877b33079696b3f137cd222e
- SSDEEP: 98304:DvyRYhAywIk6T3JOxeUdjiAdYVSUhM30z8zxs:D5hAywItSeWjiVSZFs
Malware Config
Signatures

- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  VBOX__ is the OEM ID that VirtualBox writes into the ACPI tables it exposes to a guest; Windows mirrors those tables under HKLM\HARDWARE\ACPI, so merely opening this key tells the program whether it is running inside VirtualBox.
  Processes:
  - Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (JITStarter.exe)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments: on a VirtualBox guest both values carry the hypervisor's vendor string, whereas on physical hardware they name the OEM. Legitimate installers also read these values, so treat the pair as suspicious in combination with the ACPI check above rather than on its own.
  Processes:
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (JITStarter.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (JITStarter.exe)
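The two registry-based signatures above (and the EnableLUA read listed further down) are the kind of rows an analyst triages by hand. As an added example that is not part of this report or of the sandbox's own detection logic, the Python below parses rows in the report's "description / ioc / process" layout, matches the paths against a small indicator table, and gives a per-process verdict. The sample rows are constructed to mirror the rows on this page plus one benign control; the indicator table, the FADT/RSDT siblings of the DSDT key, the two-hit threshold and the VirtualBox value substrings in looks_like_virtualbox are this example's own assumptions, not something recovered from the binary.

```python
"""Classify sandbox registry-access rows for VM probing and UAC checks (added example)."""
import re

# Constructed rows in the report's "description / ioc / process" layout.
# The first four mirror the JITStarter.exe rows on this page; the last is a benign control.
SAMPLE_EVENTS = [
    r"Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ JITStarter.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion JITStarter.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion JITStarter.exe",
    r"Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA JITStarter.exe",
    r"Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductName notepad.exe",
]

# Hypothetical indicator table for this example (VirtualBox-only; a real one would also
# carry VMware, QEMU and Hyper-V paths). Each entry: (path pattern, category, note).
INDICATORS = [
    (re.compile(r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__$", re.I), "anti-vm",
     "VirtualBox ACPI table OEM ID"),
    (re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\SystemBiosVersion$", re.I), "anti-vm",
     "system BIOS vendor string"),
    (re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\VideoBiosVersion$", re.I), "anti-vm",
     "video BIOS vendor string"),
    (re.compile(r"\\Policies\\System\\EnableLUA$", re.I), "uac-check",
     "UAC enabled flag"),
]

# Paths may contain spaces ("Windows NT"), so the process name is the final
# whitespace-free token and the path is everything between the action and it.
EVENT_RE = re.compile(r"^(Key opened|Key value queried)\s+(\\REGISTRY\\.+?)\s+(\S+)$")


def parse_event(line):
    """Split one row into (action, registry path, process name)."""
    m = EVENT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised event row: {line!r}")
    return m.group(1), m.group(2), m.group(3)


def match_indicator(path):
    """Return (category, note) for the first indicator the path matches, else None."""
    for pattern, category, note in INDICATORS:
        if pattern.search(path):
            return category, note
    return None


def analyze(events):
    """Group matching rows by process: {process: [(path, category, note), ...]}."""
    findings = {}
    for line in events:
        _action, path, proc = parse_event(line)
        hit = match_indicator(path)
        if hit is not None:
            findings.setdefault(proc, []).append((path, hit[0], hit[1]))
    return findings


def verdict(rows, min_anti_vm=2):
    """Flag a process only when it reads two or more distinct anti-VM paths; a single
    BIOS read is too common in legitimate installers. The threshold is this example's
    choice, not a sandbox rule."""
    anti_vm_paths = {path for path, cat, _note in rows if cat == "anti-vm"}
    if len(anti_vm_paths) >= min_anti_vm:
        return "anti-vm-probing"
    if any(cat == "uac-check" for _path, cat, _note in rows):
        return "uac-aware"
    return "benign"


def looks_like_virtualbox(system_bios, video_bios, acpi_tables):
    """The comparison the sample's reads are presumably feeding: the substrings a
    VirtualBox guest exposes in these values (assumed check, not recovered from
    the binary). acpi_tables is the list of table OEM IDs under HARDWARE\\ACPI\\DSDT."""
    return ("VBOX" in system_bios.upper()
            or "VIRTUALBOX" in video_bios.upper()
            or "VBOX__" in {t.upper() for t in acpi_tables})


if __name__ == "__main__":
    for proc, rows in analyze(SAMPLE_EVENTS).items():
        print(f"{proc}: {verdict(rows)}")
        for path, cat, note in rows:
            print(f"  [{cat}] {path}  ({note})")
    # Constructed values of the kind a VirtualBox guest exposes (not taken from this report):
    print(looks_like_virtualbox("VBOX   - 1", "Oracle VM VirtualBox VBE Adapter", ["VBOX__"]))
```

Run against the constructed rows, only JITStarter.exe produces findings and it is rated anti-vm-probing because it touches three distinct anti-VM paths; notepad.exe's ProductName read matches nothing. To reuse the classifier on a real export, feed it the rows of the Processes tables as-is, since the regex tolerates the spaces inside key paths.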
- Memory dumps matching YARA rule themida (11 IoCs)
  Every dump covers the same region 0x0000000000280000-0x0000000000CF4000 of PID 1720 (about 10.5 MB, roughly three times the 3.6 MB file on disk), which is consistent with a Themida-protected image being unpacked in place rather than with code injected elsewhere.
  Processes:
  - behavioral1/memory/1720-{0,2,3,4,5,6,7,44,159,160,165}-0x0000000000280000-0x0000000000CF4000-memory.dmp: themida
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

- Checks whether UAC is enabled (1 IoC)
  EnableLUA is the policy value that switches UAC on or off; installers read it to decide whether an elevation prompt is to be expected.
  Processes:
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (JITStarter.exe)
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  The ThreadHideFromDebugger information class stops the calling thread from delivering debug events, so an attached debugger no longer sees its exceptions or breakpoints. It is a standard anti-debug measure in commercial protectors and fits the Themida hits above.
  Processes:
  - PID 1720 JITStarter.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoC)
  Processes:
  - WerFault.exe (PID 1616) handled a crash of JITStarter.exe (target PID 1720)
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes:
  - PID 1720 JITStarter.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  Each target received four writes from PID 1720:
  Processes:
  - PID 1720 JITStarter.exe wrote to memory of PID 2288 cmd.exe (4 times)
  - PID 1720 JITStarter.exe wrote to memory of PID 2496 cmd.exe (4 times)
  - PID 1720 JITStarter.exe wrote to memory of PID 1100 cmd.exe (4 times)
  - PID 1720 JITStarter.exe wrote to memory of PID 2128 cmd.exe (4 times)
  - PID 1720 JITStarter.exe wrote to memory of PID 1616 WerFault.exe (4 times)
  Every target is a process that JITStarter.exe itself launched (the four cmd.exe instances and WerFault.exe in the tree below); the report records no write into a process the sample did not create, so these rows do not by themselves show code injection into a foreign process.
Processes

- C:\Users\Admin\AppData\Local\Temp\JITStarter.exe (depth 1, PID 1720)
  Command line: "C:\Users\Admin\AppData\Local\Temp\JITStarter.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\cmd.exe (depth 2, PID 2288)
    Command line: cmd.exe /C vcredist86.exe /install /quiet /norestart

  - C:\Windows\SysWOW64\cmd.exe (depth 2, PID 2496)
    Command line: cmd.exe /C vcredist64.exe /install /quiet /norestart

  - C:\Windows\SysWOW64\cmd.exe (depth 2, PID 1100)
    Command line: cmd.exe /C NDP461-KB3102438-Web.exe /q /norestart

  - C:\Windows\SysWOW64\cmd.exe (depth 2, PID 2128)
    Command line: cmd.exe /C dxwebsetup.exe /Q

  - C:\Windows\SysWOW64\WerFault.exe (depth 2, PID 1616)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 296
    - Program crash

The four cmd.exe children are silent installs of runtime prerequisites (the x86 and x64 Visual C++ redistributables, the .NET Framework 4.6.1 web installer NDP461-KB3102438-Web.exe, and the DirectX web setup), run through the 32-bit cmd.exe under SysWOW64. None of those installer executables appears as a process of its own, which is consistent with them not being present next to the submitted sample in the sandbox working directory; only JITStarter.exe was submitted. WerFault.exe -p 1720 shows the sample itself crashed within the 29 s run, so the behavior recorded here may be incomplete.