0684a8e1ea5980161c499f1cdbbf7fb64ec32adcdf6009d15192c986e0e49600

Analysis

max time kernel
149s
max time network
152s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
08/05/2023, 23:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0684a8e1ea5980161c499f1cdbbf7fb64ec32adcdf6009d15192c986e0e49600.exe
Size

285KB
MD5

f44375e9145520b83056771dd1749e4c
SHA1

0dfc36424e02a88ead8d1fadf631ba7a63b545b7
SHA256

0684a8e1ea5980161c499f1cdbbf7fb64ec32adcdf6009d15192c986e0e49600
SHA512

eb750f01b159789e54e42e6a91aaab6d62eb674a3aa87241523872231264c23717424417534e8b49b2837fe31871c9207dcd4298c61c3cfa36ccc90bcf960cc8
SSDEEP

6144:vYa6cBOlE7jsnxtuyPa8FZ3+thp57s2q89OtlHaFibg+zM:vYaolUi7PTFV+tdsb89OtIOg7

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Control Panel\International\Geo\Nation	jqnctsrjom.exe

Executes dropped EXE 2 IoCs

pid	Process
1592	jqnctsrjom.exe
436	jqnctsrjom.exe

Loads dropped DLL 3 IoCs

pid	Process
1724	0684a8e1ea5980161c499f1cdbbf7fb64ec32adcdf6009d15192c986e0e49600.exe
1592	jqnctsrjom.exe
268	chkdsk.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1592 set thread context of 436	1592	jqnctsrjom.exe	29
PID 436 set thread context of 1324	436	jqnctsrjom.exe	14
PID 268 set thread context of 1324	268	chkdsk.exe	14

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-2961826002-3968192592-354541192-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	chkdsk.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
436	jqnctsrjom.exe
436	jqnctsrjom.exe
436	jqnctsrjom.exe
436	jqnctsrjom.exe
268	chkdsk.exe
268	chkdsk.exe
268	chkdsk.exe
268	chkdsk.exe
268	chkdsk.exe
268	chkdsk.exe
268	chkdsk.exe
268	chkdsk.exe
268	chkdsk.exe
268	chkdsk.exe
268	chkdsk.exe
268	chkdsk.exe
268	chkdsk.exe
268	chkdsk.exe
268	chkdsk.exe
268	chkdsk.exe
268	chkdsk.exe
268	chkdsk.exe
268	chkdsk.exe
268	chkdsk.exe
268	chkdsk.exe
268	chkdsk.exe
268	chkdsk.exe
268	chkdsk.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1324	Explorer.EXE

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
1592	jqnctsrjom.exe
436	jqnctsrjom.exe
436	jqnctsrjom.exe
436	jqnctsrjom.exe
268	chkdsk.exe
268	chkdsk.exe
268	chkdsk.exe
268	chkdsk.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	436	jqnctsrjom.exe
Token: SeDebugPrivilege	268	chkdsk.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1324	Explorer.EXE
1324	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1324	Explorer.EXE
1324	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 1592	1724	0684a8e1ea5980161c499f1cdbbf7fb64ec32adcdf6009d15192c986e0e49600.exe	28
PID 1724 wrote to memory of 1592	1724	0684a8e1ea5980161c499f1cdbbf7fb64ec32adcdf6009d15192c986e0e49600.exe	28
PID 1724 wrote to memory of 1592	1724	0684a8e1ea5980161c499f1cdbbf7fb64ec32adcdf6009d15192c986e0e49600.exe	28
PID 1724 wrote to memory of 1592	1724	0684a8e1ea5980161c499f1cdbbf7fb64ec32adcdf6009d15192c986e0e49600.exe	28
PID 1592 wrote to memory of 436	1592	jqnctsrjom.exe	29
PID 1592 wrote to memory of 436	1592	jqnctsrjom.exe	29
PID 1592 wrote to memory of 436	1592	jqnctsrjom.exe	29
PID 1592 wrote to memory of 436	1592	jqnctsrjom.exe	29
PID 1592 wrote to memory of 436	1592	jqnctsrjom.exe	29
PID 1324 wrote to memory of 268	1324	Explorer.EXE	30
PID 1324 wrote to memory of 268	1324	Explorer.EXE	30
PID 1324 wrote to memory of 268	1324	Explorer.EXE	30
PID 1324 wrote to memory of 268	1324	Explorer.EXE	30
PID 268 wrote to memory of 1076	268	chkdsk.exe	33
PID 268 wrote to memory of 1076	268	chkdsk.exe	33
PID 268 wrote to memory of 1076	268	chkdsk.exe	33
PID 268 wrote to memory of 1076	268	chkdsk.exe	33
PID 268 wrote to memory of 1076	268	chkdsk.exe	33

