Analysis

Max time kernel: 4s
Max time network: 152s
Platform: windows10-2004_x64
Resource: win10v2004-20231222-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 25/12/2023, 10:46

Static task: static1

Behavioral task: behavioral1
Sample: 183cc5406314f67b15a424162da1e431.exe
Resource: win7-20231215-en

Behavioral task: behavioral2
Sample: 183cc5406314f67b15a424162da1e431.exe
Resource: win10v2004-20231222-en
General

Target: 183cc5406314f67b15a424162da1e431.exe
Size: 208KB
MD5: 183cc5406314f67b15a424162da1e431
SHA1: a6dc2b382023ccac71f87bfc3e80b013b0fd458f
SHA256: ec073d73d54a52d889115abe7a08088f2fe16c0cf1186078b43a0f79a6db155c
SHA512: a3437e66c622c07ca0bb6aaf1bea4ce7160bcf97976be84fef41cae8d5815b7f055765e5ac73c2b022e1f33b88261a5faa795597df1ad2ebb06384ad4e950582
SSDEEP: 3072:8VHgCc4xGvbwcU9KQ2BBAHmaPxiVoIb5ET:5Cc4xGxWKQ2Bonxb
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  Description: Key value queried
  IoC: \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation
  Process: 183cc5406314f67b15a424162da1e431.exe

Executes dropped EXE (1 IoC)
  PID: 3480
  Process: jusched.exe

Drops file in Program Files directory (2 IoCs)
  Description: File created
  IoC: C:\Program Files (x86)\1de979a9\jusched.exe
  Process: 183cc5406314f67b15a424162da1e431.exe
  Description: File created
  IoC: C:\Program Files (x86)\1de979a9\1de979a9
  Process: 183cc5406314f67b15a424162da1e431.exe

Drops file in Windows directory (1 IoC)
  Description: File created
  IoC: C:\Windows\Tasks\Update23.job
  Process: 183cc5406314f67b15a424162da1e431.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of WriteProcessMemory (3 IoCs)
  Description: PID 3000 wrote to memory of 3480
  PID: 3000
  Process: 183cc5406314f67b15a424162da1e431.exe
  procid_target: 91
  (the same entry is reported three times)
Processes

1. C:\Users\Admin\AppData\Local\Temp\183cc5406314f67b15a424162da1e431.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\183cc5406314f67b15a424162da1e431.exe"
   PID: 3000
   - Checks computer location settings
   - Drops file in Program Files directory
   - Drops file in Windows directory
   - Suspicious use of WriteProcessMemory

   2. C:\Program Files (x86)\1de979a9\jusched.exe (child of PID 3000)
      Command line: "C:\Program Files (x86)\1de979a9\jusched.exe"
      PID: 3480
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads