45a7b861baac5f8234433fefd9dbdd0a5f288a18b72346b6b6917cf56882bf85

Analysis

max time kernel
91s
max time network
95s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
21/09/2024, 21:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66e705d09b33c_jack.exe
Size

4.1MB
MD5

abdbcc23bd8f767e671bac6d2ff60335
SHA1

18ca867c0502b353e9aad63553efd4eb4e25723f
SHA256

45a7b861baac5f8234433fefd9dbdd0a5f288a18b72346b6b6917cf56882bf85
SHA512

67c00713e6d24d192c0f8e3e49fa146418faf72b2bb42c276ad560f08e39c68f4ab446c47c7e7710778aee9ca1f193ad65e061645b6bcec414844165b5e16bc7
SSDEEP

49152:HYcdjDQdrscIC5SmTT+mfkj8J6iKG7suEAeMDsaUmxb7WnpRGnKuAsF33PKQTunw:HK/f+mfNptIZ/alxGR7uA8Phanzuhjf

Score

7^/10

discovery persistence

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNNT.lnk	66e705d09b33c_jack.exe

Executes dropped EXE 3 IoCs

pid	Process
1148	66e705d09b33c_jack.exe
3900	66e705d09b33c_jack.exe
4520	66e705d09b33c_jack.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3761892313-3378554128-2287991803-1000\Software\Microsoft\Windows\CurrentVersion\Run\ExtreamFanV6 = "C:\\Users\\Admin\\AppData\\Local\\ExtreamFanV6\\ExtreamFanV6.exe"	66e705d09b33c_jack.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 784 set thread context of 3168	784	66e705d09b33c_jack.exe	79
PID 1148 set thread context of 4520	1148	66e705d09b33c_jack.exe	86

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66e705d09b33c_jack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66e705d09b33c_jack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66e705d09b33c_jack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66e705d09b33c_jack.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3184	schtasks.exe
4632	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1148	66e705d09b33c_jack.exe
1148	66e705d09b33c_jack.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3168	66e705d09b33c_jack.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	784	66e705d09b33c_jack.exe
Token: SeDebugPrivilege	1148	66e705d09b33c_jack.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 784 wrote to memory of 3168	784	66e705d09b33c_jack.exe	79
PID 784 wrote to memory of 3168	784	66e705d09b33c_jack.exe	79
PID 784 wrote to memory of 3168	784	66e705d09b33c_jack.exe	79
PID 784 wrote to memory of 3168	784	66e705d09b33c_jack.exe	79
PID 784 wrote to memory of 3168	784	66e705d09b33c_jack.exe	79
PID 784 wrote to memory of 3168	784	66e705d09b33c_jack.exe	79
PID 784 wrote to memory of 3168	784	66e705d09b33c_jack.exe	79
PID 784 wrote to memory of 3168	784	66e705d09b33c_jack.exe	79
PID 784 wrote to memory of 3168	784	66e705d09b33c_jack.exe	79
PID 784 wrote to memory of 3168	784	66e705d09b33c_jack.exe	79
PID 3168 wrote to memory of 3184	3168	66e705d09b33c_jack.exe	80
PID 3168 wrote to memory of 3184	3168	66e705d09b33c_jack.exe	80
PID 3168 wrote to memory of 3184	3168	66e705d09b33c_jack.exe	80
PID 3168 wrote to memory of 4632	3168	66e705d09b33c_jack.exe	82
PID 3168 wrote to memory of 4632	3168	66e705d09b33c_jack.exe	82
PID 3168 wrote to memory of 4632	3168	66e705d09b33c_jack.exe	82
PID 3168 wrote to memory of 1148	3168	66e705d09b33c_jack.exe	84
PID 3168 wrote to memory of 1148	3168	66e705d09b33c_jack.exe	84
PID 3168 wrote to memory of 1148	3168	66e705d09b33c_jack.exe	84
PID 1148 wrote to memory of 3900	1148	66e705d09b33c_jack.exe	85
PID 1148 wrote to memory of 3900	1148	66e705d09b33c_jack.exe	85
PID 1148 wrote to memory of 3900	1148	66e705d09b33c_jack.exe	85
PID 1148 wrote to memory of 4520	1148	66e705d09b33c_jack.exe	86
PID 1148 wrote to memory of 4520	1148	66e705d09b33c_jack.exe	86
PID 1148 wrote to memory of 4520	1148	66e705d09b33c_jack.exe	86
PID 1148 wrote to memory of 4520	1148	66e705d09b33c_jack.exe	86
PID 1148 wrote to memory of 4520	1148	66e705d09b33c_jack.exe	86
PID 1148 wrote to memory of 4520	1148	66e705d09b33c_jack.exe	86
PID 1148 wrote to memory of 4520	1148	66e705d09b33c_jack.exe	86
PID 1148 wrote to memory of 4520	1148	66e705d09b33c_jack.exe	86
PID 1148 wrote to memory of 4520	1148	66e705d09b33c_jack.exe	86
PID 1148 wrote to memory of 4520	1148	66e705d09b33c_jack.exe	86

