08f6f98560d7c79ebe346d8c0664270301b6bc8d8b0eb78f30cb1efbde422257

General

Target

08f6f98560d7c79ebe346d8c0664270301b6bc8d8b0eb78f30cb1efbde422257_JC.exe
Size

3.2MB
MD5

927783a38772fd607fb4dfbf34dceaf3
SHA1

ec0943dc121d4e0526f47c048cd7de4e531bde9c
SHA256

08f6f98560d7c79ebe346d8c0664270301b6bc8d8b0eb78f30cb1efbde422257
SHA512

f3110f91d2ed20356f73dd8ed5f26d6411e7fddea1b69e14a38e462cc0300547751e84f2c9baf0066afede9831209032e1989a988b26089204d7d8e238effae2
SSDEEP

49152:+rrM8ykrJLTarx7otjag3oSPV71Unco9U+ED45aU8QrMmI/KP5zXbYhU/Krq1Ze0:+mcWWYTa96txQxuT66hyYTBDLL

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-919254492-3979293997-764407192-1000\Control Panel\International\Geo\Nation	JQSZY.exe

Executes dropped EXE 1 IoCs

pid	Process
4672	JQSZY.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1740	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3260	timeout.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
4672	JQSZY.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3480	08f6f98560d7c79ebe346d8c0664270301b6bc8d8b0eb78f30cb1efbde422257_JC.exe
Token: SeDebugPrivilege	4672	JQSZY.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 3480 wrote to memory of 4444	3480	08f6f98560d7c79ebe346d8c0664270301b6bc8d8b0eb78f30cb1efbde422257_JC.exe	97
PID 3480 wrote to memory of 4444	3480	08f6f98560d7c79ebe346d8c0664270301b6bc8d8b0eb78f30cb1efbde422257_JC.exe	97
PID 4444 wrote to memory of 3260	4444	cmd.exe	100
PID 4444 wrote to memory of 3260	4444	cmd.exe	100
PID 4444 wrote to memory of 4672	4444	cmd.exe	101
PID 4444 wrote to memory of 4672	4444	cmd.exe	101
PID 4672 wrote to memory of 1120	4672	JQSZY.exe	102
PID 4672 wrote to memory of 1120	4672	JQSZY.exe	102
PID 1120 wrote to memory of 1740	1120	cmd.exe	104
PID 1120 wrote to memory of 1740	1120	cmd.exe	104

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\08f6f98560d7c79ebe346d8c0664270301b6bc8d8b0eb78f30cb1efbde422257_JC.exe
"C:\Users\Admin\AppData\Local\Temp\08f6f98560d7c79ebe346d8c0664270301b6bc8d8b0eb78f30cb1efbde422257_JC.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3480
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC9B4.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4444
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:3260
- - C:\ProgramData\x64netJS\JQSZY.exe
    "C:\ProgramData\x64netJS\JQSZY.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4672
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "JQSZY" /tr "C:\ProgramData\x64netJS\JQSZY.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1120
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "JQSZY" /tr "C:\ProgramData\x64netJS\JQSZY.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:1740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\x64netJS\JQSZY.exe

Filesize
436.4MB

MD5
bb5e97fce798a1d260deaac695e5b6e3

SHA1
8bf8c0ab47b007758295ffb00507cd50acb640fe

SHA256
c8938dbd87e9294cf58fe68d356a5a282e22a5da78baaa2cbee5117431f407fa

SHA512
7432dc63b755bf087f273bf16b0878172bf85e38c021fff5cda3469608f4e59a79a537bd6b9d6fdac20a54701588b85bac06439ad467c10bc56a73c3771caa73

Download Submit
C:\ProgramData\x64netJS\JQSZY.exe

Filesize
442.2MB

MD5
b8daa6531126f3e8cfcd589d4b341c91

SHA1
75ce8c60d98ca949893e9d03a1b6399f246f5b01

SHA256
df48f956b275a7e749e223aaf5cc8364447ef6a108066c281ab03a26c7ec838f

SHA512
aa7d0c845656230b290ab5b30a6d6db80c2b4807c10f2622fa2f1a55ae1505189f2e27a350fb661b14f0df368d8a1f1ec5739f73d3b157ee33ace608b0b59dda

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC9B4.tmp.bat

Filesize
142B

MD5
5a7f3bba2199f1d74f4902bad0f35d15

SHA1
3207c3dde6ce5c29453226b2dadef4c07c686856

SHA256
0cf3cae4a7b36108edde107a43a7dbebb256596d7351bfd7d64f6cbce7d75bf2

SHA512
518dbaf7a7ec2dad66da5a0201dff9a84cfa3c9c59621ad9c599fc25136406bd4051e5a0a098e0ec375adc109a5a254b36a3b97068732c6f69edbc9f0cc23d75

Download Submit
memory/3480-4-0x00007FFBDE020000-0x00007FFBDEAE1000-memory.dmp

Filesize
10.8MB

Download
memory/3480-5-0x0000000001F30000-0x0000000001F40000-memory.dmp

Filesize
64KB

Download
memory/3480-11-0x00007FFBDE020000-0x00007FFBDEAE1000-memory.dmp

Filesize
10.8MB

Download
memory/3480-0-0x0000000000DA0000-0x00000000010D0000-memory.dmp

Filesize
3.2MB

Download
memory/3480-2-0x0000000001F30000-0x0000000001F40000-memory.dmp

Filesize
64KB

Download
memory/3480-1-0x00007FFBDE020000-0x00007FFBDEAE1000-memory.dmp

Filesize
10.8MB

Download
memory/4672-16-0x00007FFBDE2E0000-0x00007FFBDEDA1000-memory.dmp

Filesize
10.8MB

Download
memory/4672-17-0x000000001BEF0000-0x000000001BF00000-memory.dmp

Filesize
64KB

Download
memory/4672-18-0x00007FFBDE2E0000-0x00007FFBDEDA1000-memory.dmp

Filesize
10.8MB

Download
memory/4672-21-0x000000001BEF0000-0x000000001BF00000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads