Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
25/12/2023, 19:10
General
-
Target
36e8f61c5cbf723ed065b219a0f944f6.exe
-
Size
204KB
-
MD5
36e8f61c5cbf723ed065b219a0f944f6
-
SHA1
c8a6c1dd169d66366b80632d3f06709eef479a64
-
SHA256
0f2335618e4bc53cfcd6e374fc84bb93f932af64d1fe85dd7c271951e282342e
-
SHA512
e794022fb7537e56dff9cd982b741b6c97bae5c835b3713ad9d6cfc3a6a7bba93019e78f6fb293013f1c16d3609a8118d2ac7aecc9e2c09cb6c7e31683b47f2d
-
SSDEEP
1536:rfAiHwgicnislGltILYLU9KD02BBAdKJaPoYkwA2dIol:rfQgicdlGvILcU9KQ2BBAkJaPxhIol
Malware Config
Extracted
Protocol: ftp- Host:
185.27.134.11 - Port:
21 - Username:
b12_8082975 - Password:
951753zx
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\36e8f61c5cbf723ed065b219a0f944f6.exe"C:\Users\Admin\AppData\Local\Temp\36e8f61c5cbf723ed065b219a0f944f6.exe"1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\896faad7\jusched.exe"C:\Program Files (x86)\896faad7\jusched.exe"2⤵
- Executes dropped EXE
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
204KB
MD52e1ef4723b530828a58e0d9ea1340189
SHA15ada6d69b7dd8630fcf13ddfe701680dbfa2fad0
SHA2561ba53b200518e412145dc81f0650049c20ab32bdab05f44afdf18e2b6eda7ecd
SHA512813c2aaa165318d1835b3ce9e6e35b0418279c028d8976b7c41df9401871d83466af7f89dec04ef586ed77694907be899e35b05ac4b3d2dd7f7c27958d6d5ef9