45a7b861baac5f8234433fefd9dbdd0a5f288a18b72346b6b6917cf56882bf85

Analysis

max time kernel
135s
max time network
136s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
21-09-2024 21:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66e705d09b33c_jack.exe
Size

4.1MB
MD5

abdbcc23bd8f767e671bac6d2ff60335
SHA1

18ca867c0502b353e9aad63553efd4eb4e25723f
SHA256

45a7b861baac5f8234433fefd9dbdd0a5f288a18b72346b6b6917cf56882bf85
SHA512

67c00713e6d24d192c0f8e3e49fa146418faf72b2bb42c276ad560f08e39c68f4ab446c47c7e7710778aee9ca1f193ad65e061645b6bcec414844165b5e16bc7
SSDEEP

49152:HYcdjDQdrscIC5SmTT+mfkj8J6iKG7suEAeMDsaUmxb7WnpRGnKuAsF33PKQTunw:HK/f+mfNptIZ/alxGR7uA8Phanzuhjf

Score

7^/10

discovery persistence

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNNT.lnk	66e705d09b33c_jack.exe

Executes dropped EXE 2 IoCs

pid	Process
3104	66e705d09b33c_jack.exe
3896	66e705d09b33c_jack.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\ExtreamFanV6 = "C:\\Users\\Admin\\AppData\\Local\\ExtreamFanV6\\ExtreamFanV6.exe"	66e705d09b33c_jack.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1008 set thread context of 4964	1008	66e705d09b33c_jack.exe	74
PID 3104 set thread context of 3896	3104	66e705d09b33c_jack.exe	82

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66e705d09b33c_jack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66e705d09b33c_jack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66e705d09b33c_jack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66e705d09b33c_jack.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
776	schtasks.exe
4232	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1008	66e705d09b33c_jack.exe
1008	66e705d09b33c_jack.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4964	66e705d09b33c_jack.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1008	66e705d09b33c_jack.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1008 wrote to memory of 2112	1008	66e705d09b33c_jack.exe	73
PID 1008 wrote to memory of 2112	1008	66e705d09b33c_jack.exe	73
PID 1008 wrote to memory of 2112	1008	66e705d09b33c_jack.exe	73
PID 1008 wrote to memory of 4964	1008	66e705d09b33c_jack.exe	74
PID 1008 wrote to memory of 4964	1008	66e705d09b33c_jack.exe	74
PID 1008 wrote to memory of 4964	1008	66e705d09b33c_jack.exe	74
PID 1008 wrote to memory of 4964	1008	66e705d09b33c_jack.exe	74
PID 1008 wrote to memory of 4964	1008	66e705d09b33c_jack.exe	74
PID 1008 wrote to memory of 4964	1008	66e705d09b33c_jack.exe	74
PID 1008 wrote to memory of 4964	1008	66e705d09b33c_jack.exe	74
PID 1008 wrote to memory of 4964	1008	66e705d09b33c_jack.exe	74
PID 1008 wrote to memory of 4964	1008	66e705d09b33c_jack.exe	74
PID 1008 wrote to memory of 4964	1008	66e705d09b33c_jack.exe	74
PID 4964 wrote to memory of 776	4964	66e705d09b33c_jack.exe	75
PID 4964 wrote to memory of 776	4964	66e705d09b33c_jack.exe	75
PID 4964 wrote to memory of 776	4964	66e705d09b33c_jack.exe	75
PID 4964 wrote to memory of 4232	4964	66e705d09b33c_jack.exe	77
PID 4964 wrote to memory of 4232	4964	66e705d09b33c_jack.exe	77
PID 4964 wrote to memory of 4232	4964	66e705d09b33c_jack.exe	77
PID 4964 wrote to memory of 3104	4964	66e705d09b33c_jack.exe	79
PID 4964 wrote to memory of 3104	4964	66e705d09b33c_jack.exe	79
PID 4964 wrote to memory of 3104	4964	66e705d09b33c_jack.exe	79
PID 3104 wrote to memory of 3896	3104	66e705d09b33c_jack.exe	82
PID 3104 wrote to memory of 3896	3104	66e705d09b33c_jack.exe	82
PID 3104 wrote to memory of 3896	3104	66e705d09b33c_jack.exe	82
PID 3104 wrote to memory of 3896	3104	66e705d09b33c_jack.exe	82
PID 3104 wrote to memory of 3896	3104	66e705d09b33c_jack.exe	82
PID 3104 wrote to memory of 3896	3104	66e705d09b33c_jack.exe	82
PID 3104 wrote to memory of 3896	3104	66e705d09b33c_jack.exe	82
PID 3104 wrote to memory of 3896	3104	66e705d09b33c_jack.exe	82
PID 3104 wrote to memory of 3896	3104	66e705d09b33c_jack.exe	82
PID 3104 wrote to memory of 3896	3104	66e705d09b33c_jack.exe	82

