35f112a9747cbf00a5cc0b3f2f81d79a266b38abe99b5e5171cceaf3acedc144

General

Target

ec6f9d90515c1f077c510efde297792a1dec4a5c3b1653baad3155a2df6be0b6.exe
Size

2.8MB
MD5

0699af667fe97c6bea49453b85828337
SHA1

932c783a1043329e85fc394060d9fe2effaf115e
SHA256

ec6f9d90515c1f077c510efde297792a1dec4a5c3b1653baad3155a2df6be0b6
SHA512

e70c5afeb2231beeac4b0c6bac31a6c7edb1fb36c875a4a9bf1048abef78e2aee0dc4f6f1955ed01182d42d638861385965300a1a4480918e6eea40f48e4ab16
SSDEEP

49152:iqU9c4aoRRxsvG3hDObR2dsCTjHLcAdHTAygs/22MOZaE1jZUSJOEdKLiSsS+lTC:K9a0EwLE2tY1QHlY

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2808	JQSZY.exe

Loads dropped DLL 1 IoCs

pid	Process
2888	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2956	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2628	timeout.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2044	ec6f9d90515c1f077c510efde297792a1dec4a5c3b1653baad3155a2df6be0b6.exe
Token: SeDebugPrivilege	2808	JQSZY.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 2888	2044	ec6f9d90515c1f077c510efde297792a1dec4a5c3b1653baad3155a2df6be0b6.exe	30
PID 2044 wrote to memory of 2888	2044	ec6f9d90515c1f077c510efde297792a1dec4a5c3b1653baad3155a2df6be0b6.exe	30
PID 2044 wrote to memory of 2888	2044	ec6f9d90515c1f077c510efde297792a1dec4a5c3b1653baad3155a2df6be0b6.exe	30
PID 2888 wrote to memory of 2628	2888	cmd.exe	32
PID 2888 wrote to memory of 2628	2888	cmd.exe	32
PID 2888 wrote to memory of 2628	2888	cmd.exe	32
PID 2888 wrote to memory of 2808	2888	cmd.exe	33
PID 2888 wrote to memory of 2808	2888	cmd.exe	33
PID 2888 wrote to memory of 2808	2888	cmd.exe	33
PID 2808 wrote to memory of 2560	2808	JQSZY.exe	34
PID 2808 wrote to memory of 2560	2808	JQSZY.exe	34
PID 2808 wrote to memory of 2560	2808	JQSZY.exe	34
PID 2560 wrote to memory of 2956	2560	cmd.exe	36
PID 2560 wrote to memory of 2956	2560	cmd.exe	36
PID 2560 wrote to memory of 2956	2560	cmd.exe	36
PID 2808 wrote to memory of 2544	2808	JQSZY.exe	37
PID 2808 wrote to memory of 2544	2808	JQSZY.exe	37
PID 2808 wrote to memory of 2544	2808	JQSZY.exe	37

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ec6f9d90515c1f077c510efde297792a1dec4a5c3b1653baad3155a2df6be0b6.exe
"C:\Users\Admin\AppData\Local\Temp\ec6f9d90515c1f077c510efde297792a1dec4a5c3b1653baad3155a2df6be0b6.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp24B0.tmp.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2628
- - C:\ProgramData\x64netJS\JQSZY.exe
    "C:\ProgramData\x64netJS\JQSZY.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2808
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "JQSZY" /tr "C:\ProgramData\x64netJS\JQSZY.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2560
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "JQSZY" /tr "C:\ProgramData\x64netJS\JQSZY.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:2956
  - - C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2808 -s 904
      4⤵
      PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\x64netJS\JQSZY.exe

Filesize
82.1MB

MD5
642f485a57bb1fa476c660843a4b4a35

SHA1
49eba50ba3a396d0d54206bab898b3104dc255fd

SHA256
3cb739c7386788f2f071127ae3fd1aed4d3d601993b315cad689a03978f79bf1

SHA512
0237c8524c4f62d6e901de62768d6341b0ea817c4d3ec62f61beb36b6c1ca6f8b73228b813fa95bae770d7b316824819bd5940e22fa836764bda033bb5899cf7

