Analysis

  • max time kernel
    95s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    24-12-2024 09:51

General

  • Target

    jestyyfre44321.exe

  • Size

    1.1MB

  • MD5

    c2d4e5290155193ed854fc6d27ec83a4

  • SHA1

    de83fd85e5496b9ccc8f56bd162d27381835c1af

  • SHA256

    e4c4e4111a17d0130da8cfb7694900d1d7f16bfb74ab45eff550e6319d88a602

  • SHA512

    e873f5dc3e318be701bbcdc55f2a61060e72a54c58c17fc2b339b9faf5b9b52f764241d7c6f1c5758884fa76cb1257c605ea2cc1c9d085e99fd51fd457e65e73

  • SSDEEP

    24576:UAOcZXcxP6P4C6oV5Ogn+pN6k77rvyOMF5:CH9C6qX+pN6kDbE5

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\jestyyfre44321.exe
    "C:\Users\Admin\AppData\Local\Temp\jestyyfre44321.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:548
    • C:\Users\Admin\9_53\isab.pif
      "C:\Users\Admin\9_53\isab.pif" telx.ogt
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3932
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
        PID:1960
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
        PID:2024
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2024 -s 80
          4⤵
          • Program crash
          PID:736
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2024 -ip 2024
    1⤵
    PID:2368

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\9_53\aoss.xls

    Filesize

    40KB

    MD5

    c54a5a90e3803c572ed12150b510f97d

    SHA1

    8e2f02b84fd5f6e873cf51d343fb96a531a45e45

    SHA256

    87cd75d6b1a5607b39e5940d9021ca9281c3d47217e597e0601f6f6d02b06bf8

    SHA512

    d8f5395fde12d62e94e7969b7d298f03733c56adf3139de5a6167a59c497152c384631d6da12380136b00d10119a7fdec4a53208f5152c578a71b589b8f9e776

  • C:\Users\Admin\9_53\gcvbihuje.mro

    Filesize

    370KB

    MD5

    d40060faa63c30e509e8f6c5be0dcdc4

    SHA1

    4ec1022751784dc6b2a8819e6d4b860d6b38d82f

    SHA256

    15994b50140988529c4b8c18aebabcb60fedc34b45dfdac906569bda318f3414

    SHA512

    1761c72937b4476c666ffb93b96bb94427068dae217fe03c021082e5a988a09e3dacfd306b6440ca90de3ce48afa2aeb85829a1e76f3ff2fc2e636180f0eb1da

  • C:\Users\Admin\9_53\isab.pif

    Filesize

    820KB

    MD5

    0c996fa7285452f1302d8c781bd72972

    SHA1

    93b2a1bce155afec134804b3a2ef6b40ac0a4178

    SHA256

    470588c09deb416b91666b21a15cda3fd2e8807bdf83e27e5939415651bb006f

    SHA512

    e8d8c61f04707af05143e1c68ffcbf38a433766096a5c87c0f6b2b8cf54f0f2d4a60e39f4b0fb5a78dfbb97a2549d7c930887021bf513abf268a4677d9231c5e