03df3ce82c0d69c1ba8b0c67fdb83dd771b14303b6d61511f8c5622e8da78be7

Analysis

max time kernel
151s
max time network
155s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30/12/2023, 22:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f0780b25b633b3c64f852abe551fc97.exe
Size

212KB
MD5

1f0780b25b633b3c64f852abe551fc97
SHA1

4baecfc3ff291a0367c0d630ee38d861539aa7b7
SHA256

03df3ce82c0d69c1ba8b0c67fdb83dd771b14303b6d61511f8c5622e8da78be7
SHA512

793efa6a3de70e970f36566ee28fcd1f8538cfdb2b46bfd23c3f3b20d0050e3ff860686fb528ba6c0a3421d7397f2299022a4f86719f8766c094ee536c9c6ab3
SSDEEP

3072:OChJgYMm4xf9cU9KQ2BxA59SPMSOokn2:uYMm4xiWKQ2BiCM

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2792	jusched.exe

Loads dropped DLL 2 IoCs

pid	Process
2888	1f0780b25b633b3c64f852abe551fc97.exe
2888	1f0780b25b633b3c64f852abe551fc97.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\63734c3f\jusched.exe	1f0780b25b633b3c64f852abe551fc97.exe
File created	C:\Program Files (x86)\63734c3f\63734c3f	1f0780b25b633b3c64f852abe551fc97.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Update23.job	1f0780b25b633b3c64f852abe551fc97.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 2792	2888	1f0780b25b633b3c64f852abe551fc97.exe	27
PID 2888 wrote to memory of 2792	2888	1f0780b25b633b3c64f852abe551fc97.exe	27
PID 2888 wrote to memory of 2792	2888	1f0780b25b633b3c64f852abe551fc97.exe	27
PID 2888 wrote to memory of 2792	2888	1f0780b25b633b3c64f852abe551fc97.exe	27

C:\Users\Admin\AppData\Local\Temp\1f0780b25b633b3c64f852abe551fc97.exe
"C:\Users\Admin\AppData\Local\Temp\1f0780b25b633b3c64f852abe551fc97.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Program Files (x86)\63734c3f\jusched.exe
  "C:\Program Files (x86)\63734c3f\jusched.exe"
  2⤵
  - Executes dropped EXE
  PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\63734c3f\63734c3f

Filesize
17B

MD5
89931a70501a3362b6823b53523f5a77

SHA1
88c7e199c462ed8cc3af0ba453512b5b1fdcfdb5

SHA256
d30d9a0e64bc9f4a306617f087f30de6d57a5413793ab7bde13a299777a1b254

SHA512
8fa7ab4824ae86f3f47b3718c11f79ef275dd0639396572eaeb1262ad9153ccf43c633a7b292e30c97370436a09f22fbcf817a802015650ffb1f84d2b83483bd

Download Submit
\Program Files (x86)\63734c3f\jusched.exe

Filesize
212KB

MD5
8b98c7b2c2d807b0221a8235cf2e584c

SHA1
8a9fadc934a1b066ad13846ba753e56eeab09da0

SHA256
ff260b3369c948daee3c1a7e7e84fe712d4260c1ad872bb4e74a6e8516b23881

SHA512
11e28512906dfe444b68bfca77d9e010bf32c25a8488ae910fb8da75b57f7183a70adf71a614e7adb21ffffe2a26688b89ce6d910061ecd94bcd60ae27312488

Download Submit
memory/2792-15-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2888-0-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2888-7-0x0000000002310000-0x000000000235E000-memory.dmp

Filesize
312KB

Download
memory/2888-13-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/2888-14-0x0000000002310000-0x000000000235E000-memory.dmp

Filesize
312KB

Download