Download Submit
C:\ProgramData\x64netJS\JQSZY.exe

Filesize
80.8MB

MD5
99d19262839032b78f0a4c4ebba42111

SHA1
7449f8947fcc87b1aeef5bb421edd813cea379ab

SHA256
4c60343eef7d52dec0b49dc6634d3c4c69e5beda4351944854ec3b9ea478289c

SHA512
4e55dd86c88bf6cd7b46ed29b7bdeec3e8184578d0f0d9e958c996d5a6f154bed607067eda89e720617e4417ad9aad211b57fdd1d67f16ddd1b2463e22970427

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp24B0.tmp.bat

Filesize
142B

MD5
eeb46f42ce80b0b9de5501b37de5f0c5

SHA1
fee6fa953156ac9c77c10a179db2117ebb64561f

SHA256
96812cababe8dfc9f34e45a0d9b3c447b5bc2f8a164061a714b8bf5e8547da58

SHA512
d0af9e37bfbe31d823ede34ec13935c1c9910e5b0ec34e32ca1a308618e794eff3057ba88f6fab070e96417636ae9ff6bfba5f24bf48c05d583c71a901012df0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp24B0.tmp.bat

Filesize
142B

MD5
eeb46f42ce80b0b9de5501b37de5f0c5

SHA1
fee6fa953156ac9c77c10a179db2117ebb64561f

SHA256
96812cababe8dfc9f34e45a0d9b3c447b5bc2f8a164061a714b8bf5e8547da58

SHA512
d0af9e37bfbe31d823ede34ec13935c1c9910e5b0ec34e32ca1a308618e794eff3057ba88f6fab070e96417636ae9ff6bfba5f24bf48c05d583c71a901012df0

Download Submit
\ProgramData\x64netJS\JQSZY.exe

Filesize
81.8MB

MD5
0a0d1576ea132afb63b533331689471f

SHA1
ad83d2c0e6810e712824c8c4764cd28a50504f0e

SHA256
11d76ec98f559c3141dcedaced1cb6652e5475239267bc927a75f579dc59e2f7

SHA512
136c82754b9526fb39eee507488f5cb82b1392ed7934ad24580224edc906eb67ca206a378cfb854074593ae0d875b7c94a493229598d0d969a1976867a347acb

Download Submit
memory/2044-17-0x000007FEF5400000-0x000007FEF5DEC000-memory.dmp

Filesize
9.9MB

Download
memory/2044-6-0x000000001BDB0000-0x000000001BE30000-memory.dmp

Filesize
512KB

Download
memory/2044-4-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/2044-0-0x000007FEF5400000-0x000007FEF5DEC000-memory.dmp

Filesize
9.9MB

Download
memory/2044-3-0x000000001BDB0000-0x000000001BE30000-memory.dmp

Filesize
512KB

Download
memory/2044-2-0x000007FEF5400000-0x000007FEF5DEC000-memory.dmp

Filesize
9.9MB

Download
memory/2044-1-0x00000000003E0000-0x00000000006A8000-memory.dmp

Filesize
2.8MB

Download
memory/2808-22-0x00000000003D0000-0x0000000000698000-memory.dmp

Filesize
2.8MB

Download
memory/2808-23-0x000007FEF4A10000-0x000007FEF53FC000-memory.dmp

Filesize
9.9MB

Download
memory/2808-25-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2808-24-0x000000001C400000-0x000000001C480000-memory.dmp

Filesize
512KB

Download
memory/2808-26-0x000007FEF4A10000-0x000007FEF53FC000-memory.dmp

Filesize
9.9MB

Download
memory/2808-27-0x000000001C400000-0x000000001C480000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads