0684a8e1ea5980161c499f1cdbbf7fb64ec32adcdf6009d15192c986e0e49600

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
08-05-2023 23:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0684a8e1ea5980161c499f1cdbbf7fb64ec32adcdf6009d15192c986e0e49600.exe
Size

285KB
MD5

f44375e9145520b83056771dd1749e4c
SHA1

0dfc36424e02a88ead8d1fadf631ba7a63b545b7
SHA256

0684a8e1ea5980161c499f1cdbbf7fb64ec32adcdf6009d15192c986e0e49600
SHA512

eb750f01b159789e54e42e6a91aaab6d62eb674a3aa87241523872231264c23717424417534e8b49b2837fe31871c9207dcd4298c61c3cfa36ccc90bcf960cc8
SSDEEP

6144:vYa6cBOlE7jsnxtuyPa8FZ3+thp57s2q89OtlHaFibg+zM:vYaolUi7PTFV+tdsb89OtIOg7

Score

7^/10

spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Control Panel\International\Geo\Nation	jqnctsrjom.exe

Executes dropped EXE 2 IoCs

pid	Process
1484	jqnctsrjom.exe
2344	jqnctsrjom.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1484 set thread context of 2344	1484	jqnctsrjom.exe	83
PID 2344 set thread context of 388	2344	jqnctsrjom.exe	20
PID 1688 set thread context of 388	1688	cscript.exe	20

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4868	444	WerFault.exe	91

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	cscript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2344	jqnctsrjom.exe
2344	jqnctsrjom.exe
2344	jqnctsrjom.exe
2344	jqnctsrjom.exe
2344	jqnctsrjom.exe
2344	jqnctsrjom.exe
2344	jqnctsrjom.exe
2344	jqnctsrjom.exe
1688	cscript.exe
1688	cscript.exe
1688	cscript.exe
1688	cscript.exe
1688	cscript.exe
1688	cscript.exe
1688	cscript.exe
1688	cscript.exe
1688	cscript.exe
1688	cscript.exe
1688	cscript.exe
1688	cscript.exe
1688	cscript.exe
1688	cscript.exe
1688	cscript.exe
1688	cscript.exe
1688	cscript.exe
1688	cscript.exe
1688	cscript.exe
1688	cscript.exe
1688	cscript.exe
1688	cscript.exe
1688	cscript.exe
1688	cscript.exe
1688	cscript.exe
1688	cscript.exe
1688	cscript.exe
1688	cscript.exe
1688	cscript.exe
1688	cscript.exe
1688	cscript.exe
1688	cscript.exe
1688	cscript.exe
1688	cscript.exe
1688	cscript.exe
1688	cscript.exe
1688	cscript.exe
1688	cscript.exe
1688	cscript.exe
1688	cscript.exe
1688	cscript.exe
1688	cscript.exe
1688	cscript.exe
1688	cscript.exe
1688	cscript.exe
1688	cscript.exe
1688	cscript.exe
1688	cscript.exe
1688	cscript.exe
1688	cscript.exe
1688	cscript.exe
1688	cscript.exe
1688	cscript.exe
1688	cscript.exe
1688	cscript.exe
1688	cscript.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
388	Explorer.EXE

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
1484	jqnctsrjom.exe
2344	jqnctsrjom.exe
2344	jqnctsrjom.exe
2344	jqnctsrjom.exe
1688	cscript.exe
1688	cscript.exe
1688	cscript.exe
1688	cscript.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2344	jqnctsrjom.exe
Token: SeDebugPrivilege	1688	cscript.exe
Token: SeShutdownPrivilege	388	Explorer.EXE
Token: SeCreatePagefilePrivilege	388	Explorer.EXE

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 1484	2424	0684a8e1ea5980161c499f1cdbbf7fb64ec32adcdf6009d15192c986e0e49600.exe	82
PID 2424 wrote to memory of 1484	2424	0684a8e1ea5980161c499f1cdbbf7fb64ec32adcdf6009d15192c986e0e49600.exe	82
PID 2424 wrote to memory of 1484	2424	0684a8e1ea5980161c499f1cdbbf7fb64ec32adcdf6009d15192c986e0e49600.exe	82
PID 1484 wrote to memory of 2344	1484	jqnctsrjom.exe	83
PID 1484 wrote to memory of 2344	1484	jqnctsrjom.exe	83
PID 1484 wrote to memory of 2344	1484	jqnctsrjom.exe	83
PID 1484 wrote to memory of 2344	1484	jqnctsrjom.exe	83
PID 388 wrote to memory of 1688	388	Explorer.EXE	84
PID 388 wrote to memory of 1688	388	Explorer.EXE	84
PID 388 wrote to memory of 1688	388	Explorer.EXE	84
PID 1688 wrote to memory of 444	1688	cscript.exe	91
PID 1688 wrote to memory of 444	1688	cscript.exe	91
PID 1688 wrote to memory of 444	1688	cscript.exe	91

