8232f0378be169cea3d5f33e04bcbf2ae12d884277a3b24cedb8992c31c638e3

Analysis

max time kernel
192s
max time network
216s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2022, 02:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8232f0378be169cea3d5f33e04bcbf2ae12d884277a3b24cedb8992c31c638e3.exe
Size

35KB
MD5

43d830f62f9ec58490f8f3fac237c053
SHA1

3fb0f1f2796d2c3e33f21c8a89d153da53bf0d72
SHA256

8232f0378be169cea3d5f33e04bcbf2ae12d884277a3b24cedb8992c31c638e3
SHA512

0c044b13a5c1aa45208bf547dfcdac9d73b688d480034ffc16814b65efd2d350dc857c24e9f8888a173ac8b97712a0a0f76de21628440ac37a04d00d06b549d5
SSDEEP

768:cflivXrVKpVhKvtxwYHwVFoeAQqmucwUvnih:ylqrVKprVuQqOn4

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.tripod.com
Port:
21
Username:
onthelinux
Password:
741852abc

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4032	jusched.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	8232f0378be169cea3d5f33e04bcbf2ae12d884277a3b24cedb8992c31c638e3.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\40a19e58\40a19e58	8232f0378be169cea3d5f33e04bcbf2ae12d884277a3b24cedb8992c31c638e3.exe
File created	C:\Program Files (x86)\40a19e58\jusched.exe	8232f0378be169cea3d5f33e04bcbf2ae12d884277a3b24cedb8992c31c638e3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4032	jusched.exe
4032	jusched.exe
4032	jusched.exe
4032	jusched.exe
4032	jusched.exe
4032	jusched.exe
4032	jusched.exe
4032	jusched.exe
4032	jusched.exe
4032	jusched.exe
4032	jusched.exe
4032	jusched.exe
4032	jusched.exe
4032	jusched.exe
4032	jusched.exe
4032	jusched.exe
4032	jusched.exe
4032	jusched.exe
4032	jusched.exe
4032	jusched.exe
4032	jusched.exe
4032	jusched.exe
4032	jusched.exe
4032	jusched.exe
4032	jusched.exe
4032	jusched.exe
4032	jusched.exe
4032	jusched.exe
4032	jusched.exe
4032	jusched.exe
4032	jusched.exe
4032	jusched.exe
4032	jusched.exe
4032	jusched.exe
4032	jusched.exe
4032	jusched.exe
4032	jusched.exe
4032	jusched.exe
4032	jusched.exe
4032	jusched.exe
4032	jusched.exe
4032	jusched.exe
4032	jusched.exe
4032	jusched.exe
4032	jusched.exe
4032	jusched.exe
4032	jusched.exe
4032	jusched.exe
4032	jusched.exe
4032	jusched.exe
4032	jusched.exe
4032	jusched.exe
4032	jusched.exe
4032	jusched.exe
4032	jusched.exe
4032	jusched.exe
4032	jusched.exe
4032	jusched.exe
4032	jusched.exe
4032	jusched.exe
4032	jusched.exe
4032	jusched.exe
4032	jusched.exe
4032	jusched.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4060 wrote to memory of 4032	4060	8232f0378be169cea3d5f33e04bcbf2ae12d884277a3b24cedb8992c31c638e3.exe	86
PID 4060 wrote to memory of 4032	4060	8232f0378be169cea3d5f33e04bcbf2ae12d884277a3b24cedb8992c31c638e3.exe	86
PID 4060 wrote to memory of 4032	4060	8232f0378be169cea3d5f33e04bcbf2ae12d884277a3b24cedb8992c31c638e3.exe	86

C:\Users\Admin\AppData\Local\Temp\8232f0378be169cea3d5f33e04bcbf2ae12d884277a3b24cedb8992c31c638e3.exe
"C:\Users\Admin\AppData\Local\Temp\8232f0378be169cea3d5f33e04bcbf2ae12d884277a3b24cedb8992c31c638e3.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4060
- C:\Program Files (x86)\40a19e58\jusched.exe
  "C:\Program Files (x86)\40a19e58\jusched.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:4032

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\40a19e58\40a19e58

Filesize
13B

MD5
f253efe302d32ab264a76e0ce65be769

SHA1
768685ca582abd0af2fbb57ca37752aa98c9372b

SHA256
49dca65f362fee401292ed7ada96f96295eab1e589c52e4e66bf4aedda715fdd

SHA512
1990d20b462406bbadb22ba43f1ed9d0db6b250881d4ac89ad8cf6e43ca92b2fd31c3a15be1e6e149e42fdb46e58122c15bc7869a82c9490656c80df69fa77c4

Download Submit
C:\Program Files (x86)\40a19e58\jusched.exe

Filesize
36KB

MD5
2eba5589d5a7660e2960bde9d2224621

SHA1
e6f1887de9e39056f10a278884a19697ab8f95f5

SHA256
43e5e20eda6024ede460fe68553acc4a8b046a35e0594250d0b5af97e4484f2e

SHA512
e9f8b5c298af03a8d9e0fe7cfbd15a9094fe25d039335ae05b435d95de16d538ebf0d94a0c4aa5374d25a3fb67e4d6e3e138a9aeea9e929d3a9366c3fb3030cf

Download Submit
C:\Program Files (x86)\40a19e58\jusched.exe

Filesize
36KB

MD5
2eba5589d5a7660e2960bde9d2224621

SHA1
e6f1887de9e39056f10a278884a19697ab8f95f5

SHA256
43e5e20eda6024ede460fe68553acc4a8b046a35e0594250d0b5af97e4484f2e

SHA512
e9f8b5c298af03a8d9e0fe7cfbd15a9094fe25d039335ae05b435d95de16d538ebf0d94a0c4aa5374d25a3fb67e4d6e3e138a9aeea9e929d3a9366c3fb3030cf

Download Submit