954e838e8f5b220253b75049646ecc1354a18fc1815d2631676a5b3b640ae04e

Analysis

max time kernel
151s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
01/01/2024, 20:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

954e838e8f5b220253b75049646ecc1354a18fc1815d2631676a5b3b640ae04e.exe
Size

4.7MB
MD5

8d28010627a4b1d9135a58c76fae8403
SHA1

291f782cec0b4c848cdbcc2434c54ba2c2b580c3
SHA256

954e838e8f5b220253b75049646ecc1354a18fc1815d2631676a5b3b640ae04e
SHA512

c460ede4f85a58873bbae462fb0cccfe7ec69298145be5c6f47721db5707fb072adc3483c37d1fb9d827158a7047a66a9f3b947e9fa37941229cd539a2a9a4e2
SSDEEP

98304:Qg2pUvDo4iVk6IGLJD0YJYtviHPvVG+EmITP54sGoLqQM5hjhuzsK1V8Nk3xZQ0c:2UvU66ImJ0YuvqUxTPzlujKs/NkU1449

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4404	954e838e8f5b220253b75049646ecc1354a18fc1815d2631676a5b3b640ae04e.tmp
4344	jsonstdapi.exe
1884	jsonstdapi.exe

Loads dropped DLL 3 IoCs

pid	Process
4404	954e838e8f5b220253b75049646ecc1354a18fc1815d2631676a5b3b640ae04e.tmp
4404	954e838e8f5b220253b75049646ecc1354a18fc1815d2631676a5b3b640ae04e.tmp
4404	954e838e8f5b220253b75049646ecc1354a18fc1815d2631676a5b3b640ae04e.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 51 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-61LPM.tmp	954e838e8f5b220253b75049646ecc1354a18fc1815d2631676a5b3b640ae04e.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-07T5C.tmp	954e838e8f5b220253b75049646ecc1354a18fc1815d2631676a5b3b640ae04e.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-7RTQN.tmp	954e838e8f5b220253b75049646ecc1354a18fc1815d2631676a5b3b640ae04e.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-F7PNI.tmp	954e838e8f5b220253b75049646ecc1354a18fc1815d2631676a5b3b640ae04e.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-PHQSL.tmp	954e838e8f5b220253b75049646ecc1354a18fc1815d2631676a5b3b640ae04e.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\stuff\is-2OUS3.tmp	954e838e8f5b220253b75049646ecc1354a18fc1815d2631676a5b3b640ae04e.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-GSB1G.tmp	954e838e8f5b220253b75049646ecc1354a18fc1815d2631676a5b3b640ae04e.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-DEGL1.tmp	954e838e8f5b220253b75049646ecc1354a18fc1815d2631676a5b3b640ae04e.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-KPEF3.tmp	954e838e8f5b220253b75049646ecc1354a18fc1815d2631676a5b3b640ae04e.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-0P835.tmp	954e838e8f5b220253b75049646ecc1354a18fc1815d2631676a5b3b640ae04e.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-0ATDI.tmp	954e838e8f5b220253b75049646ecc1354a18fc1815d2631676a5b3b640ae04e.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\stuff\is-834BT.tmp	954e838e8f5b220253b75049646ecc1354a18fc1815d2631676a5b3b640ae04e.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-U7CIA.tmp	954e838e8f5b220253b75049646ecc1354a18fc1815d2631676a5b3b640ae04e.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-4KM22.tmp	954e838e8f5b220253b75049646ecc1354a18fc1815d2631676a5b3b640ae04e.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-UJ80T.tmp	954e838e8f5b220253b75049646ecc1354a18fc1815d2631676a5b3b640ae04e.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-2M8HD.tmp	954e838e8f5b220253b75049646ecc1354a18fc1815d2631676a5b3b640ae04e.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-SC239.tmp	954e838e8f5b220253b75049646ecc1354a18fc1815d2631676a5b3b640ae04e.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-Q52U2.tmp	954e838e8f5b220253b75049646ecc1354a18fc1815d2631676a5b3b640ae04e.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-SNBV2.tmp	954e838e8f5b220253b75049646ecc1354a18fc1815d2631676a5b3b640ae04e.tmp
File opened for modification	C:\Program Files (x86)\JSON Stdandart API\unins000.dat	954e838e8f5b220253b75049646ecc1354a18fc1815d2631676a5b3b640ae04e.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-QKG3F.tmp	954e838e8f5b220253b75049646ecc1354a18fc1815d2631676a5b3b640ae04e.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-4BQRT.tmp	954e838e8f5b220253b75049646ecc1354a18fc1815d2631676a5b3b640ae04e.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-EPBH6.tmp	954e838e8f5b220253b75049646ecc1354a18fc1815d2631676a5b3b640ae04e.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-69K60.tmp	954e838e8f5b220253b75049646ecc1354a18fc1815d2631676a5b3b640ae04e.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-B75B1.tmp	954e838e8f5b220253b75049646ecc1354a18fc1815d2631676a5b3b640ae04e.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\plugins\internal\is-A997M.tmp	954e838e8f5b220253b75049646ecc1354a18fc1815d2631676a5b3b640ae04e.tmp
File opened for modification	C:\Program Files (x86)\JSON Stdandart API\jsonstdapi.exe	954e838e8f5b220253b75049646ecc1354a18fc1815d2631676a5b3b640ae04e.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\is-V1202.tmp	954e838e8f5b220253b75049646ecc1354a18fc1815d2631676a5b3b640ae04e.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-MUKFA.tmp	954e838e8f5b220253b75049646ecc1354a18fc1815d2631676a5b3b640ae04e.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\unins000.dat	954e838e8f5b220253b75049646ecc1354a18fc1815d2631676a5b3b640ae04e.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-JTMU1.tmp	954e838e8f5b220253b75049646ecc1354a18fc1815d2631676a5b3b640ae04e.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\lessmsi\is-0BUGG.tmp	954e838e8f5b220253b75049646ecc1354a18fc1815d2631676a5b3b640ae04e.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\stuff\is-DUS17.tmp	954e838e8f5b220253b75049646ecc1354a18fc1815d2631676a5b3b640ae04e.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-F5GC7.tmp	954e838e8f5b220253b75049646ecc1354a18fc1815d2631676a5b3b640ae04e.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-MSPT9.tmp	954e838e8f5b220253b75049646ecc1354a18fc1815d2631676a5b3b640ae04e.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-S1PPS.tmp	954e838e8f5b220253b75049646ecc1354a18fc1815d2631676a5b3b640ae04e.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-R8R66.tmp	954e838e8f5b220253b75049646ecc1354a18fc1815d2631676a5b3b640ae04e.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-H6LK4.tmp	954e838e8f5b220253b75049646ecc1354a18fc1815d2631676a5b3b640ae04e.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-RDSUE.tmp	954e838e8f5b220253b75049646ecc1354a18fc1815d2631676a5b3b640ae04e.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\stuff\is-LKBCC.tmp	954e838e8f5b220253b75049646ecc1354a18fc1815d2631676a5b3b640ae04e.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-7LNC1.tmp	954e838e8f5b220253b75049646ecc1354a18fc1815d2631676a5b3b640ae04e.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-NCO4L.tmp	954e838e8f5b220253b75049646ecc1354a18fc1815d2631676a5b3b640ae04e.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-D6R9H.tmp	954e838e8f5b220253b75049646ecc1354a18fc1815d2631676a5b3b640ae04e.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-JFG79.tmp	954e838e8f5b220253b75049646ecc1354a18fc1815d2631676a5b3b640ae04e.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-2CI4S.tmp	954e838e8f5b220253b75049646ecc1354a18fc1815d2631676a5b3b640ae04e.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\plugins\internal\is-TV763.tmp	954e838e8f5b220253b75049646ecc1354a18fc1815d2631676a5b3b640ae04e.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-MAT2S.tmp	954e838e8f5b220253b75049646ecc1354a18fc1815d2631676a5b3b640ae04e.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-AN7OD.tmp	954e838e8f5b220253b75049646ecc1354a18fc1815d2631676a5b3b640ae04e.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-F8KI9.tmp	954e838e8f5b220253b75049646ecc1354a18fc1815d2631676a5b3b640ae04e.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\bin\x86\is-3LET2.tmp	954e838e8f5b220253b75049646ecc1354a18fc1815d2631676a5b3b640ae04e.tmp
File created	C:\Program Files (x86)\JSON Stdandart API\is-A47AV.tmp	954e838e8f5b220253b75049646ecc1354a18fc1815d2631676a5b3b640ae04e.tmp

Runs net.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4404	954e838e8f5b220253b75049646ecc1354a18fc1815d2631676a5b3b640ae04e.tmp

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 4404	2328	954e838e8f5b220253b75049646ecc1354a18fc1815d2631676a5b3b640ae04e.exe	88
PID 2328 wrote to memory of 4404	2328	954e838e8f5b220253b75049646ecc1354a18fc1815d2631676a5b3b640ae04e.exe	88
PID 2328 wrote to memory of 4404	2328	954e838e8f5b220253b75049646ecc1354a18fc1815d2631676a5b3b640ae04e.exe	88
PID 4404 wrote to memory of 628	4404	954e838e8f5b220253b75049646ecc1354a18fc1815d2631676a5b3b640ae04e.tmp	95
PID 4404 wrote to memory of 628	4404	954e838e8f5b220253b75049646ecc1354a18fc1815d2631676a5b3b640ae04e.tmp	95
PID 4404 wrote to memory of 628	4404	954e838e8f5b220253b75049646ecc1354a18fc1815d2631676a5b3b640ae04e.tmp	95
PID 4404 wrote to memory of 4344	4404	954e838e8f5b220253b75049646ecc1354a18fc1815d2631676a5b3b640ae04e.tmp	96
PID 4404 wrote to memory of 4344	4404	954e838e8f5b220253b75049646ecc1354a18fc1815d2631676a5b3b640ae04e.tmp	96
PID 4404 wrote to memory of 4344	4404	954e838e8f5b220253b75049646ecc1354a18fc1815d2631676a5b3b640ae04e.tmp	96
PID 628 wrote to memory of 4992	628	net.exe	98
PID 628 wrote to memory of 4992	628	net.exe	98
PID 628 wrote to memory of 4992	628	net.exe	98
PID 4404 wrote to memory of 1884	4404	954e838e8f5b220253b75049646ecc1354a18fc1815d2631676a5b3b640ae04e.tmp	99
PID 4404 wrote to memory of 1884	4404	954e838e8f5b220253b75049646ecc1354a18fc1815d2631676a5b3b640ae04e.tmp	99
PID 4404 wrote to memory of 1884	4404	954e838e8f5b220253b75049646ecc1354a18fc1815d2631676a5b3b640ae04e.tmp	99

