Analysis
-
max time kernel
123s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20230915-en -
resource tags
arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system -
submitted
15/10/2023, 19:50
Static task
static1
Behavioral task
behavioral1
Sample
f66ea506fdc728aa805ea87bfa071060_exe32.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
f66ea506fdc728aa805ea87bfa071060_exe32.exe
Resource
win10v2004-20230915-en
General
-
Target
f66ea506fdc728aa805ea87bfa071060_exe32.exe
-
Size
237KB
-
MD5
f66ea506fdc728aa805ea87bfa071060
-
SHA1
f08ed629c8b401a22caff1344d142b03792f3629
-
SHA256
e12a6b6a2f677bc9e045de2a39c6543a10196ced461bb12b470c3e7882ab4b26
-
SHA512
89d524edae6f14b26a61f047d42a758cb376be072a4208fc65d745f221689d42e9d3a23b32595adcba521f3cbba85c8f44fa3f35cee0bcfa964d795149c6fa90
-
SSDEEP
3072:hePgCctxGv4QcU9KQ2BBA2waPxhtmollrAN/kcMP:dCctxGsWKQ2Bx5xvhcNOP
Malware Config
Extracted
Protocol: ftp- Host:
ftp.tripod.com - Port:
21 - Username:
onthelinux - Password:
741852abc
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation f66ea506fdc728aa805ea87bfa071060_exe32.exe -
Executes dropped EXE 1 IoCs
pid Process 4528 jusched.exe -
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\Program Files (x86)\c00db806\jusched.exe f66ea506fdc728aa805ea87bfa071060_exe32.exe File created C:\Program Files (x86)\c00db806\c00db806 f66ea506fdc728aa805ea87bfa071060_exe32.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File created C:\Windows\Tasks\Update23.job f66ea506fdc728aa805ea87bfa071060_exe32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4968 wrote to memory of 4528 4968 f66ea506fdc728aa805ea87bfa071060_exe32.exe 86 PID 4968 wrote to memory of 4528 4968 f66ea506fdc728aa805ea87bfa071060_exe32.exe 86 PID 4968 wrote to memory of 4528 4968 f66ea506fdc728aa805ea87bfa071060_exe32.exe 86
Processes
-
C:\Users\Admin\AppData\Local\Temp\f66ea506fdc728aa805ea87bfa071060_exe32.exe"C:\Users\Admin\AppData\Local\Temp\f66ea506fdc728aa805ea87bfa071060_exe32.exe"1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4968 -
C:\Program Files (x86)\c00db806\jusched.exe"C:\Program Files (x86)\c00db806\jusched.exe"2⤵
- Executes dropped EXE
PID:4528
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
17B
MD5552bb86ed2797d3fd12ac0d273afaf75
SHA16e8633f9c24590779acbd3dd14c60f856320bc0a
SHA2563ef9ff5da8272fd1b14c83f12c8d28fd9dbf32d56bcb714921032b02557fe789
SHA512dab57227de02f4667cc8e2ec47566088b473caa0387caffbdfde37f3400da7d4f67dd222e83a4fa93592694bbcff7c52a2bcec074868baf221bc47d9370c8d2c
-
Filesize
237KB
MD54393c4f58bc568b43bd5187c6274e97b
SHA18992d1131d231473a7dbcbdc6092188d63006d89
SHA256d02cd1b7b6b8f90b1baaef3f497301394e7b4e404304c25feed6aee80a3983ce
SHA512797415eedaaf95611f3a7bc3593c295e34d40fc812bc77e90886a11ecafe54c2decea6aa9aac93ae6d52687a3968d8ea56f3d5c59cd41f184696264358f85808
-
Filesize
237KB
MD54393c4f58bc568b43bd5187c6274e97b
SHA18992d1131d231473a7dbcbdc6092188d63006d89
SHA256d02cd1b7b6b8f90b1baaef3f497301394e7b4e404304c25feed6aee80a3983ce
SHA512797415eedaaf95611f3a7bc3593c295e34d40fc812bc77e90886a11ecafe54c2decea6aa9aac93ae6d52687a3968d8ea56f3d5c59cd41f184696264358f85808
-
Filesize
237KB
MD54393c4f58bc568b43bd5187c6274e97b
SHA18992d1131d231473a7dbcbdc6092188d63006d89
SHA256d02cd1b7b6b8f90b1baaef3f497301394e7b4e404304c25feed6aee80a3983ce
SHA512797415eedaaf95611f3a7bc3593c295e34d40fc812bc77e90886a11ecafe54c2decea6aa9aac93ae6d52687a3968d8ea56f3d5c59cd41f184696264358f85808