dd3b29ab78e3d0b307e6fa2a31d4adb29964036c0644989f04e2e91ab5532c3e

Analysis

max time kernel
181s
max time network
220s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19/10/2022, 20:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

dd3b29ab78e3d0b307e6fa2a31d4adb29964036c0644989f04e2e91ab5532c3e.exe
Size

196KB
MD5

a187b4d03187e6c7b25d1d4fe1a2dcf1
SHA1

878b51c0b29f8ebec7895532697ddb7fe598948d
SHA256

dd3b29ab78e3d0b307e6fa2a31d4adb29964036c0644989f04e2e91ab5532c3e
SHA512

d1d541d96f0fa7e95adad3b9108b988cc3a735416d72970f629364bc3bd821b02a85a7fc9952f3be133f87557cf907020867139f702e6f0c8b385b8961d3c9bc
SSDEEP

1536:7Xs9wrnUh4d7ygVpn0uv77P11gqu87UhofgmdBS:7XYw4+dGgLn0sP11gqEofgK8

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.alizametal.com.tr
Port:
21
Username:
alizametal.com.tr
Password:
hd611

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1112	jusched.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	dd3b29ab78e3d0b307e6fa2a31d4adb29964036c0644989f04e2e91ab5532c3e.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\17166bf\jusched.exe	dd3b29ab78e3d0b307e6fa2a31d4adb29964036c0644989f04e2e91ab5532c3e.exe
File created	C:\Program Files (x86)\17166bf\17166bf	dd3b29ab78e3d0b307e6fa2a31d4adb29964036c0644989f04e2e91ab5532c3e.exe
File created	C:\Program Files (x86)\17166bf\info_a	dd3b29ab78e3d0b307e6fa2a31d4adb29964036c0644989f04e2e91ab5532c3e.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Update23.job	dd3b29ab78e3d0b307e6fa2a31d4adb29964036c0644989f04e2e91ab5532c3e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2824 wrote to memory of 1112	2824	dd3b29ab78e3d0b307e6fa2a31d4adb29964036c0644989f04e2e91ab5532c3e.exe	81
PID 2824 wrote to memory of 1112	2824	dd3b29ab78e3d0b307e6fa2a31d4adb29964036c0644989f04e2e91ab5532c3e.exe	81
PID 2824 wrote to memory of 1112	2824	dd3b29ab78e3d0b307e6fa2a31d4adb29964036c0644989f04e2e91ab5532c3e.exe	81

C:\Users\Admin\AppData\Local\Temp\dd3b29ab78e3d0b307e6fa2a31d4adb29964036c0644989f04e2e91ab5532c3e.exe
"C:\Users\Admin\AppData\Local\Temp\dd3b29ab78e3d0b307e6fa2a31d4adb29964036c0644989f04e2e91ab5532c3e.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2824
- C:\Program Files (x86)\17166bf\jusched.exe
  "C:\Program Files (x86)\17166bf\jusched.exe"
  2⤵
  - Executes dropped EXE
  PID:1112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\17166bf\17166bf

Filesize
17B

MD5
6ff89798e0e63d75115c777af43a2cd9

SHA1
e8b994ccbbe64951afe91fc3dd377f88fe6c9ba8

SHA256
3b3947957c6e0abb19d91b256521bdb3826d88d9b7b53995e177a58cebf0d479

SHA512
46557f9bf6f5c5b3316891a9b623a7d11d8d8ff1973ca84cfbcf8d898746f2dbded7fee837c9a70c2e36f9b46a357fe2ba53585bf5307950d2fef6ee1dcb28a3

Download Submit
C:\Program Files (x86)\17166bf\info_a

Filesize
12B

MD5
7a3ce3123673f73d26fa24fbbcab1b29

SHA1
3886afd0c62bace83ad941ec938e634c35b8c0b6

SHA256
3aee03ab359dc2c989b4e9ff33f885e32d57760b1aaf51d4572a6fffab60ea5b

SHA512
2de024acf26be43b1f8e4bb0c3ec889f0d85a9b82cb33516f3120b60bcac24d095b9ffb2a4b3024e0af438408329302c3ed30d568358428d88e9de4d7478d56f

Download Submit
C:\Program Files (x86)\17166bf\jusched.exe

Filesize
196KB

MD5
8736c1e70287ee5bfa520e30a619b2d8

SHA1
698b6d5cdbba0adecd80ecf16195f55c3a119ad1

SHA256
bf96146e52892794ea0cbc2136d77f4c7999c9443434dc43c473ec10b3f72960

SHA512
54e570048c798aeef4cc158858c72589aef8b73bd092c6575486534aa2ecd0bc7185121c6394d12138c5820ade68dd2e7a736b0c3c73f56a5bb40b74e5aa9409

Download Submit
C:\Program Files (x86)\17166bf\jusched.exe

Filesize
196KB

MD5
8736c1e70287ee5bfa520e30a619b2d8

SHA1
698b6d5cdbba0adecd80ecf16195f55c3a119ad1

SHA256
bf96146e52892794ea0cbc2136d77f4c7999c9443434dc43c473ec10b3f72960

SHA512
54e570048c798aeef4cc158858c72589aef8b73bd092c6575486534aa2ecd0bc7185121c6394d12138c5820ade68dd2e7a736b0c3c73f56a5bb40b74e5aa9409

Download Submit