Analysis

Max time kernel: 142s
Max time network: 94s
Platform: windows10-2004_x64
Resource: win10v2004-20240611-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 16-06-2024 20:31

Behavioral task: behavioral1
Sample: JITStarter.exe
Resource: win7-20240611-en

General

Target: JITStarter.exe
Size: 3.6MB
MD5: 3a410cb997acba8b4dbe9d56b85c8684
SHA1: 27606b79c325f88c63af65f5a7ca9cbfb68e2753
SHA256: 24ec014d446db69e549b233aff46015e8ee561fa66241f8075c3383a6c8f1ee6
SHA512: 5d19215003a0f16ed4ee426db0e914d2bae21c6e28f107717e10eab7696eb4d2dd18e8548e18c3ab9db75ba7fc9c172f50ab80a1877b33079696b3f137cd222e
SSDEEP: 98304:DvyRYhAywIk6T3JOxeUdjiAdYVSUhM30z8zxs:D5hAywItSeWjiVSZFs
Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoCs)
Processes:
  description   ioc                                           process
  Key opened    \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__   JITStarter.exe

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description         ioc                                                              process
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion   JITStarter.exe
  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  JITStarter.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
  description         ioc                                                                                                   process
  Key value queried   \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation   cmd.exe

YARA rule matches (rule: themida)
Processes:
  resource                                                                      yara_rule
  behavioral2/memory/3612-0-0x0000000000640000-0x00000000010B4000-memory.dmp    themida
  behavioral2/memory/3612-2-0x0000000000640000-0x00000000010B4000-memory.dmp    themida
  behavioral2/memory/3612-4-0x0000000000640000-0x00000000010B4000-memory.dmp    themida
  behavioral2/memory/3612-5-0x0000000000640000-0x00000000010B4000-memory.dmp    themida
  behavioral2/memory/3612-3-0x0000000000640000-0x00000000010B4000-memory.dmp    themida
  behavioral2/memory/3612-7-0x0000000000640000-0x00000000010B4000-memory.dmp    themida
  behavioral2/memory/3612-6-0x0000000000640000-0x00000000010B4000-memory.dmp    themida
  behavioral2/memory/3612-8-0x0000000000640000-0x00000000010B4000-memory.dmp    themida

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Checks whether UAC is enabled
Processes:
  description         ioc                                                                                 process
  Key value queried   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA   JITStarter.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
Processes:
  pid    process
  3612   JITStarter.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid    process
  3612   JITStarter.exe
  3612   JITStarter.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
  pid    process
  1596   cmd.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description                         pid    process          target process
  PID 3612 wrote to memory of 1596    3612   JITStarter.exe   cmd.exe
  PID 3612 wrote to memory of 1596    3612   JITStarter.exe   cmd.exe
  PID 3612 wrote to memory of 1596    3612   JITStarter.exe   cmd.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\JITStarter.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\JITStarter.exe"
   PID: 3612
   - Identifies VirtualBox via ACPI registry values (likely anti-VM)
   - Checks BIOS information in registry
   - Checks whether UAC is enabled
   - Suspicious use of NtSetInformationThreadHideFromDebugger
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe (child of PID 3612)
      Command line: /C vcredist86.exe /install /quiet /norestart
      PID: 1596
      - Checks computer location settings
      - Suspicious use of SetWindowsHookEx