Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
15/10/2024, 21:54
Static task
static1
Behavioral task
behavioral1
Sample
3811d9d2010a0379f2c9bb99ad45fd2608e8c2f0ce0f15c8142a13eda7848e43N.exe
Resource
win7-20241010-en
General
-
Target
3811d9d2010a0379f2c9bb99ad45fd2608e8c2f0ce0f15c8142a13eda7848e43N.exe
-
Size
98KB
-
MD5
df46def194ea28b5509e2cc130635bc0
-
SHA1
e4bc07ab6c3c28730a1be80b5ba3704eee399f60
-
SHA256
3811d9d2010a0379f2c9bb99ad45fd2608e8c2f0ce0f15c8142a13eda7848e43
-
SHA512
f67a6e142e684554f6bbe0b6e03d95998efaa8bce49ca048d4661abfbf5a60bf3fa68151e0d6e2f7ec6909e6ef1e5fe20cb7d6372aaada0b258378b5ec7243d3
-
SSDEEP
3072:11PgEOng1d66jRVa+n4NmNNouukrD7HNS:TpOg1xFV54eNobG7H
Malware Config
Signatures
-
Blocklisted process makes network request 8 IoCs
flow pid Process 22 376 rundll32.exe 28 376 rundll32.exe 29 376 rundll32.exe 30 376 rundll32.exe 44 376 rundll32.exe 45 376 rundll32.exe 54 376 rundll32.exe 68 376 rundll32.exe -
Deletes itself 1 IoCs
pid Process 2756 jkbee.exe -
Executes dropped EXE 1 IoCs
pid Process 2756 jkbee.exe -
Loads dropped DLL 1 IoCs
pid Process 376 rundll32.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\EvtMgr = "c:\\windows\\SysWOW64\\rundll32.exe \"c:\\cmriy\\jgeot.goj\",crc32" rundll32.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\p: rundll32.exe File opened (read-only) \??\z: rundll32.exe File opened (read-only) \??\b: rundll32.exe File opened (read-only) \??\e: rundll32.exe File opened (read-only) \??\h: rundll32.exe File opened (read-only) \??\j: rundll32.exe File opened (read-only) \??\k: rundll32.exe File opened (read-only) \??\l: rundll32.exe File opened (read-only) \??\w: rundll32.exe File opened (read-only) \??\m: rundll32.exe File opened (read-only) \??\n: rundll32.exe File opened (read-only) \??\o: rundll32.exe File opened (read-only) \??\q: rundll32.exe File opened (read-only) \??\s: rundll32.exe File opened (read-only) \??\t: rundll32.exe File opened (read-only) \??\a: rundll32.exe File opened (read-only) \??\i: rundll32.exe File opened (read-only) \??\u: rundll32.exe File opened (read-only) \??\v: rundll32.exe File opened (read-only) \??\x: rundll32.exe File opened (read-only) \??\g: rundll32.exe File opened (read-only) \??\r: rundll32.exe File opened (read-only) \??\y: rundll32.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PHYSICALDRIVE0 rundll32.exe -
resource yara_rule behavioral2/files/0x0009000000023bd0-10.dat upx behavioral2/memory/376-12-0x0000000010000000-0x0000000010022000-memory.dmp upx behavioral2/memory/376-13-0x0000000010000000-0x0000000010022000-memory.dmp upx behavioral2/memory/376-15-0x0000000010000000-0x0000000010022000-memory.dmp upx behavioral2/memory/376-16-0x0000000010000000-0x0000000010022000-memory.dmp upx behavioral2/memory/376-17-0x0000000010000000-0x0000000010022000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3811d9d2010a0379f2c9bb99ad45fd2608e8c2f0ce0f15c8142a13eda7848e43N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jkbee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 4872 cmd.exe 884 PING.EXE -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString rundll32.exe -
Kills process with taskkill 1 IoCs