C:\Users\Admin\AppData\Local\Temp\66e705d09b33c_jack.exe
"C:\Users\Admin\AppData\Local\Temp\66e705d09b33c_jack.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1008
- C:\Users\Admin\AppData\Local\Temp\66e705d09b33c_jack.exe
  "C:\Users\Admin\AppData\Local\Temp\66e705d09b33c_jack.exe"
  2⤵
  PID:2112
- C:\Users\Admin\AppData\Local\Temp\66e705d09b33c_jack.exe
  "C:\Users\Admin\AppData\Local\Temp\66e705d09b33c_jack.exe"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:4964
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf HR" /sc HOURLY /rl HIGHEST
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:776
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf LG" /sc ONLOGON /rl HIGHEST
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4232
- - C:\Users\Admin\AppData\Local\Temp\66e705d09b33c_jack.exe
    "C:\Users\Admin\AppData\Local\Temp\66e705d09b33c_jack.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3104
  - - C:\Users\Admin\AppData\Local\Temp\66e705d09b33c_jack.exe
      "C:\Users\Admin\AppData\Local\Temp\66e705d09b33c_jack.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\jewkkwnf\jewkkwnf.exe

Filesize
4.1MB

MD5
abdbcc23bd8f767e671bac6d2ff60335

SHA1
18ca867c0502b353e9aad63553efd4eb4e25723f

SHA256
45a7b861baac5f8234433fefd9dbdd0a5f288a18b72346b6b6917cf56882bf85

SHA512
67c00713e6d24d192c0f8e3e49fa146418faf72b2bb42c276ad560f08e39c68f4ab446c47c7e7710778aee9ca1f193ad65e061645b6bcec414844165b5e16bc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\66e705d09b33c_jack.exe.log

Filesize
617B

MD5
21d11e397ef7f2f1f178bc264ea39177

SHA1
5de91b5b224f895f30f696616166244e6a462a3c

SHA256
7f1df88e4c6399bad18faef35b6333ccec5f96320d65231f387d8334a0e90dfe

SHA512
51fcd9cedc956a8a17e94f621159fcc0ae5eaf99d13dd8d517a976e8730c9fe5c37d43e35c092e2aac986bab35f68ad86eeddf9881732a032e5969b0e7d3816a

Download Submit
C:\Users\Admin\AppData\Local\Temp\66e705d09b33c_jack.exe

Filesize
1.0MB

MD5
8c8af20bf6536903c1d042cebede6475

SHA1
8ef42abc3ad478f6d8c17691fe4cc1975ca43684

SHA256
b15bdb0a4d7f265cf4ed7c46668f4ca247347ca2ce4a7689cb8dbb25863f294a

SHA512
8f68e5302d07fb74dde0e42e0d370e1cb7c1d6b0372633fcfaab95cd1d12f9786c4e44e71b3cc98eeeb60ea10f54497773c3b4aa58afa5297fad93a3f11097e0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNNT.lnk

Filesize
1KB

MD5
a87ae395a62dd98acbbcdcddbbef19ee

SHA1
d78410ef2dc8cd022b5aabbe411bd9a0e08deca7

SHA256
e93030988341a5633d6b55a8236c71584418b60c68d1a00011b9227c82592449

SHA512
a4dbcb0382e86ab8b1ad34ace137aed14ef64207b8e69b2a89f1b71767892d96c4efcb20240eaa24ad062250fd97e8e3078e4642531f9f78782ab26c46cc3085

Download Submit
memory/1008-3-0x0000000073350000-0x0000000073A3E000-memory.dmp

Filesize
6.9MB

Download
memory/1008-5-0x0000000073350000-0x0000000073A3E000-memory.dmp

Filesize
6.9MB

Download
memory/1008-6-0x0000000005C80000-0x0000000005DFC000-memory.dmp

Filesize
1.5MB

Download
memory/1008-7-0x0000000006300000-0x00000000067FE000-memory.dmp

Filesize
5.0MB

Download
memory/1008-8-0x0000000005850000-0x0000000005872000-memory.dmp

Filesize
136KB

Download
memory/1008-4-0x000000007335E000-0x000000007335F000-memory.dmp

Filesize
4KB

Download
memory/1008-0-0x000000007335E000-0x000000007335F000-memory.dmp

Filesize
4KB

Download
memory/1008-2-0x0000000005870000-0x000000000590C000-memory.dmp

Filesize
624KB

Download
memory/1008-1-0x0000000000B30000-0x0000000000F44000-memory.dmp

Filesize
4.1MB

Download
memory/1008-14-0x0000000073350000-0x0000000073A3E000-memory.dmp

Filesize
6.9MB

Download
memory/3104-39-0x0000000000310000-0x000000000041C000-memory.dmp

Filesize
1.0MB

Download
memory/3104-40-0x0000000004FA0000-0x0000000005082000-memory.dmp

Filesize
904KB

Download
memory/3104-41-0x0000000005080000-0x00000000050A2000-memory.dmp

Filesize
136KB

Download
memory/3896-44-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3896-45-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4964-15-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4964-36-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4964-11-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4964-12-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4964-9-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download