79c59fa84969d8d06a85d9aefed6ec252b0855ad1d9af4815077dcc925d964e4

Analysis

max time kernel
155s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
28/12/2023, 22:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fd07f0d9cccbc4a340043dec29ed4473.exe
Size

188KB
MD5

fd07f0d9cccbc4a340043dec29ed4473
SHA1

a2559599bccef0c90ff8300f5ca47ccd4f546054
SHA256

79c59fa84969d8d06a85d9aefed6ec252b0855ad1d9af4815077dcc925d964e4
SHA512

ba9086373d68bb2fd16d087af30408701e0c1ba2f2ed49cf8bf1637810856151d5d62feafbe970d80e9da1ef1c2ec00a67375ce58f7e1af92c74ca7c015b4fe9
SSDEEP

1536:MfVLuTnlTTy9uEGe9t2oKLjWlCu8i9pUJANjUSqoW/Qnes:MfVLWlTTbEGe9AJKlCvIUuqoWonl

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	fd07f0d9cccbc4a340043dec29ed4473.exe

Executes dropped EXE 1 IoCs

pid	Process
4760	jusched.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\b2fb7108\b2fb7108	fd07f0d9cccbc4a340043dec29ed4473.exe
File created	C:\Program Files (x86)\b2fb7108\jusched.exe	fd07f0d9cccbc4a340043dec29ed4473.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Update23.job	fd07f0d9cccbc4a340043dec29ed4473.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1740 wrote to memory of 4760	1740	fd07f0d9cccbc4a340043dec29ed4473.exe	91
PID 1740 wrote to memory of 4760	1740	fd07f0d9cccbc4a340043dec29ed4473.exe	91
PID 1740 wrote to memory of 4760	1740	fd07f0d9cccbc4a340043dec29ed4473.exe	91

C:\Users\Admin\AppData\Local\Temp\fd07f0d9cccbc4a340043dec29ed4473.exe
"C:\Users\Admin\AppData\Local\Temp\fd07f0d9cccbc4a340043dec29ed4473.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1740
- C:\Program Files (x86)\b2fb7108\jusched.exe
  "C:\Program Files (x86)\b2fb7108\jusched.exe"
  2⤵
  - Executes dropped EXE
  PID:4760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\b2fb7108\b2fb7108

Filesize
17B

MD5
713de2425165c8df1702f4fa73675b7c

SHA1
8776000c93a63c318fd1dc5765010ced1568ffa7

SHA256
27969b723db5b2dd9c284c3351d884a535a92e6dadc44a425054fa76626a2343

SHA512
9b5327edc09bca4846029bda05502e34711ee843fbeccf3328253fcd2f1b399601eb613350c49e1d06098831d7b3dc8f5b2e1d1651b44e070ba70c8fedf6cf44

Download Submit
C:\Program Files (x86)\b2fb7108\jusched.exe

Filesize
188KB

MD5
9caeba725561d97934ce8fe2cbe6b52e

SHA1
50f060d94c35d83c740974fab1498db058df9f06

SHA256
d2952ac4b171d6ee1b60660ae3bbe81454a58c3e42264a341ce62b48f9d2a11f

SHA512
aa6ec559a7852de32f38ed70fc67f89bd06aa2b6681fd4884b64d996282f14044d6c87c40622da937078cd357d142babba7119fd1490ffbfee31a4b9a7c1f694

Download Submit