Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05/04/2024, 23:35

General

  • Target
    8398265a1afccb4b84ddac6f479e4d664d04470149aaffcec2fde3b673a13c77.exe
  • Size
    263KB
  • MD5
    27f6c7b9f5219fecf10e3076ef4d79ac
  • SHA1
    eab258f5c048272219e0806c9930c15c73ee9d22
  • SHA256
    8398265a1afccb4b84ddac6f479e4d664d04470149aaffcec2fde3b673a13c77
  • SHA512
    4eaa055e96313ce532f917d05492d28e9ef65ee749ef52896176c011b73c49d291709acbd9692d9437647c7120148d97208311bf438b0f55668d5632520852ff
  • SSDEEP
    3072:BXpdr1f5QrnssP1Vg6eofg/7+upI8GpFeGMkTZ5:jjRQJ9m6ez+MWeGBTZ5

Score
10/10

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.ueuo.com
  • Port:
    21
  • Username:
    googgle.ueuo.com
  • Password:
    741852

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.yesimcopy.com
  • Port:
    21
  • Username:
    yesimcopy1
  • Password:
    825cyf

Signatures

  • Checks computer location settings (2 TTPs, 1 IoC)
    Looks up the country code configured in the registry, likely a geofence.
  • Executes dropped EXE (1 IoC)
  • Drops file in Program Files directory (3 IoCs)
  • Drops file in Windows directory (1 IoC)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s).
  • Suspicious use of WriteProcessMemory (3 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\8398265a1afccb4b84ddac6f479e4d664d04470149aaffcec2fde3b673a13c77.exe (PID 1356)
    Command line: "C:\Users\Admin\AppData\Local\Temp\8398265a1afccb4b84ddac6f479e4d664d04470149aaffcec2fde3b673a13c77.exe"
    • Checks computer location settings
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    • Child process: C:\Program Files (x86)\9b42e60d\jusched.exe (PID 4628)
      Command line: "C:\Program Files (x86)\9b42e60d\jusched.exe"
      • Executes dropped EXE

Downloads

  • C:\Program Files (x86)\9b42e60d\9b42e60d
    Filesize: 17B
    MD5: bc13ad0f8d1727f36fde832e28bf44bb
    SHA1: 258533f23fa6fce5055b1247b9b4cbc8d13233cf
    SHA256: aeccd3a7dee3061696d55f53b027aa15e4e8f3d66b970dc353d0532fee21aef6
    SHA512: 0389aff4333a77fde96a5439f414b9c71e7cd94948d591debf8e53199f5e1683d016803ba292b1382d288239b8df1ac4cfa81ab95899160a2f5a7ffd77553f3f
  • C:\Program Files (x86)\9b42e60d\info_a
    Filesize: 12B
    MD5: 4b538e1d56035d1212eecf87e7c574ff
    SHA1: 44add33b85e1b65615843dbac47dd72052534b21
    SHA256: d4529887b9636a43eedd865e47deeb4310c50e8f3d140c22ea918b214cae82e6
    SHA512: 572d10e2541f55d68979374d3cc886369c5efdf25aa4b02229ba14d31a4bafeaf18d0f27c7b0083517be90466bed75b60d046aa698956ff81b3ae9ea2f756728
  • C:\Program Files (x86)\9b42e60d\jusched.exe
    Filesize: 263KB
    MD5: 71211812337e82551a853037b0bac9e0
    SHA1: c2ffc8a397d833962d82db54ffded3a9dd801c50
    SHA256: 94dab76458b74f73159cadd3678a803fd5be880828a30b476e5fd12d21e42145
    SHA512: df840d451170a6e75278ebb6cfa543ce324f424ef70fedff9cbaa88ad8ba8287ee97f365b164a2fddea9239c160a3c8a1e9a132a08d957758ab0aa6c7385e33c
  • memory/1356-0-0x0000000000400000-0x0000000000452000-memory.dmp
    Filesize: 328KB
  • memory/1356-16-0x0000000000400000-0x0000000000452000-memory.dmp
    Filesize: 328KB
  • memory/4628-15-0x0000000000400000-0x0000000000452000-memory.dmp
    Filesize: 328KB