98ca7a5fb785f0eb0f000782908a258b42bd7f27cc28d8daba52bad9236efa13

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29/12/2023, 20:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

028a7c3103e13888ae9801115c4d4490.exe
Size

240KB
MD5

028a7c3103e13888ae9801115c4d4490
SHA1

d14a80a11ab37dee3e8ad07b76811ec5b13bc44f
SHA256

98ca7a5fb785f0eb0f000782908a258b42bd7f27cc28d8daba52bad9236efa13
SHA512

2b26744b5d7455757f5575922d21f07cafc8ff1fe68a6c4ae7154a0354b59d0ef09c14590ad89c4af292e1b28814f977244f39fee769a915f250df914c718c7b
SSDEEP

3072:SVHgCc4xGvbwcU9KQ2BBAHmaPxlVozb5EC:TCc4xGxWKQ2BonxS

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	028a7c3103e13888ae9801115c4d4490.exe

Executes dropped EXE 1 IoCs

pid	Process
3356	jusched.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\e181858e\jusched.exe	028a7c3103e13888ae9801115c4d4490.exe
File created	C:\Program Files (x86)\e181858e\e181858e	028a7c3103e13888ae9801115c4d4490.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Update23.job	028a7c3103e13888ae9801115c4d4490.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1944 wrote to memory of 3356	1944	028a7c3103e13888ae9801115c4d4490.exe	95
PID 1944 wrote to memory of 3356	1944	028a7c3103e13888ae9801115c4d4490.exe	95
PID 1944 wrote to memory of 3356	1944	028a7c3103e13888ae9801115c4d4490.exe	95

C:\Users\Admin\AppData\Local\Temp\028a7c3103e13888ae9801115c4d4490.exe
"C:\Users\Admin\AppData\Local\Temp\028a7c3103e13888ae9801115c4d4490.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1944
- C:\Program Files (x86)\e181858e\jusched.exe
  "C:\Program Files (x86)\e181858e\jusched.exe"
  2⤵
  - Executes dropped EXE
  PID:3356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\e181858e\e181858e

Filesize
17B

MD5
134c1d489094d6d3399f65b0e9aebc1f

SHA1
612a57fbe6ed3ab9c15b39451171d813314a28d5

SHA256
54f9150d1268f7b4b83dd9fc3ec32274bf749715a5806ff3ca5262f5427d6781

SHA512
b09bf60e4850d05261d81a124a647dd111f42480224eae8a3bd2f64736c38119953703f868ad34194a7ae6dad6aabff4081ba73df262bbe9f5327867c56a48ed

Download Submit
C:\Program Files (x86)\e181858e\jusched.exe

Filesize
240KB

MD5
8f3ea999aca885cbdf38137974957ffb

SHA1
9744ced5ca1ff54d6ee6c9292550e1e7b5023300

SHA256
db3ed9c1edc48f87b63c9a45823be7b7f8ab83b200448964df263f6a7171f211

SHA512
dad0e1228f718d6beda6df470b5e940e42fb88345ec26646d554e61b16230e0fb260660dafd04b68ccfa2832bcdae257b8813e56761e7865cf6710e5302f84a1

Download Submit
memory/1944-0-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/1944-14-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/3356-15-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download