b1c30abd717d493c7ef1c6c235b8ec72e3ce83509e06326528d75e3d2b6c4f54

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
15/10/2023, 19:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3b09c2f2689e7c752092ac08ac1c94d0_exe32.exe
Size

88KB
MD5

3b09c2f2689e7c752092ac08ac1c94d0
SHA1

b4216fe85eb4fcaff5eb4b154954486ab5a78b8c
SHA256

b1c30abd717d493c7ef1c6c235b8ec72e3ce83509e06326528d75e3d2b6c4f54
SHA512

b2ec1f8f3e95ee2f122b65358a1c1979722121e992dfad785883944df28b4879a11ee0b1c59659a341b2c906ce35bdfed623fd446c781e933e9fea0bf7182f0e
SSDEEP

1536:JdXkE87nccOtwqsIcGIjAPdrl86QpCXs8T3yv:rUE87cxtplAKri6WCXs8I

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.tripod.com
Port:
21
Username:
onthelinux
Password:
741852abc

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation	3b09c2f2689e7c752092ac08ac1c94d0_exe32.exe

Executes dropped EXE 1 IoCs

pid	Process
4756	jusched.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\1f564c0a\jusched.exe	3b09c2f2689e7c752092ac08ac1c94d0_exe32.exe
File created	C:\Program Files (x86)\1f564c0a\1f564c0a	3b09c2f2689e7c752092ac08ac1c94d0_exe32.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Update23.job	3b09c2f2689e7c752092ac08ac1c94d0_exe32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 404 wrote to memory of 4756	404	3b09c2f2689e7c752092ac08ac1c94d0_exe32.exe	89
PID 404 wrote to memory of 4756	404	3b09c2f2689e7c752092ac08ac1c94d0_exe32.exe	89
PID 404 wrote to memory of 4756	404	3b09c2f2689e7c752092ac08ac1c94d0_exe32.exe	89

C:\Users\Admin\AppData\Local\Temp\3b09c2f2689e7c752092ac08ac1c94d0_exe32.exe
"C:\Users\Admin\AppData\Local\Temp\3b09c2f2689e7c752092ac08ac1c94d0_exe32.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:404
- C:\Program Files (x86)\1f564c0a\jusched.exe
  "C:\Program Files (x86)\1f564c0a\jusched.exe"
  2⤵
  - Executes dropped EXE
  PID:4756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\1f564c0a\1f564c0a

Filesize
17B

MD5
4d77d6b250ffb567743b8dbcdad695b8

SHA1
d5a8f98f9433f6d36c74df463cef3e2cf524462d

SHA256
7ec7a3a23890c3592f5b762aecf11adbf8831fad11b8048aedfa7315d599c5f2

SHA512
5655153049101fd67125d484c81f1ad30b44f36f00e3aabfe8d730a21661f4b394357b60da549289def4311b4cc7bd508d8fd6b8db254cd442b2152f8902bd71

Download Submit
C:\Program Files (x86)\1f564c0a\jusched.exe

Filesize
88KB

MD5
82473ee795de351d1db1ff976c29ab0e

SHA1
aad0be2151fb00ff6fa3b0425dbeb35b80c10641

SHA256
80be50eb6f59326369f7b7df8a914b2d50c1a8e529e1b90ab81d018bfc339e25

SHA512
c8ff45b82f866ee0b069aa179ef9a6fdcb49cf0da5b05b6154f441c6f485904313ba244d934de2f44a4fcbd89f17d283ef91df9e20420442105f9cbc8b28aff0

Download Submit
C:\Program Files (x86)\1f564c0a\jusched.exe

Filesize
88KB

MD5
82473ee795de351d1db1ff976c29ab0e

SHA1
aad0be2151fb00ff6fa3b0425dbeb35b80c10641

SHA256
80be50eb6f59326369f7b7df8a914b2d50c1a8e529e1b90ab81d018bfc339e25

SHA512
c8ff45b82f866ee0b069aa179ef9a6fdcb49cf0da5b05b6154f441c6f485904313ba244d934de2f44a4fcbd89f17d283ef91df9e20420442105f9cbc8b28aff0

Download Submit
C:\Program Files (x86)\1f564c0a\jusched.exe

Filesize
88KB

MD5
82473ee795de351d1db1ff976c29ab0e

SHA1
aad0be2151fb00ff6fa3b0425dbeb35b80c10641

SHA256
80be50eb6f59326369f7b7df8a914b2d50c1a8e529e1b90ab81d018bfc339e25

SHA512
c8ff45b82f866ee0b069aa179ef9a6fdcb49cf0da5b05b6154f441c6f485904313ba244d934de2f44a4fcbd89f17d283ef91df9e20420442105f9cbc8b28aff0

Download Submit
memory/404-4-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/404-6-0x00000000006A0000-0x00000000006A8000-memory.dmp

Filesize
32KB

Download
memory/404-5-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/404-0-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/404-22-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/404-2-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/404-1-0x00000000006A0000-0x00000000006A8000-memory.dmp

Filesize
32KB

Download
memory/4756-19-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4756-21-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/4756-24-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download