Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-12-2024 16:17
Static task: static1
Behavioral task: behavioral1
Sample: JQXl0lEJMWhz.exe
Resource: win7-20240903-en
General
Target: JQXl0lEJMWhz.exe
Size: 13.9MB
MD5: 1aa9a0eab69a91dad1e4ddf16f3deb44
SHA1: a71e6952698784fc2ff931289ed6f87943360c13
SHA256: 0ada51ccd560238a9b104ee8c26b8afe8f348fbbdfd12f067d2276e880298d8c
SHA512: a5682643ed9112435dd7e1ad430955c1ca4e3d2ccc11ac14bed669b556bd3618be4e02104fed2b4f2666d01b63029ad44b4c7534a8d7980e4bbb2a2765cb0415
SSDEEP: 393216:8JzWUq3UKKeizYH2jBkzv7qZ/CMKGvZ/0ZtCHN:85W1nezCTzDAC1GxvHN
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) | 2 TTPs | 2 IoCs
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | JQXl0lEJMWhz.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | JQXl0lEJMWhz.exe
Checks BIOS information in registry | 2 TTPs | 4 IoCs
  BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | JQXl0lEJMWhz.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | JQXl0lEJMWhz.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | JQXl0lEJMWhz.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | JQXl0lEJMWhz.exe
Checks computer location settings | 2 TTPs | 1 IoCs
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | ldrupd.bin
Deletes itself | 1 IoCs
  pid | Process
  548 | ldrupd.bin
Executes dropped EXE | 2 IoCs
  pid | Process
  548 | ldrupd.bin
  3864 | JQXl0lEJMWhz.exe
Checks installed software on the system | 1 TTPs
  Looks up Uninstall key entries in the registry to enumerate software on the system.
Checks whether UAC is enabled | 2 IoCs
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | JQXl0lEJMWhz.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | JQXl0lEJMWhz.exe
Enumerates physical storage devices | 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: GetForegroundWindowSpam | 1 IoCs
  pid | Process
  3864 | JQXl0lEJMWhz.exe
Suspicious use of AdjustPrivilegeToken | 2 IoCs
  description | pid | Process
  Token: SeSystemEnvironmentPrivilege | 4260 | JQXl0lEJMWhz.exe
  Token: SeSystemEnvironmentPrivilege | 3864 | JQXl0lEJMWhz.exe
Suspicious use of SetWindowsHookEx | 2 IoCs
  pid | Process
  3864 | JQXl0lEJMWhz.exe
  3864 | JQXl0lEJMWhz.exe
Suspicious use of WriteProcessMemory | 16 IoCs
  description | pid | Process | procid_target
  PID 4260 wrote to memory of 3356 | 4260 | JQXl0lEJMWhz.exe | 82
  PID 4260 wrote to memory of 3356 | 4260 | JQXl0lEJMWhz.exe | 82
  PID 4260 wrote to memory of 3356 | 4260 | JQXl0lEJMWhz.exe | 82
  PID 4260 wrote to memory of 3536 | 4260 | JQXl0lEJMWhz.exe | 83
  PID 4260 wrote to memory of 3536 | 4260 | JQXl0lEJMWhz.exe | 83
  PID 4260 wrote to memory of 3536 | 4260 | JQXl0lEJMWhz.exe | 83
  PID 4260 wrote to memory of 548 | 4260 | JQXl0lEJMWhz.exe | 84
  PID 4260 wrote to memory of 548 | 4260 | JQXl0lEJMWhz.exe | 84
  PID 548 wrote to memory of 3864 | 548 | ldrupd.bin | 85
  PID 548 wrote to memory of 3864 | 548 | ldrupd.bin | 85
  PID 3864 wrote to memory of 2520 | 3864 | JQXl0lEJMWhz.exe | 90
  PID 3864 wrote to memory of 2520 | 3864 | JQXl0lEJMWhz.exe | 90
  PID 3864 wrote to memory of 2520 | 3864 | JQXl0lEJMWhz.exe | 90
  PID 3864 wrote to memory of 4024 | 3864 | JQXl0lEJMWhz.exe | 91
  PID 3864 wrote to memory of 4024 | 3864 | JQXl0lEJMWhz.exe | 91
  PID 3864 wrote to memory of 4024 | 3864 | JQXl0lEJMWhz.exe | 91
Processes
C:\Users\Admin\AppData\Local\Temp\JQXl0lEJMWhz.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JQXl0lEJMWhz.exe"
  PID: 4260
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\SysWOW64\cmd.exe"
    PID: 3356
  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\SysWOW64\cmd.exe"
    PID: 3536
  C:\Users\Admin\AppData\Local\ldrupd.bin
    Command line: "C:\Users\Admin\AppData\Local\ldrupd.bin"
    PID: 548
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\JQXl0lEJMWhz.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\JQXl0lEJMWhz.exe"
      PID: 3864
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Executes dropped EXE
      - Checks whether UAC is enabled
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\SysWOW64\cmd.exe"
        PID: 2520
      C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\SysWOW64\cmd.exe"
        PID: 4024
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 15.8MB
MD5: cb4d9a2ec18a637830e43f8826553763
SHA1: a4ba2ed8b32cc2e3f33e9dadd9ea30efdc7e25b4
SHA256: 4a6ce87722da6492489864600e5138c76dc29854e04223d401a124c87c27ffeb
SHA512: 337e56e558ec6817013d8062416c8ee40435aecf43ef2f50f9503a9f74b9fcde1bb9e36e6f8be345257bebaa4e8f044f10dbf05da45b8a597a1f389923cfa0da

Filesize: 3KB
MD5: a24978a6b77e2cd99823e24c6eb4d055
SHA1: 05aab593ba8e0c21f2859d04d4810fdd1ce453c3
SHA256: 80ac94c086eb6e52bc3bbebd86e0795f6cb7476153af0c767b9ae4b7e9931140
SHA512: 24356ce42d0fd7839166416604fd7bd101cab8754de095676c921bfb664bc110e8a87cb863afefb5fd98450496c1b3e303851943f13a3e19f206350239c2a8db