39961846fd6cbd3fee80abc78b0cc489964dceb9c77197608f4fbdb16316d73f

General

Target

39961846fd6cbd3fee80abc78b0cc489964dceb9c77197608f4fbdb16316d73f.exe
Size

2.5MB
MD5

eca95fbb69ab3ba58f0f535c0e481d67
SHA1

82f2092667e20ef4992d13a428102d64176b4b9e
SHA256

39961846fd6cbd3fee80abc78b0cc489964dceb9c77197608f4fbdb16316d73f
SHA512

3646cf1f9a1fcd854f4ad63ce1bcd451319efd27c21255279add937a9060f32c15d944aa8b4df1712bcf600703614c66c57144061ac09afd4bbec89a4612e3ff
SSDEEP

49152:vhDZlDTeHumcu6x06hZJYtF2EGvxyhXQu8GqbilpEVWi26kAdSNl:ZVlExGT2tF2rCXrVlScJAoz

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.tripod.com
Port:
21
Username:
onthelinux
Password:
741852abc

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2508	jusched.exe

Loads dropped DLL 2 IoCs

pid	Process
1812	39961846fd6cbd3fee80abc78b0cc489964dceb9c77197608f4fbdb16316d73f.exe
1812	39961846fd6cbd3fee80abc78b0cc489964dceb9c77197608f4fbdb16316d73f.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs

pid	Process
1812	39961846fd6cbd3fee80abc78b0cc489964dceb9c77197608f4fbdb16316d73f.exe
2508	jusched.exe
2508	jusched.exe
2508	jusched.exe
2508	jusched.exe
2508	jusched.exe
2508	jusched.exe
2508	jusched.exe
2508	jusched.exe
2508	jusched.exe
2508	jusched.exe
2508	jusched.exe
2508	jusched.exe
2508	jusched.exe
2508	jusched.exe
2508	jusched.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\d98752a2\jusched.exe	39961846fd6cbd3fee80abc78b0cc489964dceb9c77197608f4fbdb16316d73f.exe
File created	C:\Program Files (x86)\d98752a2\d98752a2	39961846fd6cbd3fee80abc78b0cc489964dceb9c77197608f4fbdb16316d73f.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Update23.job	39961846fd6cbd3fee80abc78b0cc489964dceb9c77197608f4fbdb16316d73f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1812	39961846fd6cbd3fee80abc78b0cc489964dceb9c77197608f4fbdb16316d73f.exe
2508	jusched.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1812 wrote to memory of 2508	1812	39961846fd6cbd3fee80abc78b0cc489964dceb9c77197608f4fbdb16316d73f.exe	28
PID 1812 wrote to memory of 2508	1812	39961846fd6cbd3fee80abc78b0cc489964dceb9c77197608f4fbdb16316d73f.exe	28
PID 1812 wrote to memory of 2508	1812	39961846fd6cbd3fee80abc78b0cc489964dceb9c77197608f4fbdb16316d73f.exe	28
PID 1812 wrote to memory of 2508	1812	39961846fd6cbd3fee80abc78b0cc489964dceb9c77197608f4fbdb16316d73f.exe	28

C:\Users\Admin\AppData\Local\Temp\39961846fd6cbd3fee80abc78b0cc489964dceb9c77197608f4fbdb16316d73f.exe
"C:\Users\Admin\AppData\Local\Temp\39961846fd6cbd3fee80abc78b0cc489964dceb9c77197608f4fbdb16316d73f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1812
- C:\Program Files (x86)\d98752a2\jusched.exe
  "C:\Program Files (x86)\d98752a2\jusched.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetWindowsHookEx
  PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\d98752a2\d98752a2

Filesize
17B

MD5
4d77d6b250ffb567743b8dbcdad695b8

SHA1
d5a8f98f9433f6d36c74df463cef3e2cf524462d

SHA256
7ec7a3a23890c3592f5b762aecf11adbf8831fad11b8048aedfa7315d599c5f2

SHA512
5655153049101fd67125d484c81f1ad30b44f36f00e3aabfe8d730a21661f4b394357b60da549289def4311b4cc7bd508d8fd6b8db254cd442b2152f8902bd71

Download Submit
\Program Files (x86)\d98752a2\jusched.exe

Filesize
2.5MB

MD5
6b734efd400923f27288711d9c61ff8d

SHA1
49b2592a3adc90f7ba0dc09a4b3c569029692526

SHA256
b5f4bce42c5c863d61bdd5f5ea44b5578c6ccb32e621a0ffdd4bfcd76a0c4207

SHA512
3e675305694f7b948d750fec82f85b9c1a54c2e9357bc56130d740c343f741b7ef715ce13abfca963fdf479dbba0a4d1c3304b7cdc10fa3935c1968e739ccbeb

Download Submit
memory/1812-0-0x0000000000400000-0x0000000000E0F000-memory.dmp

Filesize
10.1MB

Download
memory/1812-1-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/1812-14-0x0000000004150000-0x0000000004B5F000-memory.dmp

Filesize
10.1MB

Download
memory/1812-12-0x0000000000400000-0x0000000000E0F000-memory.dmp

Filesize
10.1MB

Download
memory/1812-16-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/2508-23-0x0000000000400000-0x0000000000E0F000-memory.dmp

Filesize
10.1MB

Download
memory/2508-27-0x0000000000400000-0x0000000000E0F000-memory.dmp

Filesize
10.1MB

Download
memory/2508-20-0x0000000000400000-0x0000000000E0F000-memory.dmp

Filesize
10.1MB

Download
memory/2508-21-0x0000000000400000-0x0000000000E0F000-memory.dmp

Filesize
10.1MB

Download
memory/2508-22-0x0000000000400000-0x0000000000E0F000-memory.dmp

Filesize
10.1MB

Download
memory/2508-18-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/2508-24-0x0000000000400000-0x0000000000E0F000-memory.dmp

Filesize
10.1MB

Download
memory/2508-15-0x0000000000400000-0x0000000000E0F000-memory.dmp

Filesize
10.1MB

Download
memory/2508-26-0x0000000000400000-0x0000000000E0F000-memory.dmp

Filesize
10.1MB

Download
memory/2508-19-0x0000000000400000-0x0000000000E0F000-memory.dmp

Filesize
10.1MB

Download
memory/2508-28-0x0000000000400000-0x0000000000E0F000-memory.dmp

Filesize
10.1MB

Download
memory/2508-29-0x0000000000400000-0x0000000000E0F000-memory.dmp

Filesize
10.1MB

Download
memory/2508-30-0x0000000000400000-0x0000000000E0F000-memory.dmp

Filesize
10.1MB

Download
memory/2508-31-0x0000000000400000-0x0000000000E0F000-memory.dmp

Filesize
10.1MB

Download
memory/2508-32-0x0000000000400000-0x0000000000E0F000-memory.dmp

Filesize
10.1MB

Download
memory/2508-33-0x0000000000400000-0x0000000000E0F000-memory.dmp

Filesize
10.1MB

Download
memory/2508-34-0x0000000000400000-0x0000000000E0F000-memory.dmp

Filesize
10.1MB

Download

Analysis

Sharing