2f8a9ca3546de242f4680dca3f5a5603af1ea290b762fb550f4866004a472746

Analysis

max time kernel
141s
max time network
137s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
18-01-2024 17:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65aa2e6428ea172fef0d60efe208e13d.exe
Size

209KB
MD5

65aa2e6428ea172fef0d60efe208e13d
SHA1

a6ddb21e3c9e6882fb268b740d0f1a1f21da7d7c
SHA256

2f8a9ca3546de242f4680dca3f5a5603af1ea290b762fb550f4866004a472746
SHA512

9da3c729fd7f27242b08fd56c38a82f9cb3317b18eef340d3ea6c0b7c1b1a391983cd4b1ea244461c672425e317e24990066889e775744529fcf26eabc6733f6
SSDEEP

1536:SNSXbc74YTOnlNSUL09atT0mBBA7aKSvIYFwAfdvo6QO5M:SEo75OnPSI09qgmBBAGKSvwovo692

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2200	jusched.exe

Loads dropped DLL 2 IoCs

pid	Process
2372	65aa2e6428ea172fef0d60efe208e13d.exe
2372	65aa2e6428ea172fef0d60efe208e13d.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\d9d0e583\jusched.exe	65aa2e6428ea172fef0d60efe208e13d.exe
File created	C:\Program Files (x86)\d9d0e583\d9d0e583	65aa2e6428ea172fef0d60efe208e13d.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Update23.job	65aa2e6428ea172fef0d60efe208e13d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2200	2372	65aa2e6428ea172fef0d60efe208e13d.exe	28
PID 2372 wrote to memory of 2200	2372	65aa2e6428ea172fef0d60efe208e13d.exe	28
PID 2372 wrote to memory of 2200	2372	65aa2e6428ea172fef0d60efe208e13d.exe	28
PID 2372 wrote to memory of 2200	2372	65aa2e6428ea172fef0d60efe208e13d.exe	28

C:\Users\Admin\AppData\Local\Temp\65aa2e6428ea172fef0d60efe208e13d.exe
"C:\Users\Admin\AppData\Local\Temp\65aa2e6428ea172fef0d60efe208e13d.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Program Files (x86)\d9d0e583\jusched.exe
  "C:\Program Files (x86)\d9d0e583\jusched.exe"
  2⤵
  - Executes dropped EXE
  PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\d9d0e583\d9d0e583

Filesize
17B

MD5
3330ebaaa7e9f4630f4ad4c156be59d8

SHA1
40375cf8e68671e0100e725de5cd5c6657b9f722

SHA256
2c8451d5dca9e68ec3af7f318c5d874fbdfea9e89e7b5f9922b4dbd65f027e15

SHA512
b7631f9685bac9f81aa6bf53afd839910773e108989bbb79ba39cafabbe6b6994ed2fde44911c9f7f24b45c9745d6e80cd9f01975bfb765561df4881f7dad696

Download Submit
\Program Files (x86)\d9d0e583\jusched.exe

Filesize
209KB

MD5
44e5f64aa0823550ed7f8e7fe4b86d6a

SHA1
16d0834cd21ff6fb25a7232207e9021f611a45ce

SHA256
a479e0472fc37b41dcd202cc24fdf9baf0e319e199cd5da608db35f249cf1a85

SHA512
b470760ded0a648935aafb7eadf9d6df12a5369f9fcc0e9f3b32590fa96b4dc99fe5451dc2ad4c0daf7e4c7f983fffef3ec61a85d70b4fa08a190bb7a5b26318

Download Submit