d38926ca512f16be28d3331852e0296128a97497e6d98de82890006f27b5000f

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
14/03/2024, 23:45 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d38926ca512f16be28d3331852e0296128a97497e6d98de82890006f27b5000f.exe
Size

196KB
MD5

8c9f87a56213fd81590d2b75553ca612
SHA1

2b8e6e7f879dca0d8485d4868b7d0b419847b647
SHA256

d38926ca512f16be28d3331852e0296128a97497e6d98de82890006f27b5000f
SHA512

87431d3b322dbd55eddbbbacdd1774023865983d3800c8780886e4ba8f9bb19ada8ed7ec334cfeecfb3fed2812e950da73bc03f6f67f5338bda98b9e1eff824f
SSDEEP

1536:pvVQb4cLIkN+4Weat2RKLjWlC48Pp9JAcjrSrowlU5PT:pvVQLIkLWeaA8KlCph9GrowliT

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	d38926ca512f16be28d3331852e0296128a97497e6d98de82890006f27b5000f.exe

Executes dropped EXE 1 IoCs

pid	Process
3084	jusched.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\bbeb2caf\jusched.exe	d38926ca512f16be28d3331852e0296128a97497e6d98de82890006f27b5000f.exe
File created	C:\Program Files (x86)\bbeb2caf\bbeb2caf	d38926ca512f16be28d3331852e0296128a97497e6d98de82890006f27b5000f.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Update23.job	d38926ca512f16be28d3331852e0296128a97497e6d98de82890006f27b5000f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3956 wrote to memory of 3084	3956	d38926ca512f16be28d3331852e0296128a97497e6d98de82890006f27b5000f.exe	87
PID 3956 wrote to memory of 3084	3956	d38926ca512f16be28d3331852e0296128a97497e6d98de82890006f27b5000f.exe	87
PID 3956 wrote to memory of 3084	3956	d38926ca512f16be28d3331852e0296128a97497e6d98de82890006f27b5000f.exe	87

C:\Users\Admin\AppData\Local\Temp\d38926ca512f16be28d3331852e0296128a97497e6d98de82890006f27b5000f.exe
"C:\Users\Admin\AppData\Local\Temp\d38926ca512f16be28d3331852e0296128a97497e6d98de82890006f27b5000f.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3956
- C:\Program Files (x86)\bbeb2caf\jusched.exe
  "C:\Program Files (x86)\bbeb2caf\jusched.exe"
  2⤵
  - Executes dropped EXE
  PID:3084

Network

DNS

228.249.119.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

228.249.119.40.in-addr.arpa

IN PTR

Response
DNS

136.32.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

136.32.126.40.in-addr.arpa

IN PTR

Response
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

209.205.72.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

209.205.72.20.in-addr.arpa

IN PTR

Response
DNS

79.121.231.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

79.121.231.20.in-addr.arpa

IN PTR

Response
DNS

26.165.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

26.165.165.52.in-addr.arpa

IN PTR

Response
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR

Response
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR
DNS

217.135.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.135.221.88.in-addr.arpa

IN PTR

Response

217.135.221.88.in-addr.arpa

IN PTR

a88-221-135-217deploystaticakamaitechnologiescom
DNS

217.135.221.88.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.135.221.88.in-addr.arpa

IN PTR
DNS

ftp.byethost12.com

jusched.exe

Remote address:

8.8.8.8:53

Request

ftp.byethost12.com

IN A

Response

ftp.byethost12.com

IN A

185.27.134.11
DNS

griptoloji.host-ed.net

jusched.exe

Remote address:

8.8.8.8:53

Request

griptoloji.host-ed.net

IN A

Response
DNS

ftp.tripod.com

jusched.exe

Remote address:

8.8.8.8:53

Request

ftp.tripod.com

IN A

Response

ftp.tripod.com

IN A

209.202.252.54
DNS

54.252.202.209.in-addr.arpa

Remote address:

