6c551a1172a33d11b974f02a5e5489f851fcf1899e877c7e59abd2f650526c19

Target

448a675cb76d76830930fd79347452b44bfc13eca1fc92c4e81d00eedfafac2c.exe
Size

4.5MB
MD5

01bde657829f533c72468b2234a57424
SHA1

b0369575161af6659df620350aecaf6aebfadc4f
SHA256

448a675cb76d76830930fd79347452b44bfc13eca1fc92c4e81d00eedfafac2c
SHA512

379b3320bd8da31cc58701896a877c8187fe0a21f86036bdbcd68e449b082d2d6511550118c23d7b78a80d6bb7a0f8ba5cd2d362df224d0197badbb31ebc7d4f

Score

8^/10

discovery spyware

Malware Config

Signatures

Blocklisted process makes network request 5 IoCs

flow	pid	Process
6	2016	CScript.exe
8	2016	CScript.exe
10	2016	CScript.exe
12	2016	CScript.exe
14	2016	CScript.exe

Executes dropped EXE 1 IoCs

pid	Process
1540	3.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	3.exe

Loads dropped DLL 4 IoCs

pid	Process
1720	448a675cb76d76830930fd79347452b44bfc13eca1fc92c4e81d00eedfafac2c.exe
1720	448a675cb76d76830930fd79347452b44bfc13eca1fc92c4e81d00eedfafac2c.exe
1720	448a675cb76d76830930fd79347452b44bfc13eca1fc92c4e81d00eedfafac2c.exe
1720	448a675cb76d76830930fd79347452b44bfc13eca1fc92c4e81d00eedfafac2c.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Jaoler\kader\Setup3.exe	448a675cb76d76830930fd79347452b44bfc13eca1fc92c4e81d00eedfafac2c.exe
File created	C:\Program Files (x86)\Jaoler\kader\Setup3.vbs	448a675cb76d76830930fd79347452b44bfc13eca1fc92c4e81d00eedfafac2c.exe
File created	C:\Program Files (x86)\Jaoler\kader\3.exe	448a675cb76d76830930fd79347452b44bfc13eca1fc92c4e81d00eedfafac2c.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	3.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	CScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	CScript.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	CScript.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	2016	CScript.exe
Token: SeBackupPrivilege	2016	CScript.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1540	3.exe
1540	3.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 2016	1720	448a675cb76d76830930fd79347452b44bfc13eca1fc92c4e81d00eedfafac2c.exe	26
PID 1720 wrote to memory of 2016	1720	448a675cb76d76830930fd79347452b44bfc13eca1fc92c4e81d00eedfafac2c.exe	26
PID 1720 wrote to memory of 2016	1720	448a675cb76d76830930fd79347452b44bfc13eca1fc92c4e81d00eedfafac2c.exe	26
PID 1720 wrote to memory of 2016	1720	448a675cb76d76830930fd79347452b44bfc13eca1fc92c4e81d00eedfafac2c.exe	26
PID 1720 wrote to memory of 2016	1720	448a675cb76d76830930fd79347452b44bfc13eca1fc92c4e81d00eedfafac2c.exe	26
PID 1720 wrote to memory of 2016	1720	448a675cb76d76830930fd79347452b44bfc13eca1fc92c4e81d00eedfafac2c.exe	26
PID 1720 wrote to memory of 2016	1720	448a675cb76d76830930fd79347452b44bfc13eca1fc92c4e81d00eedfafac2c.exe	26
PID 1720 wrote to memory of 1540	1720	448a675cb76d76830930fd79347452b44bfc13eca1fc92c4e81d00eedfafac2c.exe	33
PID 1720 wrote to memory of 1540	1720	448a675cb76d76830930fd79347452b44bfc13eca1fc92c4e81d00eedfafac2c.exe	33
PID 1720 wrote to memory of 1540	1720	448a675cb76d76830930fd79347452b44bfc13eca1fc92c4e81d00eedfafac2c.exe	33
PID 1720 wrote to memory of 1540	1720	448a675cb76d76830930fd79347452b44bfc13eca1fc92c4e81d00eedfafac2c.exe	33

C:\Users\Admin\AppData\Local\Temp\448a675cb76d76830930fd79347452b44bfc13eca1fc92c4e81d00eedfafac2c.exe
"C:\Users\Admin\AppData\Local\Temp\448a675cb76d76830930fd79347452b44bfc13eca1fc92c4e81d00eedfafac2c.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Windows\SysWOW64\CScript.exe
  "C:\Windows\system32\CScript.exe" "C:\Program Files (x86)\Jaoler\kader\Setup3.vbs" //e:vbscript //B //NOLOGO
  2⤵
  - Blocklisted process makes network request
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  PID:2016
- C:\Program Files (x86)\Jaoler\kader\3.exe
  "C:\Program Files (x86)\Jaoler\kader\3.exe"
  2⤵
  - Executes dropped EXE
  - Checks BIOS information in registry
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  PID:1540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1540-12-0x000000013F3B0000-0x000000013FADE000-memory.dmp

Filesize
7.2MB

Download
memory/1540-13-0x000000013F3B0000-0x000000013FADE000-memory.dmp

Filesize
7.2MB

Download
memory/1740-6-0x000007FEF6200000-0x000007FEF647A000-memory.dmp

Filesize
2.5MB

Download
memory/2016-7-0x0000000002930000-0x0000000002934000-memory.dmp

Filesize
16KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads