6437ed43d49d1684827f79515b4fa453ef0f39690e588dae0d56a00d890ab972

Analysis

max time kernel
148s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-03-2024 21:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6437ed43d49d1684827f79515b4fa453ef0f39690e588dae0d56a00d890ab972.exe
Size

432KB
MD5

c78b8de4bded642f818a27ac7bb0245d
SHA1

257717f1e8501fde94943ad14eabb2fa9eacda57
SHA256

6437ed43d49d1684827f79515b4fa453ef0f39690e588dae0d56a00d890ab972
SHA512

3431830954c9f6d89f512efa091f17b4283a3f923338ca8de23cb948f20afad574f5b6de9ba7ee140fd95d17d150b7b6c7dc81b4c78e6c3041ef6b5baf327ddc
SSDEEP

3072:KChJgYMm4xf9cU9KQ2BxA59SPMIOonn240YK0FN8lpSUyKncAxi2sh:SYMm4xiWKQ2BiCM2ZK03kNcATy

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation	6437ed43d49d1684827f79515b4fa453ef0f39690e588dae0d56a00d890ab972.exe

Executes dropped EXE 1 IoCs

pid	Process
1848	jusched.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\62d8ef80\jusched.exe	6437ed43d49d1684827f79515b4fa453ef0f39690e588dae0d56a00d890ab972.exe
File created	C:\Program Files (x86)\62d8ef80\62d8ef80	6437ed43d49d1684827f79515b4fa453ef0f39690e588dae0d56a00d890ab972.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Update23.job	6437ed43d49d1684827f79515b4fa453ef0f39690e588dae0d56a00d890ab972.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1404 wrote to memory of 1848	1404	6437ed43d49d1684827f79515b4fa453ef0f39690e588dae0d56a00d890ab972.exe	100
PID 1404 wrote to memory of 1848	1404	6437ed43d49d1684827f79515b4fa453ef0f39690e588dae0d56a00d890ab972.exe	100
PID 1404 wrote to memory of 1848	1404	6437ed43d49d1684827f79515b4fa453ef0f39690e588dae0d56a00d890ab972.exe	100

C:\Users\Admin\AppData\Local\Temp\6437ed43d49d1684827f79515b4fa453ef0f39690e588dae0d56a00d890ab972.exe
"C:\Users\Admin\AppData\Local\Temp\6437ed43d49d1684827f79515b4fa453ef0f39690e588dae0d56a00d890ab972.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Program Files (x86)\62d8ef80\jusched.exe
  "C:\Program Files (x86)\62d8ef80\jusched.exe"
  2⤵
  - Executes dropped EXE
  PID:1848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4392 --field-trial-handle=2972,i,4036376905309803364,5412922217215781933,262144 --variations-seed-version /prefetch:8
1⤵
PID:3936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\62d8ef80\62d8ef80

Filesize
17B

MD5
89931a70501a3362b6823b53523f5a77

SHA1
88c7e199c462ed8cc3af0ba453512b5b1fdcfdb5

SHA256
d30d9a0e64bc9f4a306617f087f30de6d57a5413793ab7bde13a299777a1b254

SHA512
8fa7ab4824ae86f3f47b3718c11f79ef275dd0639396572eaeb1262ad9153ccf43c633a7b292e30c97370436a09f22fbcf817a802015650ffb1f84d2b83483bd

Download Submit
C:\Program Files (x86)\62d8ef80\jusched.exe

Filesize
432KB

MD5
7b4746ac7d74dc128c330cda450f203e

SHA1
ec84c58c196dfb2193ac78d02d8c1638a09a69d6

SHA256
effabf1c33451a9d512943d1170e4230285f9afa13c9e21edbc91fbb9f758476

SHA512
e47f557a5145e8bd89f6dc8baa5dce0a6575b6dcedacc7cb61cf442e262733411b6fab3027cc56a6a896296a63d0d641f4b2d0933cd39ec0a676ace7bf8cb050

Download Submit
memory/1404-0-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1404-15-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1848-13-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download