4fbf18b6a18e36a57ef07e398330495fae45e7ecea2f7b1ba4d5bc1c10e87146

Analysis

max time kernel
146s
max time network
148s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 15:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

79535538c605b530668cd9e15304ac79.exe
Size

296KB
MD5

79535538c605b530668cd9e15304ac79
SHA1

0fa9798e0aa00cbdfcf436bd6b3f95c4d664e6d1
SHA256

4fbf18b6a18e36a57ef07e398330495fae45e7ecea2f7b1ba4d5bc1c10e87146
SHA512

b231500a2161372c17dfcd1247195bdcc262f4dbecfd236f462a6cf519e392d26f33487c57957e58b3fd18a0f320dd2c86259bec384ea140edaa102f17930d59
SSDEEP

3072:qePgCctxGv4QcU9KQ2BBA2waPxhtmolHbjRYM5p:OCctxGsWKQ2Bx5xvjHF

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2816	jusched.exe

Loads dropped DLL 2 IoCs

pid	Process
2216	79535538c605b530668cd9e15304ac79.exe
2216	79535538c605b530668cd9e15304ac79.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\d520e00b\jusched.exe	79535538c605b530668cd9e15304ac79.exe
File created	C:\Program Files (x86)\d520e00b\d520e00b	79535538c605b530668cd9e15304ac79.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Update23.job	79535538c605b530668cd9e15304ac79.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 2816	2216	79535538c605b530668cd9e15304ac79.exe	28
PID 2216 wrote to memory of 2816	2216	79535538c605b530668cd9e15304ac79.exe	28
PID 2216 wrote to memory of 2816	2216	79535538c605b530668cd9e15304ac79.exe	28
PID 2216 wrote to memory of 2816	2216	79535538c605b530668cd9e15304ac79.exe	28

C:\Users\Admin\AppData\Local\Temp\79535538c605b530668cd9e15304ac79.exe
"C:\Users\Admin\AppData\Local\Temp\79535538c605b530668cd9e15304ac79.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Program Files (x86)\d520e00b\jusched.exe
  "C:\Program Files (x86)\d520e00b\jusched.exe"
  2⤵
  - Executes dropped EXE
  PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\d520e00b\d520e00b

Filesize
17B

MD5
552bb86ed2797d3fd12ac0d273afaf75

SHA1
6e8633f9c24590779acbd3dd14c60f856320bc0a

SHA256
3ef9ff5da8272fd1b14c83f12c8d28fd9dbf32d56bcb714921032b02557fe789

SHA512
dab57227de02f4667cc8e2ec47566088b473caa0387caffbdfde37f3400da7d4f67dd222e83a4fa93592694bbcff7c52a2bcec074868baf221bc47d9370c8d2c

Download Submit
\Program Files (x86)\d520e00b\jusched.exe

Filesize
296KB

MD5
17de6c9efcf087df9a392a3e25e6263a

SHA1
d5ab7a78a76648620fda73aef98e3b6bdfc48205

SHA256
e964ee1ec289fbc277f9ae6fdb18093e862c15d49543b58dceadb7b9cbc96f37

SHA512
dcd991fe4c2a7426d9be91ad371122fd9583bf37d28c9a34160710f6fbca638f5e40513d969fee826399fa145c6d0d7fc36b060d19d0567b6e4f0a839092d38c

Download Submit
\Program Files (x86)\d520e00b\jusched.exe

Filesize
64KB

MD5
7ea19e3ad6ce009e4f60e10a4417fb52

SHA1
fb088f6fe60673dc0d1b28bd28596084765b7626

SHA256
8ebf0f810ee6e06904ad0104422410ad77e670d11b04ea52965ee237f265424f

SHA512
b0971b637016512269c113a753f8564ca746f82c336295e4ecd1b2a8311796ced26faf1b1d0ec9cc70d44e1a21d50679783fd480b88678cf4c84c188c40116b1

Download Submit
memory/2216-0-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2216-7-0x0000000002760000-0x00000000027BC000-memory.dmp

Filesize
368KB

Download
memory/2216-13-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/2816-14-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download