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1324
- C:\Users\Admin\AppData\Local\Temp\0684a8e1ea5980161c499f1cdbbf7fb64ec32adcdf6009d15192c986e0e49600.exe
  "C:\Users\Admin\AppData\Local\Temp\0684a8e1ea5980161c499f1cdbbf7fb64ec32adcdf6009d15192c986e0e49600.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Users\Admin\AppData\Local\Temp\jqnctsrjom.exe
    "C:\Users\Admin\AppData\Local\Temp\jqnctsrjom.exe" C:\Users\Admin\AppData\Local\Temp\fyajkg.h
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1592
  - - C:\Users\Admin\AppData\Local\Temp\jqnctsrjom.exe
      "C:\Users\Admin\AppData\Local\Temp\jqnctsrjom.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:436
- C:\Windows\SysWOW64\chkdsk.exe
  "C:\Windows\SysWOW64\chkdsk.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Enumerates system info in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:268
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:1076

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fyajkg.h

Filesize
5KB

MD5
99875222af8393b82057b7b011a9b8ec

SHA1
3cd4a208034ca0b405e08723580fc52dc7b21d61

SHA256
653676d7946c5557e1c4009e88ecf86540228939cbe4ba3c6fbbada5777c9859

SHA512
1d2726a60ee67848043115c5f96bb30a91d3ddea1d8d7f38864a521d48a4578f621b1f21d4fb48d9667a92f013a1633aa22bb27fd0086a02322b9c199fb02132

Download Submit
C:\Users\Admin\AppData\Local\Temp\jqnctsrjom.exe

Filesize
85KB

MD5
64d6a0d403c13883b5d147c6785d7f5a

SHA1
60b7451df82a83d9830088187b0efe35d4fcc705

SHA256
b389ae07b56834ec3847bcea3b4657db6e4ef260a24930a8939210db7df82417

SHA512
4bc1f13b03a11ee96be7638bebe6c245c4553213a440873c8a0868552126b716ecc020f9fe69b599e5583009f7d7e33895b03a50b7796d11c43576c51e2cfe2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\jqnctsrjom.exe

Filesize
85KB

MD5
64d6a0d403c13883b5d147c6785d7f5a

SHA1
60b7451df82a83d9830088187b0efe35d4fcc705

SHA256
b389ae07b56834ec3847bcea3b4657db6e4ef260a24930a8939210db7df82417

SHA512
4bc1f13b03a11ee96be7638bebe6c245c4553213a440873c8a0868552126b716ecc020f9fe69b599e5583009f7d7e33895b03a50b7796d11c43576c51e2cfe2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\jqnctsrjom.exe

Filesize
85KB

MD5
64d6a0d403c13883b5d147c6785d7f5a

SHA1
60b7451df82a83d9830088187b0efe35d4fcc705

SHA256
b389ae07b56834ec3847bcea3b4657db6e4ef260a24930a8939210db7df82417

SHA512
4bc1f13b03a11ee96be7638bebe6c245c4553213a440873c8a0868552126b716ecc020f9fe69b599e5583009f7d7e33895b03a50b7796d11c43576c51e2cfe2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\mhklod.zip

Filesize
420KB

MD5
e52817a24225cd74cf2572296e89e97a

SHA1
b8df50b6fa53542824387439298c3abde19b60aa

SHA256
3eba4df40a820b1b646b312554974a764c513a8318ec9fa414937220cdf6d343

SHA512
52918142caba7e160973787cf4da1e0550face70396c55c4de3771ad2d60bdbb6d71e10f0a4cb5e38ae77fb39effbe945b8bd9c2c3185aff16ce1173f375572b

