69151c137bdbf1c0b5e7dae6ecb1bd8f5c588aa1a1587659f0e796a9de53ed3c

Analysis

max time kernel
148s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 07:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f0330e4425246e95ba7a596040da8fe.exe
Size

208KB
MD5

0f0330e4425246e95ba7a596040da8fe
SHA1

a116da0bfb633b2cf4dc32795c7ae83259a2ff93
SHA256

69151c137bdbf1c0b5e7dae6ecb1bd8f5c588aa1a1587659f0e796a9de53ed3c
SHA512

e938b63e4eea2d1edbbe732dfe50552dc2319e61f956b5948f9eee91324c8e02f6661df0e13c79a2db5315e2203033a2faef2334976a9dc4a0cfae5c6fa13bd5
SSDEEP

1536:a5AiTLOQ74YDtnlN5UL09atT0mBBAragjSvIYFwAmd/okQpNu8:a53mQ7JtnP5I09qgmBBAWgjSvwN/okWd

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation	0f0330e4425246e95ba7a596040da8fe.exe

Executes dropped EXE 1 IoCs

pid	Process
1108	jusched.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\60f4fd71\jusched.exe	0f0330e4425246e95ba7a596040da8fe.exe
File created	C:\Program Files (x86)\60f4fd71\60f4fd71	0f0330e4425246e95ba7a596040da8fe.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Update23.job	0f0330e4425246e95ba7a596040da8fe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1220 wrote to memory of 1108	1220	0f0330e4425246e95ba7a596040da8fe.exe	89
PID 1220 wrote to memory of 1108	1220	0f0330e4425246e95ba7a596040da8fe.exe	89
PID 1220 wrote to memory of 1108	1220	0f0330e4425246e95ba7a596040da8fe.exe	89

C:\Users\Admin\AppData\Local\Temp\0f0330e4425246e95ba7a596040da8fe.exe
"C:\Users\Admin\AppData\Local\Temp\0f0330e4425246e95ba7a596040da8fe.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Program Files (x86)\60f4fd71\jusched.exe
  "C:\Program Files (x86)\60f4fd71\jusched.exe"
  2⤵
  - Executes dropped EXE
  PID:1108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\60f4fd71\60f4fd71

Filesize
17B

MD5
4d77d6b250ffb567743b8dbcdad695b8

SHA1
d5a8f98f9433f6d36c74df463cef3e2cf524462d

SHA256
7ec7a3a23890c3592f5b762aecf11adbf8831fad11b8048aedfa7315d599c5f2

SHA512
5655153049101fd67125d484c81f1ad30b44f36f00e3aabfe8d730a21661f4b394357b60da549289def4311b4cc7bd508d8fd6b8db254cd442b2152f8902bd71

Download Submit
C:\Program Files (x86)\60f4fd71\jusched.exe

Filesize
208KB

MD5
421d3040c12318b7b917498637328f3b

SHA1
680bc58347a996c88499ce54207a29122fbf9ebd

SHA256
53db88c2f40defc9fabfc9735d92fa8ce9b27be1381e28dac2d47bc945f2dab3

SHA512
a757ca26089f6be3d6d8d2af3693fb0345d8f36fa5b44810cf08551c25ff20cd70167745daefa63e322e198cee3b2729d3de6b632a3067a6f8ec14f1de95ba05

Download Submit