C:\Users\Admin\AppData\Local\Temp\954e838e8f5b220253b75049646ecc1354a18fc1815d2631676a5b3b640ae04e.exe
"C:\Users\Admin\AppData\Local\Temp\954e838e8f5b220253b75049646ecc1354a18fc1815d2631676a5b3b640ae04e.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Users\Admin\AppData\Local\Temp\is-3Q08N.tmp\954e838e8f5b220253b75049646ecc1354a18fc1815d2631676a5b3b640ae04e.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-3Q08N.tmp\954e838e8f5b220253b75049646ecc1354a18fc1815d2631676a5b3b640ae04e.tmp" /SL5="$5021C,4659015,54272,C:\Users\Admin\AppData\Local\Temp\954e838e8f5b220253b75049646ecc1354a18fc1815d2631676a5b3b640ae04e.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4404
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" helpmsg 30
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:628
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 helpmsg 30
      4⤵
      PID:4992
- - C:\Program Files (x86)\JSON Stdandart API\jsonstdapi.exe
    "C:\Program Files (x86)\JSON Stdandart API\jsonstdapi.exe" -i
    3⤵
    - Executes dropped EXE
    PID:4344
- - C:\Program Files (x86)\JSON Stdandart API\jsonstdapi.exe
    "C:\Program Files (x86)\JSON Stdandart API\jsonstdapi.exe" -s
    3⤵
    - Executes dropped EXE
    PID:1884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\JSON Stdandart API\jsonstdapi.exe

Filesize
1.6MB

MD5
207925b387cc88991f5c587ab200dfb0

SHA1
709f13b73610d6a2b65c1a9f17bce06bc498c80a

SHA256
d33b6698ea36861fbb67538bdd083deb87b8a0f00944ae60a4415a13c1d179b2

SHA512
d52eb4f81705cfd01e92f493c941a614bc7bf1499338113f06de8832b38637ee4b7a40af59565b6b775ec656555a9ea9d4a3da13bf4af6057850e8dadcaa2bf0

Download Submit
C:\Program Files (x86)\JSON Stdandart API\jsonstdapi.exe

Filesize
385KB

MD5
9c8875f49c667c17a833e5e68632bae1

SHA1
e96fb099faf4b6cb07e3579fa92ebf4ac6fc45de

SHA256
15db13b3f1aea344c0e0e7264d96f1b0c9531cff029e71ebececdb6a40cf3e35

SHA512
6a50b47ec6f9fcd0641cc7315e013b3d4ad4cc909075368ef96daeb3da474ab3e776cc7930d8b5a7d5e032cbcf8656bcc7cf75c99dc8255028d477b22e1f72b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-3Q08N.tmp\954e838e8f5b220253b75049646ecc1354a18fc1815d2631676a5b3b640ae04e.tmp

Filesize
688KB

MD5
a7662827ecaeb4fc68334f6b8791b917

SHA1
f93151dd228d680aa2910280e51f0a84d0cad105

SHA256
05f159722d6905719d2d6f340981a293f40ab8a0d2d4a282c948066809d4af6d

SHA512
e9880b3f3ec9201e59114850e9c570d0ad6d3b0e04c60929a03cf983c62c505fcb6bb9dc3adeee88c78d43bd484159626b4a2f000a34b8883164c263f21e6f4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SG56V.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SG56V.tmp\_isetup\_isdecmp.dll

Filesize
19KB

MD5
3adaa386b671c2df3bae5b39dc093008

SHA1
067cf95fbdb922d81db58432c46930f86d23dded

SHA256
71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38

SHA512
bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303

Download Submit
memory/1884-159-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/1884-166-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/1884-179-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/1884-176-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/1884-173-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/1884-172-0x0000000000880000-0x0000000000922000-memory.dmp

Filesize
648KB

Download
memory/1884-170-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/1884-147-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/1884-161-0x0000000000880000-0x0000000000922000-memory.dmp

Filesize
648KB

Download
memory/1884-156-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/1884-153-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/1884-140-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/1884-150-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/1884-144-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/1884-146-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/2328-0-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2328-23-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2328-2-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/4344-137-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/4344-136-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/4344-133-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/4344-132-0x0000000000400000-0x0000000000591000-memory.dmp

Filesize
1.6MB

Download
memory/4404-142-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4404-7-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/4404-29-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/4404-28-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4404-24-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download