555d1f9e4aa8ffcd1fa2e6b4d82905951a5d580f55487e8627a378e0d33251db

Analysis

max time kernel
124s
max time network
125s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26-12-2023 01:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

49b3b8d84fbb92c0cb6e75dcdc2f8152.exe
Size

208KB
MD5

49b3b8d84fbb92c0cb6e75dcdc2f8152
SHA1

9f0383e316d8a9254d8ce90d43ec0461a28ad296
SHA256

555d1f9e4aa8ffcd1fa2e6b4d82905951a5d580f55487e8627a378e0d33251db
SHA512

c775c9e3449ab5dc49ca76b22365d68717774a81543567b4c35640b62368fad289d83aaabf9f80c048bd6c9deb6e722949b64fd8798dcb0739ef2c6fbc1bcee8
SSDEEP

3072:xVHgCc4xGvbwcU9KQ2BBAHmaPxBVoob5EW:ECc4xGxWKQ2Bonx3

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3068	jusched.exe

Loads dropped DLL 2 IoCs

pid	Process
2140	49b3b8d84fbb92c0cb6e75dcdc2f8152.exe
2140	49b3b8d84fbb92c0cb6e75dcdc2f8152.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\868faba6\jusched.exe	49b3b8d84fbb92c0cb6e75dcdc2f8152.exe
File created	C:\Program Files (x86)\868faba6\868faba6	49b3b8d84fbb92c0cb6e75dcdc2f8152.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Update23.job	49b3b8d84fbb92c0cb6e75dcdc2f8152.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 3068	2140	49b3b8d84fbb92c0cb6e75dcdc2f8152.exe	28
PID 2140 wrote to memory of 3068	2140	49b3b8d84fbb92c0cb6e75dcdc2f8152.exe	28
PID 2140 wrote to memory of 3068	2140	49b3b8d84fbb92c0cb6e75dcdc2f8152.exe	28
PID 2140 wrote to memory of 3068	2140	49b3b8d84fbb92c0cb6e75dcdc2f8152.exe	28

C:\Users\Admin\AppData\Local\Temp\49b3b8d84fbb92c0cb6e75dcdc2f8152.exe
"C:\Users\Admin\AppData\Local\Temp\49b3b8d84fbb92c0cb6e75dcdc2f8152.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Program Files (x86)\868faba6\jusched.exe
  "C:\Program Files (x86)\868faba6\jusched.exe"
  2⤵
  - Executes dropped EXE
  PID:3068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2140-0-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2140-13-0x0000000002930000-0x0000000002976000-memory.dmp

Filesize
280KB

Download
memory/2140-12-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3068-14-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download