C:\Users\Admin\AppData\Local\Temp\66e705d09b33c_jack.exe
"C:\Users\Admin\AppData\Local\Temp\66e705d09b33c_jack.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:784
- C:\Users\Admin\AppData\Local\Temp\66e705d09b33c_jack.exe
  "C:\Users\Admin\AppData\Local\Temp\66e705d09b33c_jack.exe"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of WriteProcessMemory
  PID:3168
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf HR" /sc HOURLY /rl HIGHEST
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3184
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /RU "Admin" /tr "C:\ProgramData\jewkkwnf\jewkkwnf.exe" /tn "jewkkwnf LG" /sc ONLOGON /rl HIGHEST
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4632
- - C:\Users\Admin\AppData\Local\Temp\66e705d09b33c_jack.exe
    "C:\Users\Admin\AppData\Local\Temp\66e705d09b33c_jack.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1148
  - - C:\Users\Admin\AppData\Local\Temp\66e705d09b33c_jack.exe
      "C:\Users\Admin\AppData\Local\Temp\66e705d09b33c_jack.exe"
      4⤵
      Executes dropped EXE
      PID:3900
  - - C:\Users\Admin\AppData\Local\Temp\66e705d09b33c_jack.exe
      "C:\Users\Admin\AppData\Local\Temp\66e705d09b33c_jack.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\jewkkwnf\jewkkwnf.exe

Filesize
4.1MB

MD5
abdbcc23bd8f767e671bac6d2ff60335

SHA1
18ca867c0502b353e9aad63553efd4eb4e25723f

SHA256
45a7b861baac5f8234433fefd9dbdd0a5f288a18b72346b6b6917cf56882bf85

SHA512
67c00713e6d24d192c0f8e3e49fa146418faf72b2bb42c276ad560f08e39c68f4ab446c47c7e7710778aee9ca1f193ad65e061645b6bcec414844165b5e16bc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\66e705d09b33c_jack.exe.log

Filesize
617B

MD5
c66cf802a892edafbc83ff0079efbd11

SHA1
872238b3ee0a9386a9fd634efd6e09668984fa6b

SHA256
4ab646f8bf5623ebac140b0b649eae85c7e864866013151d56ce996d96d64153

SHA512
e44b332728209d34691db8618acceacdc3366769abd8f96370e9de4e684e062e426591f9ff1dc086203db2bd0a812aff1038211638899e8b078b0819badd0708

Download Submit
C:\Users\Admin\AppData\Local\Temp\66e705d09b33c_jack.exe

Filesize
1.0MB

MD5
8c8af20bf6536903c1d042cebede6475

SHA1
8ef42abc3ad478f6d8c17691fe4cc1975ca43684

SHA256
b15bdb0a4d7f265cf4ed7c46668f4ca247347ca2ce4a7689cb8dbb25863f294a

SHA512
8f68e5302d07fb74dde0e42e0d370e1cb7c1d6b0372633fcfaab95cd1d12f9786c4e44e71b3cc98eeeb60ea10f54497773c3b4aa58afa5297fad93a3f11097e0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNNT.lnk

Filesize
1KB

MD5
6da5ed85c5a209798c4858eb1f5d6f33

SHA1
9e74b41a8914df9fbd4bf45224b4dafa58da69a8

SHA256
47b904e2a84e28c938bbb8554ba7e9ff377a0017d5c3d5917bf2fd41b10ab82d

SHA512
ca4c3b2015c3fb8db459cda09250d502cdf392480f0820c39929833f190553fc84a997c30d1071c1a14ad28cbe4d426356b6c60d9a56ccac6c13b1f16e1ea7c4

Download Submit
memory/784-3-0x0000000075250000-0x0000000075A01000-memory.dmp

Filesize
7.7MB

Download
memory/784-5-0x0000000075250000-0x0000000075A01000-memory.dmp

Filesize
7.7MB

Download
memory/784-6-0x00000000054D0000-0x000000000564C000-memory.dmp

Filesize
1.5MB

Download
memory/784-7-0x0000000005C00000-0x00000000061A6000-memory.dmp

Filesize
5.6MB

Download
memory/784-8-0x0000000005280000-0x00000000052A2000-memory.dmp

Filesize
136KB

Download
memory/784-4-0x000000007525E000-0x000000007525F000-memory.dmp

Filesize
4KB

Download
memory/784-0-0x000000007525E000-0x000000007525F000-memory.dmp

Filesize
4KB

Download
memory/784-2-0x0000000004FD0000-0x000000000506C000-memory.dmp

Filesize
624KB

Download
memory/784-1-0x00000000000E0000-0x00000000004F4000-memory.dmp

Filesize
4.1MB

Download
memory/784-14-0x0000000075250000-0x0000000075A01000-memory.dmp

Filesize
7.7MB

Download
memory/1148-42-0x0000000000300000-0x000000000040C000-memory.dmp

Filesize
1.0MB

Download
memory/1148-40-0x000000007541E000-0x000000007541F000-memory.dmp

Filesize
4KB

Download
memory/1148-43-0x000000007541E000-0x000000007541F000-memory.dmp

Filesize
4KB

Download
memory/1148-44-0x0000000005000000-0x00000000050E2000-memory.dmp

Filesize
904KB

Download
memory/1148-45-0x00000000027E0000-0x0000000002802000-memory.dmp

Filesize
136KB

Download
memory/3168-13-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3168-12-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3168-10-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3168-38-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3168-9-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4520-50-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4520-49-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download