92b9dbef2c0414a2e5f09e2a419a80ba9feb628761a6b07d14fb885b2fa22b60

General

Target

92b9dbef2c0414a2e5f09e2a419a80ba9feb628761a6b07d14fb885b2fa22b60.exe
Size

2.2MB
MD5

6a89ffb7a507b6eebf6ec8d7635f6a24
SHA1

63e1e227e56d71b28a4e3ddee623986d98b92a72
SHA256

92b9dbef2c0414a2e5f09e2a419a80ba9feb628761a6b07d14fb885b2fa22b60
SHA512

ddccc7028e469518d2f6c16d70a0f4e4d504135738e0678783fda0b349c22e22a57012e2ad3a4564b93429a5743b8869e3de54c446c9dc800df22544808d02d5
SSDEEP

24576:AZO7/OchxtGgIbpCe5LXsRa4ug9FG8jfqWdwo86FWbbb:cO7PTIsexsRa4uibjf/dw7lbbb

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2468	JQSZY.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1916	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1068	timeout.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2468	JQSZY.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1344	92b9dbef2c0414a2e5f09e2a419a80ba9feb628761a6b07d14fb885b2fa22b60.exe
Token: SeDebugPrivilege	2468	JQSZY.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1344 wrote to memory of 2040	1344	92b9dbef2c0414a2e5f09e2a419a80ba9feb628761a6b07d14fb885b2fa22b60.exe	69
PID 1344 wrote to memory of 2040	1344	92b9dbef2c0414a2e5f09e2a419a80ba9feb628761a6b07d14fb885b2fa22b60.exe	69
PID 2040 wrote to memory of 1068	2040	cmd.exe	71
PID 2040 wrote to memory of 1068	2040	cmd.exe	71
PID 2040 wrote to memory of 2468	2040	cmd.exe	72
PID 2040 wrote to memory of 2468	2040	cmd.exe	72
PID 2468 wrote to memory of 704	2468	JQSZY.exe	73
PID 2468 wrote to memory of 704	2468	JQSZY.exe	73
PID 704 wrote to memory of 1916	704	cmd.exe	75
PID 704 wrote to memory of 1916	704	cmd.exe	75

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\92b9dbef2c0414a2e5f09e2a419a80ba9feb628761a6b07d14fb885b2fa22b60.exe
"C:\Users\Admin\AppData\Local\Temp\92b9dbef2c0414a2e5f09e2a419a80ba9feb628761a6b07d14fb885b2fa22b60.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1344
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpFE94.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:1068
- - C:\ProgramData\x64netJS\JQSZY.exe
    "C:\ProgramData\x64netJS\JQSZY.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2468
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "JQSZY" /tr "C:\ProgramData\x64netJS\JQSZY.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:704
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "JQSZY" /tr "C:\ProgramData\x64netJS\JQSZY.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:1916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\x64netJS\JQSZY.exe

Filesize
772.0MB

MD5
c0bacf493e54070bab9a0eaa6ae76d64

SHA1
621576771d58a13a7482dfeb42486a44d80e4bc3

SHA256
c9d62649f374f33a0fe50cf788a1ae669dba33c8d98749c17b8bf7353a37f409

SHA512
2d52bd9ce9b006695b9419338998d9b8da4f85693f76355e8574c0f0dc1b996147fb54ccb128c7b581bf5a0eefa4e2e2e73b5701355edb242b25697ac58f6982

Download Submit
C:\ProgramData\x64netJS\JQSZY.exe

Filesize
772.0MB

MD5
c0bacf493e54070bab9a0eaa6ae76d64

SHA1
621576771d58a13a7482dfeb42486a44d80e4bc3

SHA256
c9d62649f374f33a0fe50cf788a1ae669dba33c8d98749c17b8bf7353a37f409

SHA512
2d52bd9ce9b006695b9419338998d9b8da4f85693f76355e8574c0f0dc1b996147fb54ccb128c7b581bf5a0eefa4e2e2e73b5701355edb242b25697ac58f6982

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFE94.tmp.bat

Filesize
142B

MD5
1c2f6c6eb4420b8fec826f2e536de93b

SHA1
bc4dd8b64fd7959205ef5115cc7686c6bf4f0231

SHA256
18eb9d63c3c82c2b6fdcac5cb742e20ef219cc2bea022894393e39c1c64d57d1

SHA512
2566b6cdc3c9092a99c3f9af627d5e36723859fed630cdf7b6aa6bdb225a19dade4fdfcf334f5191ec7f9430d5208ca762230c90071b57871b6703fb5f936e07

Download Submit
memory/1344-3-0x00000000011B0000-0x00000000011B1000-memory.dmp

Filesize
4KB

Download
memory/1344-5-0x00007FFAF6FA0000-0x00007FFAF798C000-memory.dmp

Filesize
9.9MB

Download
memory/1344-6-0x000000001B860000-0x000000001B870000-memory.dmp

Filesize
64KB

Download
memory/1344-0-0x0000000000810000-0x0000000000A44000-memory.dmp

Filesize
2.2MB

Download
memory/1344-13-0x00007FFAF6FA0000-0x00007FFAF798C000-memory.dmp

Filesize
9.9MB

Download
memory/1344-2-0x000000001B860000-0x000000001B870000-memory.dmp

Filesize
64KB

Download
memory/1344-1-0x00007FFAF6FA0000-0x00007FFAF798C000-memory.dmp

Filesize
9.9MB

Download
memory/2468-17-0x00007FFAF6FA0000-0x00007FFAF798C000-memory.dmp

Filesize
9.9MB

Download
memory/2468-18-0x000000001B8B0000-0x000000001B8C0000-memory.dmp

Filesize
64KB

Download
memory/2468-19-0x0000000001440000-0x0000000001441000-memory.dmp

Filesize
4KB

Download
memory/2468-20-0x00007FFAF6FA0000-0x00007FFAF798C000-memory.dmp

Filesize
9.9MB

Download
memory/2468-23-0x000000001B8B0000-0x000000001B8C0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads