7bb7fbbd6453d3a050febfd3a737f1be7c21fcbc1329eb3a27305f54cb84c988

General

Target

7bb7fbbd6453d3a050febfd3a737f1be7c21fcbc1329eb3a27305f54cb84c988.exe
Size

3.6MB
MD5

3c56e0304886c98593f0d2be7a27f398
SHA1

b040c424d7c56e370f82a4b58251acfaef8360fa
SHA256

7bb7fbbd6453d3a050febfd3a737f1be7c21fcbc1329eb3a27305f54cb84c988
SHA512

dc40e656868e49149ffb98c1dc49c2605edf7a0275606e71c7aeed07694b728df8dc51b52c444d59319daf5685e9f0b83ccdbc93b50d5872411e7a020607a04b
SSDEEP

49152:4isbu5RceK8aFDu8+WZ60/JKYSljEvATu3aLkMyEDNKDXAWMeH4:QukuaFDu8PZVww3aLkMyEADQ2

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2496	JQSZY.exe

Loads dropped DLL 2 IoCs

pid	Process
2588	cmd.exe
2588	cmd.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2728	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2652	timeout.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2796	7bb7fbbd6453d3a050febfd3a737f1be7c21fcbc1329eb3a27305f54cb84c988.exe
Token: SeDebugPrivilege	2496	JQSZY.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 2588	2796	7bb7fbbd6453d3a050febfd3a737f1be7c21fcbc1329eb3a27305f54cb84c988.exe	30
PID 2796 wrote to memory of 2588	2796	7bb7fbbd6453d3a050febfd3a737f1be7c21fcbc1329eb3a27305f54cb84c988.exe	30
PID 2796 wrote to memory of 2588	2796	7bb7fbbd6453d3a050febfd3a737f1be7c21fcbc1329eb3a27305f54cb84c988.exe	30
PID 2588 wrote to memory of 2652	2588	cmd.exe	32
PID 2588 wrote to memory of 2652	2588	cmd.exe	32
PID 2588 wrote to memory of 2652	2588	cmd.exe	32
PID 2588 wrote to memory of 2496	2588	cmd.exe	33
PID 2588 wrote to memory of 2496	2588	cmd.exe	33
PID 2588 wrote to memory of 2496	2588	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\7bb7fbbd6453d3a050febfd3a737f1be7c21fcbc1329eb3a27305f54cb84c988.exe
"C:\Users\Admin\AppData\Local\Temp\7bb7fbbd6453d3a050febfd3a737f1be7c21fcbc1329eb3a27305f54cb84c988.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp5CB1.tmp.bat""
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2652
- - C:\ProgramData\x64netJS\JQSZY.exe
    "C:\ProgramData\x64netJS\JQSZY.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2496
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "JQSZY" /tr "C:\ProgramData\x64netJS\JQSZY.exe"
      4⤵
      PID:2476
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "JQSZY" /tr "C:\ProgramData\x64netJS\JQSZY.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\x64netJS\JQSZY.exe

Filesize
185.5MB

MD5
b2bc513618040ace8ec310f2587e799c

SHA1
8e23f704213e6c0f378ccc65c829bada81c1b953

SHA256
440b59652158987b777e5ff0cd0ec1a15d43dd23426245a58a5254b2ce666f11

SHA512
70d63855a324bd0230b925badeac24a305b0b5d950393c615056f3883a18bc2ce53354b76a9ed0af0f01863d44b3f290e460b0849136bbcd0e64499340e15111

Download Submit
C:\ProgramData\x64netJS\JQSZY.exe

Filesize
185.6MB

MD5
9ad23f3d43a4626e39c27095d86b564c

SHA1
393d888606f08c66fdbd1a389ba28f72bdfba271

SHA256
f454dd83d9ba45b16b4517eae06554fbdd2b47248fb126bb139f5721f95c6ba0

SHA512
5c108eea025dda32eedd877b2d8cce34f1eb1ccbb0e57bf8cd88c5bcc5a8ddbb0055eb9009cf680d5fb2184660deadac4a01f171164e7f39634e5246b4723cba

