6ac3ce815936f1d584280a3bae54805f4abe5859c3bcc4f3ede706474bcba942

Analysis

max time kernel
119s
max time network
142s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
01-01-2024 10:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ca7d46295eb67c93b4520417373af37.exe
Size

34KB
MD5

3ca7d46295eb67c93b4520417373af37
SHA1

72fb8d73346cc2bd2987a308c29cd9923595a3f8
SHA256

6ac3ce815936f1d584280a3bae54805f4abe5859c3bcc4f3ede706474bcba942
SHA512

8324bebbd1d007c3e507254c36ca2e646a08d5bb130380cdbd3bb1d17e6bb71de6c441a371f61d4c6bc84a77f2b55d18fad1c660c834ffe691e60dd335aebe10
SSDEEP

768:mzQYScGrIubHuYtvdxwYHw5FAe2QqncwxHJ:gQTIubHy5wQqd

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2352	jusched.exe

Loads dropped DLL 2 IoCs

pid	Process
2820	3ca7d46295eb67c93b4520417373af37.exe
2820	3ca7d46295eb67c93b4520417373af37.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\52b769a4\jusched.exe	3ca7d46295eb67c93b4520417373af37.exe
File created	C:\Program Files (x86)\52b769a4\52b769a4	3ca7d46295eb67c93b4520417373af37.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe
2352	jusched.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 2352	2820	3ca7d46295eb67c93b4520417373af37.exe	28
PID 2820 wrote to memory of 2352	2820	3ca7d46295eb67c93b4520417373af37.exe	28
PID 2820 wrote to memory of 2352	2820	3ca7d46295eb67c93b4520417373af37.exe	28
PID 2820 wrote to memory of 2352	2820	3ca7d46295eb67c93b4520417373af37.exe	28

C:\Users\Admin\AppData\Local\Temp\3ca7d46295eb67c93b4520417373af37.exe
"C:\Users\Admin\AppData\Local\Temp\3ca7d46295eb67c93b4520417373af37.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Program Files (x86)\52b769a4\jusched.exe
  "C:\Program Files (x86)\52b769a4\jusched.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\52b769a4\52b769a4

Filesize
13B

MD5
f253efe302d32ab264a76e0ce65be769

SHA1
768685ca582abd0af2fbb57ca37752aa98c9372b

SHA256
49dca65f362fee401292ed7ada96f96295eab1e589c52e4e66bf4aedda715fdd

SHA512
1990d20b462406bbadb22ba43f1ed9d0db6b250881d4ac89ad8cf6e43ca92b2fd31c3a15be1e6e149e42fdb46e58122c15bc7869a82c9490656c80df69fa77c4

Download Submit
C:\Program Files (x86)\52b769a4\jusched.exe

Filesize
20KB

MD5
76b8020a9f3ee3e22e28fa0069b8854d

SHA1
49cb8712c5840dafa0b880ec07f7ae01505af438

SHA256
d6a473899a6b055f0d0f84e78812229aa79d0478950f0286ae55b0b22a9718b1

SHA512
ee0cdf1efa331034e4e2250cad9b4092c32bbe717f4b26683904544f9090a0bb1b67be228e719b41bbbad809dfa1925f7e6a6acc5cc968d8f7cb20676b6bcd39

Download Submit
C:\Program Files (x86)\52b769a4\jusched.exe

Filesize
28KB

MD5
7bbc0c50c249b78d9f79629baec112b9

SHA1
c42ab2915696c874cd22597fd1cb329d47986107

SHA256
a9f8d26a84906d1b2203914391d7d4cf9b85b67219f700fc4e72eceb9dabdb6b

SHA512
d4343ad83c810f715c1ccad76cf8c744d5f69d78d8231415a58acbef8bba001d3635456e264fad4c54c0aa3b50bf976bba078d22252609de1cd23e2d7506da41

Download Submit
\Program Files (x86)\52b769a4\jusched.exe

Filesize
34KB

MD5
559560d775f3ab452be1aebe629f9a07

SHA1
2ac1638152fc19ee9d7545b19445a77b1c7d93ae

SHA256
036ff1044e1c9f6cc414aad49fd01859e3379c5000fe9d0200b43e0c32af9eeb

SHA512
2b9f22331816935b8f1fdc8475e9b44afa196a6cbdd3ec7b17d5c78caef926bb915f96e5309c846eae6d1bd646287b0c52661e06cf43f117029972b520093d33

Download Submit
\Program Files (x86)\52b769a4\jusched.exe

Filesize
4KB

MD5
a04708e4fdc8390f2f86aeea4d0098d8

SHA1
e01c091d8568a950e6314db3c9643a3d4ef90e8e

SHA256
6773ea85e6995eaff4032971305df0fb3285e18e56b3c05dd41a9d7f96c633ad

SHA512
30c2c5fcc4e102fe65551d536a243f3f3115bbb9fdef4beeedf4a74b45fc554681a2fb46d76547d9c6725982606cbf2dc90832d2f94c014410382180c7dd4d6f

Download Submit