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:388
- C:\Users\Admin\AppData\Local\Temp\0684a8e1ea5980161c499f1cdbbf7fb64ec32adcdf6009d15192c986e0e49600.exe
  "C:\Users\Admin\AppData\Local\Temp\0684a8e1ea5980161c499f1cdbbf7fb64ec32adcdf6009d15192c986e0e49600.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2424
- - C:\Users\Admin\AppData\Local\Temp\jqnctsrjom.exe
    "C:\Users\Admin\AppData\Local\Temp\jqnctsrjom.exe" C:\Users\Admin\AppData\Local\Temp\fyajkg.h
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1484
  - - C:\Users\Admin\AppData\Local\Temp\jqnctsrjom.exe
      "C:\Users\Admin\AppData\Local\Temp\jqnctsrjom.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:2344
- C:\Windows\SysWOW64\cscript.exe
  "C:\Windows\SysWOW64\cscript.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1688
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:444
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 444 -s 144
      4⤵
      Program crash
      PID:4868

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 472 -p 444 -ip 444
1⤵
PID:1216

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\fyajkg.h

Filesize
5KB

MD5
99875222af8393b82057b7b011a9b8ec

SHA1
3cd4a208034ca0b405e08723580fc52dc7b21d61

SHA256
653676d7946c5557e1c4009e88ecf86540228939cbe4ba3c6fbbada5777c9859

SHA512
1d2726a60ee67848043115c5f96bb30a91d3ddea1d8d7f38864a521d48a4578f621b1f21d4fb48d9667a92f013a1633aa22bb27fd0086a02322b9c199fb02132

Download Submit
C:\Users\Admin\AppData\Local\Temp\jqnctsrjom.exe

Filesize
85KB

MD5
64d6a0d403c13883b5d147c6785d7f5a

SHA1
60b7451df82a83d9830088187b0efe35d4fcc705

SHA256
b389ae07b56834ec3847bcea3b4657db6e4ef260a24930a8939210db7df82417

SHA512
4bc1f13b03a11ee96be7638bebe6c245c4553213a440873c8a0868552126b716ecc020f9fe69b599e5583009f7d7e33895b03a50b7796d11c43576c51e2cfe2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\jqnctsrjom.exe

Filesize
85KB

MD5
64d6a0d403c13883b5d147c6785d7f5a

SHA1
60b7451df82a83d9830088187b0efe35d4fcc705

SHA256
b389ae07b56834ec3847bcea3b4657db6e4ef260a24930a8939210db7df82417

SHA512
4bc1f13b03a11ee96be7638bebe6c245c4553213a440873c8a0868552126b716ecc020f9fe69b599e5583009f7d7e33895b03a50b7796d11c43576c51e2cfe2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\jqnctsrjom.exe

Filesize
85KB

MD5
64d6a0d403c13883b5d147c6785d7f5a

SHA1
60b7451df82a83d9830088187b0efe35d4fcc705

SHA256
b389ae07b56834ec3847bcea3b4657db6e4ef260a24930a8939210db7df82417

SHA512
4bc1f13b03a11ee96be7638bebe6c245c4553213a440873c8a0868552126b716ecc020f9fe69b599e5583009f7d7e33895b03a50b7796d11c43576c51e2cfe2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\psrxc.iwq

Filesize
206KB

MD5
8f19bdd9a612727542d08ab7719e5295

SHA1
808679367b7bf403a052e775cfb333baa2d6d7d6

SHA256
4a68e019ec94a794b8fd9bb8dab2da040c85e71d8ccf7935c1e327a4e52bf4d4

SHA512
4f6fc8682478ea1ad4025b624d6b05a3596c40a2fce8bd5ab1500e64577f769854833d24be76c6a5243a02a2def9e901cdfc6f3c7eca725a47c43510f346d52e

Download Submit
memory/388-149-0x0000000003010000-0x0000000003108000-memory.dmp

Filesize
992KB

Download
memory/388-165-0x0000000008560000-0x000000000865D000-memory.dmp

Filesize
1012KB

Download
memory/388-157-0x0000000008560000-0x000000000865D000-memory.dmp

Filesize
1012KB

Download
memory/1484-141-0x0000000000480000-0x0000000000482000-memory.dmp

Filesize
8KB

Download
memory/1688-153-0x0000000000A80000-0x0000000000AA7000-memory.dmp

Filesize
156KB

Download
memory/1688-151-0x0000000000A80000-0x0000000000AA7000-memory.dmp

Filesize
156KB

Download
memory/1688-154-0x0000000000F80000-0x0000000000FAD000-memory.dmp

Filesize
180KB

Download
memory/1688-155-0x00000000032B0000-0x00000000035FA000-memory.dmp

Filesize
3.3MB

Download
memory/1688-156-0x0000000003100000-0x000000000318F000-memory.dmp

Filesize
572KB

Download
memory/2344-148-0x00000000004E0000-0x00000000004F0000-memory.dmp

Filesize
64KB

Download
memory/2344-147-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2344-146-0x0000000000A70000-0x0000000000DBA000-memory.dmp

Filesize
3.3MB

Download
memory/2344-145-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2344-142-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download