1ea1028025522a23f44fd7420403f488621eeaf8f4bb5b6b47f8bc7b213f06a6

General

Target

119749d597548e920588cb8cbe72ff2e.exe
Size

1.3MB
MD5

119749d597548e920588cb8cbe72ff2e
SHA1

0e85ceb4ec72720deca37803d873ccdacef9af9f
SHA256

1ea1028025522a23f44fd7420403f488621eeaf8f4bb5b6b47f8bc7b213f06a6
SHA512

20e579cef074438fd130bb8ceea3b6ab09ba5c9c49a675b64ec0ffd843ab6a3b2b2345a9b77805650352260e9c748f4de7e3f6abb373cc9377821e5ba4231e27
SSDEEP

24576:y6rT9SSZ7+w8gLDw0PxEUB8Yoyl2G5eTJMvyTaNAUnAyFmn8Wse:yC9Sy7+3gY0PxEUBroyl2DrTaNhOFse

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Control Panel\International\Geo\Nation	119749d597548e920588cb8cbe72ff2e.exe

Executes dropped EXE 1 IoCs

pid	Process
3932	JKNBMS.exe

Loads dropped DLL 3 IoCs

pid	Process
3932	JKNBMS.exe
3932	JKNBMS.exe
3932	JKNBMS.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nbclient = "C:\\Program Files\\5678soft\\nbclient\\jknbms.exe"	JKNBMS.exe

Drops file in Program Files directory 28 IoCs

description	ioc	Process
File created	C:\Program Files\5678soft\nbclient\JLEncrypt.dll	119749d597548e920588cb8cbe72ff2e.exe
File opened for modification	C:\Program Files\5678soft\nbclient\ErrorLog.txt	119749d597548e920588cb8cbe72ff2e.exe
File opened for modification	C:\Program Files\5678soft\nbclient\IEHELPER.dll	119749d597548e920588cb8cbe72ff2e.exe
File created	C:\Program Files\5678soft\nbclient\UNWISE.EXE	119749d597548e920588cb8cbe72ff2e.exe
File opened for modification	C:\Program Files\5678soft\nbclient\nbmscc.ser	119749d597548e920588cb8cbe72ff2e.exe
File created	C:\Program Files\__tmp_rar_sfx_access_check_240630125	119749d597548e920588cb8cbe72ff2e.exe
File opened for modification	C:\Program Files\5678soft\nbclient\SoapWebService.dll	119749d597548e920588cb8cbe72ff2e.exe
File created	C:\Program Files\5678soft\nbclient\UNWISE.INI	119749d597548e920588cb8cbe72ff2e.exe
File opened for modification	C:\Program Files\5678soft\nbclient	119749d597548e920588cb8cbe72ff2e.exe
File created	C:\Program Files\5678soft\nbclient\JKNBMS.exe	119749d597548e920588cb8cbe72ff2e.exe
File created	C:\Program Files\5678soft\nbclient\JKServerPS.dll	119749d597548e920588cb8cbe72ff2e.exe
File opened for modification	C:\Program Files\5678soft\nbclient\UNWISE.EXE	119749d597548e920588cb8cbe72ff2e.exe
File created	C:\Program Files\5678soft\nbclient\nbmscc.ser	119749d597548e920588cb8cbe72ff2e.exe
File opened for modification	C:\Program Files\5678soft	119749d597548e920588cb8cbe72ff2e.exe
File created	C:\Program Files\5678soft\nbclient\INSTALL.LOG	119749d597548e920588cb8cbe72ff2e.exe
File opened for modification	C:\Program Files\5678soft\nbclient\MYTIMER.sys	119749d597548e920588cb8cbe72ff2e.exe
File created	C:\Program Files\5678soft\nbclient\SoapWebService.dll	119749d597548e920588cb8cbe72ff2e.exe
File opened for modification	C:\Program Files\5678soft\nbclient\UNWISE.INI	119749d597548e920588cb8cbe72ff2e.exe
File opened for modification	C:\Program Files\5678soft\nbclient\INSTALL.LOG	119749d597548e920588cb8cbe72ff2e.exe
File opened for modification	C:\Program Files\5678soft\nbclient\JKNBMS.exe	119749d597548e920588cb8cbe72ff2e.exe
File opened for modification	C:\Program Files\5678soft\nbclient\ErrorLog.txt	JKNBMS.exe
File created	C:\Program Files\5678soft\nbclient\ErrorLog.txt	119749d597548e920588cb8cbe72ff2e.exe
File opened for modification	C:\Program Files\5678soft\nbclient\SetParam.exe	119749d597548e920588cb8cbe72ff2e.exe
File created	C:\Program Files\5678soft\nbclient\SetParam.exe	119749d597548e920588cb8cbe72ff2e.exe
File created	C:\Program Files\5678soft\nbclient\IEHELPER.dll	119749d597548e920588cb8cbe72ff2e.exe
File opened for modification	C:\Program Files\5678soft\nbclient\JLEncrypt.dll	119749d597548e920588cb8cbe72ff2e.exe
File opened for modification	C:\Program Files\5678soft\nbclient\JKServerPS.dll	119749d597548e920588cb8cbe72ff2e.exe
File created	C:\Program Files\5678soft\nbclient\MYTIMER.sys	119749d597548e920588cb8cbe72ff2e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\Software\Microsoft\Internet Explorer\Main	JKNBMS.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.xjshoping.com/"	JKNBMS.exe

