81cc3ee1ea3ed2d2a26e687f849715e4287fdc90b0986744b49bcb8f8444fc45

General

Target

81cc3ee1ea3ed2d2a26e687f849715e4287fdc90b0986744b49bcb8f8444fc45.exe
Size

208KB
MD5

4643da36f40db3c5fdafcc54439e6b33
SHA1

7dc18463174d2c1178dce1ce32966c93646e54a1
SHA256

81cc3ee1ea3ed2d2a26e687f849715e4287fdc90b0986744b49bcb8f8444fc45
SHA512

1c667c770455663f9003be8a100b0ebb3348292526325db9780d556a56f4716e4116e46f1294122a84659decaa881fc411efec674ac7fa574f1553781781c4d3
SSDEEP

1536:VNSXbc74YTOnlNSUL09atT0mBBA7aKSvIYFwAUtdvo6QO5:VEo75OnPSI09qgmBBAGKSvwhvo69

Score

10^/10

persistence

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.tripod.com
Port:
21
Username:
onthelinux
Password:
741852abc

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1716	jusched.exe

Loads dropped DLL 2 IoCs

pid	Process
1880	81cc3ee1ea3ed2d2a26e687f849715e4287fdc90b0986744b49bcb8f8444fc45.exe
1880	81cc3ee1ea3ed2d2a26e687f849715e4287fdc90b0986744b49bcb8f8444fc45.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	81cc3ee1ea3ed2d2a26e687f849715e4287fdc90b0986744b49bcb8f8444fc45.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run	81cc3ee1ea3ed2d2a26e687f849715e4287fdc90b0986744b49bcb8f8444fc45.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\17a8bfc\jusched.exe	81cc3ee1ea3ed2d2a26e687f849715e4287fdc90b0986744b49bcb8f8444fc45.exe
File created	C:\Program Files (x86)\17a8bfc\17a8bfc	81cc3ee1ea3ed2d2a26e687f849715e4287fdc90b0986744b49bcb8f8444fc45.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Update23.job	81cc3ee1ea3ed2d2a26e687f849715e4287fdc90b0986744b49bcb8f8444fc45.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1880 wrote to memory of 1716	1880	81cc3ee1ea3ed2d2a26e687f849715e4287fdc90b0986744b49bcb8f8444fc45.exe	27
PID 1880 wrote to memory of 1716	1880	81cc3ee1ea3ed2d2a26e687f849715e4287fdc90b0986744b49bcb8f8444fc45.exe	27
PID 1880 wrote to memory of 1716	1880	81cc3ee1ea3ed2d2a26e687f849715e4287fdc90b0986744b49bcb8f8444fc45.exe	27
PID 1880 wrote to memory of 1716	1880	81cc3ee1ea3ed2d2a26e687f849715e4287fdc90b0986744b49bcb8f8444fc45.exe	27

C:\Users\Admin\AppData\Local\Temp\81cc3ee1ea3ed2d2a26e687f849715e4287fdc90b0986744b49bcb8f8444fc45.exe
"C:\Users\Admin\AppData\Local\Temp\81cc3ee1ea3ed2d2a26e687f849715e4287fdc90b0986744b49bcb8f8444fc45.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1880
- C:\Program Files (x86)\17a8bfc\jusched.exe
  "C:\Program Files (x86)\17a8bfc\jusched.exe"
  2⤵
  - Executes dropped EXE
  PID:1716

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\17a8bfc\17a8bfc

Filesize
17B

MD5
3330ebaaa7e9f4630f4ad4c156be59d8

SHA1
40375cf8e68671e0100e725de5cd5c6657b9f722

SHA256
2c8451d5dca9e68ec3af7f318c5d874fbdfea9e89e7b5f9922b4dbd65f027e15

SHA512
b7631f9685bac9f81aa6bf53afd839910773e108989bbb79ba39cafabbe6b6994ed2fde44911c9f7f24b45c9745d6e80cd9f01975bfb765561df4881f7dad696

Download Submit
C:\Program Files (x86)\17a8bfc\jusched.exe

Filesize
208KB

MD5
8d0358dc94c242121e3054b4f188dab9

SHA1
ea47c246a22978aba97ac25e1c7f83c660f7e3b1

SHA256
e031dd8bd6ce5c3b996495030b7468b46a4257b97242d72cd801fbefff463e8f

SHA512
45a983ea0c981017566dcfe3389efb380d604680edc0bcaa9bbb192c05717359f4e78571bb60ff3d6bdc14f2b46e6b2b01565366a65d79339a88b0a7edc07730

Download Submit
\Program Files (x86)\17a8bfc\jusched.exe

Filesize
208KB

MD5
8d0358dc94c242121e3054b4f188dab9

SHA1
ea47c246a22978aba97ac25e1c7f83c660f7e3b1

SHA256
e031dd8bd6ce5c3b996495030b7468b46a4257b97242d72cd801fbefff463e8f

SHA512
45a983ea0c981017566dcfe3389efb380d604680edc0bcaa9bbb192c05717359f4e78571bb60ff3d6bdc14f2b46e6b2b01565366a65d79339a88b0a7edc07730

Download Submit
\Program Files (x86)\17a8bfc\jusched.exe

Filesize
208KB

MD5
8d0358dc94c242121e3054b4f188dab9

SHA1
ea47c246a22978aba97ac25e1c7f83c660f7e3b1

SHA256
e031dd8bd6ce5c3b996495030b7468b46a4257b97242d72cd801fbefff463e8f

SHA512
45a983ea0c981017566dcfe3389efb380d604680edc0bcaa9bbb192c05717359f4e78571bb60ff3d6bdc14f2b46e6b2b01565366a65d79339a88b0a7edc07730

Download Submit
memory/1716-61-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1880-54-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1880-55-0x0000000075D71000-0x0000000075D73000-memory.dmp

Filesize
8KB

Download
memory/1880-60-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download

Analysis

Sharing