pid Process 2428 taskkill.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 884 PING.EXE -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 376 rundll32.exe 376 rundll32.exe 376 rundll32.exe 376 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 376 rundll32.exe Token: SeDebugPrivilege 2428 taskkill.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 936 3811d9d2010a0379f2c9bb99ad45fd2608e8c2f0ce0f15c8142a13eda7848e43N.exe 2756 jkbee.exe -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 936 wrote to memory of 4872 936 3811d9d2010a0379f2c9bb99ad45fd2608e8c2f0ce0f15c8142a13eda7848e43N.exe 84 PID 936 wrote to memory of 4872 936 3811d9d2010a0379f2c9bb99ad45fd2608e8c2f0ce0f15c8142a13eda7848e43N.exe 84 PID 936 wrote to memory of 4872 936 3811d9d2010a0379f2c9bb99ad45fd2608e8c2f0ce0f15c8142a13eda7848e43N.exe 84 PID 4872 wrote to memory of 884 4872 cmd.exe 87 PID 4872 wrote to memory of 884 4872 cmd.exe 87 PID 4872 wrote to memory of 884 4872 cmd.exe 87 PID 4872 wrote to memory of 2756 4872 cmd.exe 90 PID 4872 wrote to memory of 2756 4872 cmd.exe 90 PID 4872 wrote to memory of 2756 4872 cmd.exe 90 PID 2756 wrote to memory of 376 2756 jkbee.exe 91 PID 2756 wrote to memory of 376 2756 jkbee.exe 91 PID 2756 wrote to memory of 376 2756 jkbee.exe 91 PID 376 wrote to memory of 2428 376 rundll32.exe 92 PID 376 wrote to memory of 2428 376 rundll32.exe 92 PID 376 wrote to memory of 2428 376 rundll32.exe 92
Processes
-
C:\Users\Admin\AppData\Local\Temp\3811d9d2010a0379f2c9bb99ad45fd2608e8c2f0ce0f15c8142a13eda7848e43N.exe"C:\Users\Admin\AppData\Local\Temp\3811d9d2010a0379f2c9bb99ad45fd2608e8c2f0ce0f15c8142a13eda7848e43N.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:936 -
C:\Windows\SysWOW64\cmd.execmd.exe /c ping 127.0.0.1 -n 2&C:\Users\Admin\AppData\Local\Temp\\jkbee.exe "C:\Users\Admin\AppData\Local\Temp\3811d9d2010a0379f2c9bb99ad45fd2608e8c2f0ce0f15c8142a13eda7848e43N.exe"2⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:4872 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 23⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:884
-
-
C:\Users\Admin\AppData\Local\Temp\jkbee.exeC:\Users\Admin\AppData\Local\Temp\\jkbee.exe "C:\Users\Admin\AppData\Local\Temp\3811d9d2010a0379f2c9bb99ad45fd2608e8c2f0ce0f15c8142a13eda7848e43N.exe"3⤵
- Deletes itself
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2756 -
\??\c:\windows\SysWOW64\rundll32.exec:\windows\system32\rundll32.exe "c:\cmriy\jgeot.goj",crc32 C:\Users\Admin\AppData\Local\Temp\jkbee.exe4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Adds Run key to start application
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:376 -
\??\c:\windows\SysWOW64\taskkill.exetaskkill /f /im attrib.exe5⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2428
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
98KB
MD55e72d75e134b5085ca640e9b41760cc4
SHA19a373391bca00c76e00fdc79b5d8dd00dbc918ec
SHA2562da3ff23993c83ce280a8d2410e431a659a55c8b2eb89a1c30269ef94f90929d
SHA51251e774212a85c22c5143ae9dea9beb7559408928ec364404ce1bb06a94e38b08e999c93497267b29dd958009aea18f3110a6ed1c7a2a437930295b061d847151
-
Filesize
57KB
MD52f53f49e01f09d6e6064871eec1955cd
SHA1a6e1a6e5c2080d0fb2f7a872e3902a8a4a1a9b5f
SHA256964e4dd2532d540bb61d3c7ccc833f2358d8cd6b2eabc3a2d51183a18b59f82d
SHA5122cb98030c3df7417c04f796f78f23f96d381871d9c7ae4a14116764e915b2e2f56b9b3a6fb76fedc50a17788de9538fc7954a7b73bf17e4be43e1fc1a06bc218