Download Submit
C:\Users\Admin\AppData\Local\Temp\psrxc.iwq

Filesize
206KB

MD5
8f19bdd9a612727542d08ab7719e5295

SHA1
808679367b7bf403a052e775cfb333baa2d6d7d6

SHA256
4a68e019ec94a794b8fd9bb8dab2da040c85e71d8ccf7935c1e327a4e52bf4d4

SHA512
4f6fc8682478ea1ad4025b624d6b05a3596c40a2fce8bd5ab1500e64577f769854833d24be76c6a5243a02a2def9e901cdfc6f3c7eca725a47c43510f346d52e

Download Submit
\Users\Admin\AppData\Local\Temp\jqnctsrjom.exe

Filesize
85KB

MD5
64d6a0d403c13883b5d147c6785d7f5a

SHA1
60b7451df82a83d9830088187b0efe35d4fcc705

SHA256
b389ae07b56834ec3847bcea3b4657db6e4ef260a24930a8939210db7df82417

SHA512
4bc1f13b03a11ee96be7638bebe6c245c4553213a440873c8a0868552126b716ecc020f9fe69b599e5583009f7d7e33895b03a50b7796d11c43576c51e2cfe2f

Download Submit
\Users\Admin\AppData\Local\Temp\jqnctsrjom.exe

Filesize
85KB

MD5
64d6a0d403c13883b5d147c6785d7f5a

SHA1
60b7451df82a83d9830088187b0efe35d4fcc705

SHA256
b389ae07b56834ec3847bcea3b4657db6e4ef260a24930a8939210db7df82417

SHA512
4bc1f13b03a11ee96be7638bebe6c245c4553213a440873c8a0868552126b716ecc020f9fe69b599e5583009f7d7e33895b03a50b7796d11c43576c51e2cfe2f

Download Submit
\Users\Admin\AppData\Local\Temp\sqlite3.dll

Filesize
804KB

MD5
b09588d000ef4bf2a3dddd85bd701423

SHA1
44a810ff8920a340a30b66d932253555143dc28b

SHA256
ce4ffc1a12150b8523378553f2a97dd3fc44d5210ae6c296ab31e2c78f0d03c3

SHA512
1d807d92da34ccba4628f2a55c3ac1c03ff63925d79e266b4e52d71002228cbde76206ec696c3e25143fc2e0cab56589155666ff6f8ea0ebfd5ebcd362168e2a

Download Submit
memory/268-126-0x0000000061E00000-0x0000000061EB6000-memory.dmp

Filesize
728KB

Download
memory/268-77-0x0000000000AD0000-0x0000000000AD7000-memory.dmp

Filesize
28KB

Download
memory/268-82-0x0000000000940000-0x00000000009CF000-memory.dmp

Filesize
572KB

Download
memory/268-79-0x0000000002070000-0x0000000002373000-memory.dmp

Filesize
3.0MB

Download
memory/268-78-0x0000000000140000-0x000000000016D000-memory.dmp

Filesize
180KB

Download
memory/268-75-0x0000000000AD0000-0x0000000000AD7000-memory.dmp

Filesize
28KB

Download
memory/436-72-0x00000000002A0000-0x00000000002B0000-memory.dmp

Filesize
64KB

Download
memory/436-71-0x00000000006E0000-0x00000000009E3000-memory.dmp

Filesize
3.0MB

Download
memory/436-69-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/436-68-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/436-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1324-73-0x00000000049D0000-0x0000000004AC9000-memory.dmp

Filesize
996KB

Download
memory/1324-80-0x0000000004B60000-0x0000000004BF9000-memory.dmp

Filesize
612KB

Download
memory/1324-84-0x0000000004B60000-0x0000000004BF9000-memory.dmp

Filesize
612KB

Download
memory/1324-70-0x0000000000010000-0x0000000000020000-memory.dmp

Filesize
64KB

Download