Suspicious behavior: LoadsDriver 22 IoCs

pid	Process
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found
672	Process not Found

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4612 wrote to memory of 3932	4612	119749d597548e920588cb8cbe72ff2e.exe	92
PID 4612 wrote to memory of 3932	4612	119749d597548e920588cb8cbe72ff2e.exe	92
PID 4612 wrote to memory of 3932	4612	119749d597548e920588cb8cbe72ff2e.exe	92

C:\Users\Admin\AppData\Local\Temp\119749d597548e920588cb8cbe72ff2e.exe
"C:\Users\Admin\AppData\Local\Temp\119749d597548e920588cb8cbe72ff2e.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4612
- C:\Program Files\5678soft\nbclient\JKNBMS.exe
  "C:\Program Files\5678soft\nbclient\JKNBMS.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  PID:3932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\5678soft\nbclient\JKNBMS.exe

Filesize
71KB

MD5
4723274209607b3e0b12e72f077f0682

SHA1
d131ab38d01dbf80694fc3470ef6ae066ef1265c

SHA256
0ec3c3fe05fbfa1b034501147da2b12b9149198cb1c9b84e52ed7cd7fc4c53a7

SHA512
b5e486fbb4ba019ad5bd5256de133bffaa588425caa1e7d81afbd60ad408ab0b6fd1e6311843e446727ef042d8212e5a5d78aecedd194ce3e36c93107fd83289

Download Submit
C:\Program Files\5678soft\nbclient\JKNBMS.exe

Filesize
92KB

MD5
b69328f54ad92ce23c319708ec8fbea7

SHA1
ac931b996ddc3b7ed2143ac1f313a54b556d4c35

SHA256
d973061bbca7d1137f34320093d4c0990968821e7bc41829c79a3121770e3930

SHA512
108960927b6f4931615d5565a35939f1ff5db4628bb32ad3072270c9402a2f66180c245a533036d8879333e0ce6b33e1e584e1d0c1657fb147c54fee57ef4f89

Download Submit
C:\Program Files\5678soft\nbclient\SOAPWEBSERVICE.DLL

Filesize
20KB

MD5
c2092f4d0d16d9a7726037354168f660

SHA1
9a3f5a87b63e61c21f16e61e8974e6dd1cb34e39

SHA256
8fcc7937fafb9e2eb393f1e1a385f97569e94800bfda7b09199fa5aced9ec132

SHA512
6ed0defbfa9fae7e918c19657c35569e7371e73e99495f78ecf993468a872376648059577be28712b2703b9850e69fc020c091052f0ae53c4c0ddbddbd34655e

Download Submit
memory/3932-36-0x00000000005F0000-0x0000000000605000-memory.dmp

Filesize
84KB

Download
memory/3932-37-0x0000000002460000-0x0000000002461000-memory.dmp

Filesize
4KB

Download
memory/3932-43-0x0000000000400000-0x00000000005EE000-memory.dmp

Filesize
1.9MB

Download
memory/3932-44-0x00000000005F0000-0x0000000000605000-memory.dmp

Filesize
84KB

Download
memory/3932-47-0x0000000002460000-0x0000000002461000-memory.dmp

Filesize
4KB

Download
memory/3932-49-0x00000000005F0000-0x0000000000605000-memory.dmp

Filesize
84KB

Download
memory/3932-71-0x00000000005F0000-0x0000000000605000-memory.dmp

Filesize
84KB

Download
memory/4612-34-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/4612-22-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads