b1c30abd717d493c7ef1c6c235b8ec72e3ce83509e06326528d75e3d2b6c4f54

General

Target

3b09c2f2689e7c752092ac08ac1c94d0_exe32.exe
Size

88KB
MD5

3b09c2f2689e7c752092ac08ac1c94d0
SHA1

b4216fe85eb4fcaff5eb4b154954486ab5a78b8c
SHA256

b1c30abd717d493c7ef1c6c235b8ec72e3ce83509e06326528d75e3d2b6c4f54
SHA512

b2ec1f8f3e95ee2f122b65358a1c1979722121e992dfad785883944df28b4879a11ee0b1c59659a341b2c906ce35bdfed623fd446c781e933e9fea0bf7182f0e
SSDEEP

1536:JdXkE87nccOtwqsIcGIjAPdrl86QpCXs8T3yv:rUE87cxtplAKri6WCXs8I

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.tripod.com
Port:
21
Username:
onthelinux
Password:
741852abc

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3064	jusched.exe

Loads dropped DLL 2 IoCs

pid	Process
1256	3b09c2f2689e7c752092ac08ac1c94d0_exe32.exe
1256	3b09c2f2689e7c752092ac08ac1c94d0_exe32.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\d96d69a0\jusched.exe	3b09c2f2689e7c752092ac08ac1c94d0_exe32.exe
File created	C:\Program Files (x86)\d96d69a0\d96d69a0	3b09c2f2689e7c752092ac08ac1c94d0_exe32.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Update23.job	3b09c2f2689e7c752092ac08ac1c94d0_exe32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1256 wrote to memory of 3064	1256	3b09c2f2689e7c752092ac08ac1c94d0_exe32.exe	28
PID 1256 wrote to memory of 3064	1256	3b09c2f2689e7c752092ac08ac1c94d0_exe32.exe	28
PID 1256 wrote to memory of 3064	1256	3b09c2f2689e7c752092ac08ac1c94d0_exe32.exe	28
PID 1256 wrote to memory of 3064	1256	3b09c2f2689e7c752092ac08ac1c94d0_exe32.exe	28

C:\Users\Admin\AppData\Local\Temp\3b09c2f2689e7c752092ac08ac1c94d0_exe32.exe
"C:\Users\Admin\AppData\Local\Temp\3b09c2f2689e7c752092ac08ac1c94d0_exe32.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1256
- C:\Program Files (x86)\d96d69a0\jusched.exe
  "C:\Program Files (x86)\d96d69a0\jusched.exe"
  2⤵
  - Executes dropped EXE
  PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\d96d69a0\d96d69a0

Filesize
17B

MD5
4d77d6b250ffb567743b8dbcdad695b8

SHA1
d5a8f98f9433f6d36c74df463cef3e2cf524462d

SHA256
7ec7a3a23890c3592f5b762aecf11adbf8831fad11b8048aedfa7315d599c5f2

SHA512
5655153049101fd67125d484c81f1ad30b44f36f00e3aabfe8d730a21661f4b394357b60da549289def4311b4cc7bd508d8fd6b8db254cd442b2152f8902bd71

Download Submit
C:\Program Files (x86)\d96d69a0\jusched.exe

Filesize
88KB

MD5
0525c4a855279833506d7ffbdbeef2f0

SHA1
8288a8c4a496cf7f6d904c06fe7e8297e2a45e4c

SHA256
a6d0712aa9bea2f6172381ecdd3e106657af18da0c2843fc1204907991eb9975

SHA512
02fa3f45d50265a80af281424d408ba9bae0b8d67dab5adac8e5d6a105c792986ab40e822f1070af0068522cc8ce51f8c2b99361b6b39fdedca22a7af13e6aa5

Download Submit
C:\Program Files (x86)\d96d69a0\jusched.exe

Filesize
88KB

MD5
0525c4a855279833506d7ffbdbeef2f0

SHA1
8288a8c4a496cf7f6d904c06fe7e8297e2a45e4c

SHA256
a6d0712aa9bea2f6172381ecdd3e106657af18da0c2843fc1204907991eb9975

SHA512
02fa3f45d50265a80af281424d408ba9bae0b8d67dab5adac8e5d6a105c792986ab40e822f1070af0068522cc8ce51f8c2b99361b6b39fdedca22a7af13e6aa5

Download Submit
\Program Files (x86)\d96d69a0\jusched.exe

Filesize
88KB

MD5
0525c4a855279833506d7ffbdbeef2f0

SHA1
8288a8c4a496cf7f6d904c06fe7e8297e2a45e4c

SHA256
a6d0712aa9bea2f6172381ecdd3e106657af18da0c2843fc1204907991eb9975

SHA512
02fa3f45d50265a80af281424d408ba9bae0b8d67dab5adac8e5d6a105c792986ab40e822f1070af0068522cc8ce51f8c2b99361b6b39fdedca22a7af13e6aa5

Download Submit
\Program Files (x86)\d96d69a0\jusched.exe

Filesize
88KB

MD5
0525c4a855279833506d7ffbdbeef2f0

SHA1
8288a8c4a496cf7f6d904c06fe7e8297e2a45e4c

SHA256
a6d0712aa9bea2f6172381ecdd3e106657af18da0c2843fc1204907991eb9975

SHA512
02fa3f45d50265a80af281424d408ba9bae0b8d67dab5adac8e5d6a105c792986ab40e822f1070af0068522cc8ce51f8c2b99361b6b39fdedca22a7af13e6aa5

Download Submit
memory/1256-12-0x0000000001FE0000-0x000000000202C000-memory.dmp

Filesize
304KB

Download
memory/1256-0-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1256-8-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1256-1-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1256-17-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1256-4-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1256-2-0x00000000002B0000-0x00000000002B8000-memory.dmp

Filesize
32KB

Download
memory/3064-20-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3064-22-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/3064-23-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing