5f6c90b647dc8f4b3e19d2faf0034fc3466cb231826e8b5f81e4930876ecba73

Analysis

max time kernel
150s
max time network
178s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19/09/2022, 21:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f6c90b647dc8f4b3e19d2faf0034fc3466cb231826e8b5f81e4930876ecba73.exe
Size

196KB
MD5

5ef1986f3b4d9254d096ab1a5f9261fc
SHA1

72f586795fdc3523d31c82fe1dc6859d229b3a68
SHA256

5f6c90b647dc8f4b3e19d2faf0034fc3466cb231826e8b5f81e4930876ecba73
SHA512

8e4a36ea1f815dbd6fc103a0fc78c942107c5cc79a110d400e4cedb3af5aa058a8c5da7df22f6d16e9a1c260933e8f75267febd208ca15b46d0c3907fbb2af34
SSDEEP

1536:bXscdri741fT/dQVJnsuv77P1Vg6u8jxZofgyd8B:bXpdr1f5QrnssP1Vg6vofgWk

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.ueuo.com
Port:
21
Username:
googgle.ueuo.com
Password:
741852

Signatures

Executes dropped EXE 1 IoCs

pid	Process
956	jusched.exe

Loads dropped DLL 2 IoCs

pid	Process
1712	5f6c90b647dc8f4b3e19d2faf0034fc3466cb231826e8b5f81e4930876ecba73.exe
1712	5f6c90b647dc8f4b3e19d2faf0034fc3466cb231826e8b5f81e4930876ecba73.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\5914a891\jusched.exe	5f6c90b647dc8f4b3e19d2faf0034fc3466cb231826e8b5f81e4930876ecba73.exe
File created	C:\Program Files (x86)\5914a891\5914a891	5f6c90b647dc8f4b3e19d2faf0034fc3466cb231826e8b5f81e4930876ecba73.exe
File created	C:\Program Files (x86)\5914a891\info_a	5f6c90b647dc8f4b3e19d2faf0034fc3466cb231826e8b5f81e4930876ecba73.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Update23.job	5f6c90b647dc8f4b3e19d2faf0034fc3466cb231826e8b5f81e4930876ecba73.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1712 wrote to memory of 956	1712	5f6c90b647dc8f4b3e19d2faf0034fc3466cb231826e8b5f81e4930876ecba73.exe	27
PID 1712 wrote to memory of 956	1712	5f6c90b647dc8f4b3e19d2faf0034fc3466cb231826e8b5f81e4930876ecba73.exe	27
PID 1712 wrote to memory of 956	1712	5f6c90b647dc8f4b3e19d2faf0034fc3466cb231826e8b5f81e4930876ecba73.exe	27
PID 1712 wrote to memory of 956	1712	5f6c90b647dc8f4b3e19d2faf0034fc3466cb231826e8b5f81e4930876ecba73.exe	27

C:\Users\Admin\AppData\Local\Temp\5f6c90b647dc8f4b3e19d2faf0034fc3466cb231826e8b5f81e4930876ecba73.exe
"C:\Users\Admin\AppData\Local\Temp\5f6c90b647dc8f4b3e19d2faf0034fc3466cb231826e8b5f81e4930876ecba73.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1712
- C:\Program Files (x86)\5914a891\jusched.exe
  "C:\Program Files (x86)\5914a891\jusched.exe"
  2⤵
  - Executes dropped EXE
  PID:956

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\5914a891\5914a891

Filesize
17B

MD5
bc13ad0f8d1727f36fde832e28bf44bb

SHA1
258533f23fa6fce5055b1247b9b4cbc8d13233cf

SHA256
aeccd3a7dee3061696d55f53b027aa15e4e8f3d66b970dc353d0532fee21aef6

SHA512
0389aff4333a77fde96a5439f414b9c71e7cd94948d591debf8e53199f5e1683d016803ba292b1382d288239b8df1ac4cfa81ab95899160a2f5a7ffd77553f3f

Download Submit
C:\Program Files (x86)\5914a891\info_a

Filesize
12B

MD5
225a5d1d7170d219e678737d139da6c2

SHA1
b6c8df22449d71e5cbadc289e8dbd8e4aed29e2c

SHA256
3d5a479f54e91c8907f68642685da30f62234044bc3f6049f9a2cebfa58f1415

SHA512
96cc21e3320b1ff5d262b1bbe26112a88a648a6c9051915e27ae68d9266845d20492f7b1beaa0c7956e3a6a42ae9b7ae393ce0f2793a80034b0b6a893c2fc1d0

Download Submit
C:\Program Files (x86)\5914a891\jusched.exe

Filesize
196KB

MD5
91eb498aeb0cdac18ae1880cf260843f

SHA1
9ba03b8921a96889069703a10979687a69cf699a

SHA256
dd44eea73ce3eaf16d8003de6464980ed49c87136e690b59e6af10e0273789d8

SHA512
eb365aa83da876aa175b6cac7d8d03a778e626b90968b07dfcf91bf3d8afa634cd46a8c03cee8a16ea59937039a9b3f2b508d22762e8a67a89fa66df7066265e

Download Submit
\Program Files (x86)\5914a891\jusched.exe

Filesize
196KB

MD5
91eb498aeb0cdac18ae1880cf260843f

SHA1
9ba03b8921a96889069703a10979687a69cf699a

SHA256
dd44eea73ce3eaf16d8003de6464980ed49c87136e690b59e6af10e0273789d8

SHA512
eb365aa83da876aa175b6cac7d8d03a778e626b90968b07dfcf91bf3d8afa634cd46a8c03cee8a16ea59937039a9b3f2b508d22762e8a67a89fa66df7066265e

Download Submit
\Program Files (x86)\5914a891\jusched.exe

Filesize
196KB

MD5
91eb498aeb0cdac18ae1880cf260843f

SHA1
9ba03b8921a96889069703a10979687a69cf699a

SHA256
dd44eea73ce3eaf16d8003de6464980ed49c87136e690b59e6af10e0273789d8

SHA512
eb365aa83da876aa175b6cac7d8d03a778e626b90968b07dfcf91bf3d8afa634cd46a8c03cee8a16ea59937039a9b3f2b508d22762e8a67a89fa66df7066265e

Download Submit
memory/1712-54-0x0000000075771000-0x0000000075773000-memory.dmp

Filesize
8KB

Download