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5CB1.tmp.bat

Filesize
142B

MD5
9331f21899749a83312c8ab982305ad1

SHA1
a119dc43f512d0a80346578145472798f81357ab

SHA256
86cde77b4bea26e3e57822baa41572eeacf242067c6da1ed7dfb56e3b1875515

SHA512
71edab42698618cfaaa60fd07d045d13e50cdaa72e59cb4a6b2a0008f86328a4addacb9c34a630148b1bf0c55de47a7d597b3f46ce98742cbdc6220fa70eb350

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5CB1.tmp.bat

Filesize
142B

MD5
9331f21899749a83312c8ab982305ad1

SHA1
a119dc43f512d0a80346578145472798f81357ab

SHA256
86cde77b4bea26e3e57822baa41572eeacf242067c6da1ed7dfb56e3b1875515

SHA512
71edab42698618cfaaa60fd07d045d13e50cdaa72e59cb4a6b2a0008f86328a4addacb9c34a630148b1bf0c55de47a7d597b3f46ce98742cbdc6220fa70eb350

Download Submit
\ProgramData\x64netJS\JQSZY.exe

Filesize
173.7MB

MD5
5bb192ed0dc73cd0f946175dc91145bd

SHA1
9211f65e609a62e40a5e928bc3197e9fad71ae6f

SHA256
f72da218f73b5630c1ac0428d27362c48a8d2b5dfd8613dd847df253ac2881bc

SHA512
fd66d459d823ca57f187c1f4db269dce16e247d62d4d1fba9230cc4eaa956c2b8eb8816e9274d110ee83618224cb38aeb9a806e7107293d8b7ff1941fafd3e7e

Download Submit
\ProgramData\x64netJS\JQSZY.exe

Filesize
169.6MB

MD5
b29dc9fcb211c446c4b649c43dc9d479

SHA1
fc805fd90961adf7260ec688ecfcd68e596da3d0

SHA256
106a29629758d20c36572bddb5960af9fc3c03d839fc020624012850347d412e

SHA512
6b72183cd7196ea6f059a09dd33d6aa0d2dedbcf9942284b37b06b3c77544cdb40d497cc649f17d0944a37704d5c991409f90b284ae3875521660a45bb587df1

Download Submit
memory/2496-24-0x000000001C4F0000-0x000000001C570000-memory.dmp

Filesize
512KB

Download
memory/2496-25-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2496-30-0x000007FEF4810000-0x000007FEF51FC000-memory.dmp

Filesize
9.9MB

Download
memory/2496-29-0x000000001C4F0000-0x000000001C570000-memory.dmp

Filesize
512KB

Download
memory/2496-26-0x000007FEF4810000-0x000007FEF51FC000-memory.dmp

Filesize
9.9MB

Download
memory/2496-23-0x0000000000150000-0x00000000004E4000-memory.dmp

Filesize
3.6MB

Download
memory/2496-22-0x000007FEF4810000-0x000007FEF51FC000-memory.dmp

Filesize
9.9MB

Download
memory/2796-1-0x000007FEF5200000-0x000007FEF5BEC000-memory.dmp

Filesize
9.9MB

Download
memory/2796-2-0x000000001C3C0000-0x000000001C440000-memory.dmp

Filesize
512KB

Download
memory/2796-0-0x00000000011A0000-0x0000000001534000-memory.dmp

Filesize
3.6MB

Download
memory/2796-6-0x000000001C3C0000-0x000000001C440000-memory.dmp

Filesize
512KB

Download
memory/2796-3-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download
memory/2796-5-0x000007FEF5200000-0x000007FEF5BEC000-memory.dmp

Filesize
9.9MB

Download
memory/2796-17-0x000007FEF5200000-0x000007FEF5BEC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads