d20d772f1d4f55e999a7d9b353a532a0fe5dfa4c62377a3a8b1d442cf3f1a646

Analysis

max time kernel
94s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 00:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d20d772f1d4f55e999a7d9b353a532a0fe5dfa4c62377a3a8b1d442cf3f1a646.exe
Size

208KB
MD5

2536bb5dc8c4bf730e40f362c20b7a50
SHA1

9d8029f486d2fa9b84c20c430d6aa4dcea0b8b45
SHA256

d20d772f1d4f55e999a7d9b353a532a0fe5dfa4c62377a3a8b1d442cf3f1a646
SHA512

6233b0f0c8c22591b064766a7218e5ccb72dbde9d875f6bd2acf249bcf585c6fe23c49478cb2223604ee274bde97b7496a9b114a510e9f5b40e8e04ed02831d5
SSDEEP

3072:nVHgCc4xGvbwcU9KQ2BBAHmaPxiVoSb5Ev:OCc4xGxWKQ2BonxF

Score

10^/10

persistence

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.byethost12.com
Port:
21
Username:
b12_8082975
Password:
951753zx

Extracted

Credentials

Protocol: ftp
Host:
ftp.tripod.com
Port:
21
Username:
onthelinux
Password:
741852abc

Signatures

Executes dropped EXE 1 IoCs

Processes:

jusched.exe

pid process

3624 jusched.exe

pid	process
3624	jusched.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

d20d772f1d4f55e999a7d9b353a532a0fe5dfa4c62377a3a8b1d442cf3f1a646.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	d20d772f1d4f55e999a7d9b353a532a0fe5dfa4c62377a3a8b1d442cf3f1a646.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

d20d772f1d4f55e999a7d9b353a532a0fe5dfa4c62377a3a8b1d442cf3f1a646.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	d20d772f1d4f55e999a7d9b353a532a0fe5dfa4c62377a3a8b1d442cf3f1a646.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run	d20d772f1d4f55e999a7d9b353a532a0fe5dfa4c62377a3a8b1d442cf3f1a646.exe

Drops file in Program Files directory 2 IoCs

Processes:

d20d772f1d4f55e999a7d9b353a532a0fe5dfa4c62377a3a8b1d442cf3f1a646.exe

description	ioc	process
File created	C:\Program Files (x86)\83384a21\jusched.exe	d20d772f1d4f55e999a7d9b353a532a0fe5dfa4c62377a3a8b1d442cf3f1a646.exe
File created	C:\Program Files (x86)\83384a21\83384a21	d20d772f1d4f55e999a7d9b353a532a0fe5dfa4c62377a3a8b1d442cf3f1a646.exe

Drops file in Windows directory 1 IoCs

Processes:

d20d772f1d4f55e999a7d9b353a532a0fe5dfa4c62377a3a8b1d442cf3f1a646.exe

description ioc process

File created C:\Windows\Tasks\Update23.job d20d772f1d4f55e999a7d9b353a532a0fe5dfa4c62377a3a8b1d442cf3f1a646.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\Tasks\Update23.job	d20d772f1d4f55e999a7d9b353a532a0fe5dfa4c62377a3a8b1d442cf3f1a646.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

d20d772f1d4f55e999a7d9b353a532a0fe5dfa4c62377a3a8b1d442cf3f1a646.exe

description	pid	process	target process
PID 5032 wrote to memory of 3624	5032	d20d772f1d4f55e999a7d9b353a532a0fe5dfa4c62377a3a8b1d442cf3f1a646.exe	jusched.exe
PID 5032 wrote to memory of 3624	5032	d20d772f1d4f55e999a7d9b353a532a0fe5dfa4c62377a3a8b1d442cf3f1a646.exe	jusched.exe
PID 5032 wrote to memory of 3624	5032	d20d772f1d4f55e999a7d9b353a532a0fe5dfa4c62377a3a8b1d442cf3f1a646.exe	jusched.exe

C:\Users\Admin\AppData\Local\Temp\d20d772f1d4f55e999a7d9b353a532a0fe5dfa4c62377a3a8b1d442cf3f1a646.exe
"C:\Users\Admin\AppData\Local\Temp\d20d772f1d4f55e999a7d9b353a532a0fe5dfa4c62377a3a8b1d442cf3f1a646.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:5032

C:\Program Files (x86)\83384a21\jusched.exe
"C:\Program Files (x86)\83384a21\jusched.exe"
2⤵
- Executes dropped EXE
PID:3624

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\83384a21\83384a21

Filesize
17B

MD5
134c1d489094d6d3399f65b0e9aebc1f

SHA1
612a57fbe6ed3ab9c15b39451171d813314a28d5

SHA256
54f9150d1268f7b4b83dd9fc3ec32274bf749715a5806ff3ca5262f5427d6781

SHA512
b09bf60e4850d05261d81a124a647dd111f42480224eae8a3bd2f64736c38119953703f868ad34194a7ae6dad6aabff4081ba73df262bbe9f5327867c56a48ed

Download Submit
C:\Program Files (x86)\83384a21\jusched.exe

Filesize
208KB

MD5
2c8391deadb6a936c2179264ca5a31cd

SHA1
bea052c0708a721c3194847a49810d4739a89ba6

SHA256
9ad0a60e8bc60b771482140772524659bbfe99e80b2cfaf95a9b45fb33826386

SHA512
30dbffc6ee5fa7029076166a02abe0e6d5e8575f09dd54a1c4de0f28710d8ddbc74b2d5cf165ee3e262024ae13da9987ce7d32eec542d1f31c8a7b677b2cc5d7

Download Submit
C:\Program Files (x86)\83384a21\jusched.exe

Filesize
208KB

MD5
2c8391deadb6a936c2179264ca5a31cd

SHA1
bea052c0708a721c3194847a49810d4739a89ba6

SHA256
9ad0a60e8bc60b771482140772524659bbfe99e80b2cfaf95a9b45fb33826386

SHA512
30dbffc6ee5fa7029076166a02abe0e6d5e8575f09dd54a1c4de0f28710d8ddbc74b2d5cf165ee3e262024ae13da9987ce7d32eec542d1f31c8a7b677b2cc5d7

Download Submit
memory/3624-132-0x0000000000000000-mapping.dmp

Download