6c551a1172a33d11b974f02a5e5489f851fcf1899e877c7e59abd2f650526c19

Target

2f7a2890d38eeb574b1c357854c137c1403dfc0db6410a8e0186339da862c52b.exe
Size

4.5MB
MD5

c20351b808023b220b948a520e5eb163
SHA1

6db7728a2ed6406b6d83761df9676e66f6895878
SHA256

2f7a2890d38eeb574b1c357854c137c1403dfc0db6410a8e0186339da862c52b
SHA512

939433491c7df9f0fbe8017ac66f5b45b4011d4e3ae2d27fc1718751b9f14d5b1d04020ed4c2ee176be39d1145ec1c4584d6c0d54549bedf7fffdbfe7e20a390

Score

8^/10

discovery spyware

Malware Config

Signatures

Blocklisted process makes network request 5 IoCs

flow	pid	Process
6	1144	CScript.exe
8	1144	CScript.exe
10	1144	CScript.exe
12	1144	CScript.exe
14	1144	CScript.exe

Executes dropped EXE 1 IoCs

pid	Process
1720	1.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	1.exe

Loads dropped DLL 4 IoCs

pid	Process
1728	2f7a2890d38eeb574b1c357854c137c1403dfc0db6410a8e0186339da862c52b.exe
1728	2f7a2890d38eeb574b1c357854c137c1403dfc0db6410a8e0186339da862c52b.exe
1728	2f7a2890d38eeb574b1c357854c137c1403dfc0db6410a8e0186339da862c52b.exe
1728	2f7a2890d38eeb574b1c357854c137c1403dfc0db6410a8e0186339da862c52b.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Jaoler\kader\1.exe	2f7a2890d38eeb574b1c357854c137c1403dfc0db6410a8e0186339da862c52b.exe
File created	C:\Program Files (x86)\Jaoler\kader\Setup1.exe	2f7a2890d38eeb574b1c357854c137c1403dfc0db6410a8e0186339da862c52b.exe
File created	C:\Program Files (x86)\Jaoler\kader\Setup1.vbs	2f7a2890d38eeb574b1c357854c137c1403dfc0db6410a8e0186339da862c52b.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	1.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	CScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	CScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	CScript.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	1144	CScript.exe
Token: SeBackupPrivilege	1144	CScript.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1720	1.exe
1720	1.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 1144	1728	2f7a2890d38eeb574b1c357854c137c1403dfc0db6410a8e0186339da862c52b.exe	26
PID 1728 wrote to memory of 1144	1728	2f7a2890d38eeb574b1c357854c137c1403dfc0db6410a8e0186339da862c52b.exe	26
PID 1728 wrote to memory of 1144	1728	2f7a2890d38eeb574b1c357854c137c1403dfc0db6410a8e0186339da862c52b.exe	26
PID 1728 wrote to memory of 1144	1728	2f7a2890d38eeb574b1c357854c137c1403dfc0db6410a8e0186339da862c52b.exe	26
PID 1728 wrote to memory of 1144	1728	2f7a2890d38eeb574b1c357854c137c1403dfc0db6410a8e0186339da862c52b.exe	26
PID 1728 wrote to memory of 1144	1728	2f7a2890d38eeb574b1c357854c137c1403dfc0db6410a8e0186339da862c52b.exe	26
PID 1728 wrote to memory of 1144	1728	2f7a2890d38eeb574b1c357854c137c1403dfc0db6410a8e0186339da862c52b.exe	26
PID 1728 wrote to memory of 1720	1728	2f7a2890d38eeb574b1c357854c137c1403dfc0db6410a8e0186339da862c52b.exe	33
PID 1728 wrote to memory of 1720	1728	2f7a2890d38eeb574b1c357854c137c1403dfc0db6410a8e0186339da862c52b.exe	33
PID 1728 wrote to memory of 1720	1728	2f7a2890d38eeb574b1c357854c137c1403dfc0db6410a8e0186339da862c52b.exe	33
PID 1728 wrote to memory of 1720	1728	2f7a2890d38eeb574b1c357854c137c1403dfc0db6410a8e0186339da862c52b.exe	33

C:\Users\Admin\AppData\Local\Temp\2f7a2890d38eeb574b1c357854c137c1403dfc0db6410a8e0186339da862c52b.exe
"C:\Users\Admin\AppData\Local\Temp\2f7a2890d38eeb574b1c357854c137c1403dfc0db6410a8e0186339da862c52b.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\SysWOW64\CScript.exe
  "C:\Windows\system32\CScript.exe" "C:\Program Files (x86)\Jaoler\kader\Setup1.vbs" //e:vbscript //B //NOLOGO
  2⤵
  - Blocklisted process makes network request
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  PID:1144
- C:\Program Files (x86)\Jaoler\kader\1.exe
  "C:\Program Files (x86)\Jaoler\kader\1.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  PID:1720

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1144-9-0x0000000002720000-0x0000000002724000-memory.dmp

Filesize
16KB

Download
memory/1720-14-0x000000013F870000-0x000000013FF8A000-memory.dmp

Filesize
7.1MB

Download
memory/1720-15-0x000000013F870000-0x000000013FF8A000-memory.dmp

Filesize
7.1MB

Download
memory/1720-16-0x000007FEFBDE1000-0x000007FEFBDE3000-memory.dmp

Filesize
8KB

Download
memory/1720-17-0x0000000001E00000-0x0000000001E01000-memory.dmp

Filesize
4KB

Download
memory/1728-2-0x00000000766F1000-0x00000000766F3000-memory.dmp

Filesize
8KB

Download
memory/1792-8-0x000007FEF7730000-0x000007FEF79AA000-memory.dmp

Filesize
2.5MB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads