6847bfce1091e64866e9f76271f2758ca8f4cbeb27ab183033e87f9f6e75fd74

Analysis

max time kernel
145s
max time network
143s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27/03/2024, 15:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1fdbfe2d5b8d35255d29d996a89f3dc.exe
Size

208KB
MD5

e1fdbfe2d5b8d35255d29d996a89f3dc
SHA1

a5fad1e1b5a4bc24c7183361392b03c1c016baaa
SHA256

6847bfce1091e64866e9f76271f2758ca8f4cbeb27ab183033e87f9f6e75fd74
SHA512

f55e7818bb971cd10fa87c93580d2829e7892b7ffbff024d7abd62d6d42eb77c37a1427f5a8cdd49153a750c79b0edf539b28371c3535688366d5ca57d623701
SSDEEP

3072:7ChJgYMm4xf9cU9KQ2BxA59SPMqOogn2:XYMm4xiWKQ2BiCM

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2200	jusched.exe

Loads dropped DLL 2 IoCs

pid	Process
2224	e1fdbfe2d5b8d35255d29d996a89f3dc.exe
2224	e1fdbfe2d5b8d35255d29d996a89f3dc.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\98bafc13\98bafc13	e1fdbfe2d5b8d35255d29d996a89f3dc.exe
File created	C:\Program Files (x86)\98bafc13\jusched.exe	e1fdbfe2d5b8d35255d29d996a89f3dc.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Update23.job	e1fdbfe2d5b8d35255d29d996a89f3dc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 2200	2224	e1fdbfe2d5b8d35255d29d996a89f3dc.exe	28
PID 2224 wrote to memory of 2200	2224	e1fdbfe2d5b8d35255d29d996a89f3dc.exe	28
PID 2224 wrote to memory of 2200	2224	e1fdbfe2d5b8d35255d29d996a89f3dc.exe	28
PID 2224 wrote to memory of 2200	2224	e1fdbfe2d5b8d35255d29d996a89f3dc.exe	28

C:\Users\Admin\AppData\Local\Temp\e1fdbfe2d5b8d35255d29d996a89f3dc.exe
"C:\Users\Admin\AppData\Local\Temp\e1fdbfe2d5b8d35255d29d996a89f3dc.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Program Files (x86)\98bafc13\jusched.exe
  "C:\Program Files (x86)\98bafc13\jusched.exe"
  2⤵
  - Executes dropped EXE
  PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\98bafc13\98bafc13

Filesize
17B

MD5
89931a70501a3362b6823b53523f5a77

SHA1
88c7e199c462ed8cc3af0ba453512b5b1fdcfdb5

SHA256
d30d9a0e64bc9f4a306617f087f30de6d57a5413793ab7bde13a299777a1b254

SHA512
8fa7ab4824ae86f3f47b3718c11f79ef275dd0639396572eaeb1262ad9153ccf43c633a7b292e30c97370436a09f22fbcf817a802015650ffb1f84d2b83483bd

Download Submit
\Program Files (x86)\98bafc13\jusched.exe

Filesize
208KB

MD5
0e5eae49a3d25802af55def7d00c9aed

SHA1
8ab5e378391cc06acff941eab060a5fd3ecc48ca

SHA256
38d22fe3359930bc78d8c0c1e224a797bbbd090deb6da757af73a85c0b50f82f

SHA512
e14bc7ace98bb4bc7c8ea0b5c187d93287da20d3b2c3855a75496795a77aa2473e37f0d89ce5d2bdf3f67978bbf96008d86a71f7c6204a5ad2dc9fd3b6eacecf

Download Submit
memory/2200-14-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2224-0-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download
memory/2224-7-0x0000000002350000-0x00000000023A4000-memory.dmp

Filesize
336KB

Download
memory/2224-13-0x0000000000400000-0x0000000000454000-memory.dmp

Filesize
336KB

Download