8.8.8.8:53

Request

54.252.202.209.in-addr.arpa

IN PTR

Response

54.252.202.209.in-addr.arpa

IN PTR

ftptripodcom
DNS

31.243.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

31.243.111.52.in-addr.arpa

IN PTR

Response
DNS

31.243.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

31.243.111.52.in-addr.arpa

IN PTR
DNS

griptoloji.host-ed.net

jusched.exe

Remote address:

8.8.8.8:53

Request

griptoloji.host-ed.net

IN A

Response

185.27.134.11:21

ftp.byethost12.com

jusched.exe

260 B
5
209.202.252.54:21

ftp.tripod.com

jusched.exe

144 B
44 B
3
1
185.27.134.11:21

ftp.byethost12.com

jusched.exe

260 B
5
209.202.252.54:21

ftp.tripod.com

jusched.exe

98 B
44 B
2
1

8.8.8.8:53

228.249.119.40.in-addr.arpa

dns

73 B
159 B
1
1

DNS Request

228.249.119.40.in-addr.arpa
8.8.8.8:53

136.32.126.40.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

136.32.126.40.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

209.205.72.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

209.205.72.20.in-addr.arpa
8.8.8.8:53

79.121.231.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

79.121.231.20.in-addr.arpa
8.8.8.8:53

26.165.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

26.165.165.52.in-addr.arpa
8.8.8.8:53

15.164.165.52.in-addr.arpa

dns

144 B
146 B
2
1

DNS Request

15.164.165.52.in-addr.arpa

DNS Request

15.164.165.52.in-addr.arpa
8.8.8.8:53

217.135.221.88.in-addr.arpa

dns

146 B
139 B
2
1

DNS Request

217.135.221.88.in-addr.arpa

DNS Request

217.135.221.88.in-addr.arpa
8.8.8.8:53

ftp.byethost12.com

dns

jusched.exe

64 B
80 B
1
1

DNS Request

ftp.byethost12.com

DNS Response

185.27.134.11
8.8.8.8:53

griptoloji.host-ed.net

dns

jusched.exe

68 B
124 B
1
1

DNS Request

griptoloji.host-ed.net
8.8.8.8:53

ftp.tripod.com

dns

jusched.exe

60 B
76 B
1
1

DNS Request

ftp.tripod.com

DNS Response

209.202.252.54
8.8.8.8:53

54.252.202.209.in-addr.arpa

dns

73 B
101 B
1
1

DNS Request

54.252.202.209.in-addr.arpa
8.8.8.8:53

31.243.111.52.in-addr.arpa

dns

144 B
158 B
2
1

DNS Request

31.243.111.52.in-addr.arpa

DNS Request

31.243.111.52.in-addr.arpa
8.8.8.8:53

griptoloji.host-ed.net

dns

jusched.exe

68 B
124 B
1
1

DNS Request

griptoloji.host-ed.net

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\bbeb2caf\bbeb2caf

Filesize
17B

MD5
7bdf61d37c9adf3e1c6937107016091f

SHA1
56b8e0c454f9dd16d508a04b3afa7e458453ac41

SHA256
4c57d86c256214baa0a5a3322ef5cdd575210455b7e964ad60382bd9d4be12e0

SHA512
ff4fc1a427c84f47042375749f45ee6edea73b902ae977f14243ebceb7b9a28f41fe5dd404e3ea381754d9122202bc6b61ed0152b20a1c1be76c225dd20861d1

Download Submit
C:\Program Files (x86)\bbeb2caf\jusched.exe

Filesize
196KB

MD5
86df1487331896f4170bddb1723ebc5f

SHA1
5b53a465ae940e3298173ffd07613d54543314de

SHA256
9b1d6dab0f7e27054ed1b4922ebe47f790d63f3dd3e619896ed6fe56de53150c

SHA512
291fcc48b34ec7a72245d98df3d0b6b8715305efe37a285e4948c80ca177c683052a73e78534a0125f28f2e5d217d35a8f15af0c30f9e014dc2f5e4d02841c1e

Download Submit
memory/3084-15-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/3956-0-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/3956-14-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.