24df359c9aeeee7eef5f38546f048ab7ad5a379ea8ef64b4cc45234fd5477c87

Analysis

max time kernel
93s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 23:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d9928906da1b4c4c9be9591cdcc6667e.exe
Size

298KB
MD5

d9928906da1b4c4c9be9591cdcc6667e
SHA1

10334080d54808af5feec2933c7a608a1ef1292b
SHA256

24df359c9aeeee7eef5f38546f048ab7ad5a379ea8ef64b4cc45234fd5477c87
SHA512

309ebce2b92d8b948b818048254018cfa4fcb2a96621ccf618939c7436308a54789090f3b828fa55ca32a92f11f2685273d9db78032f4f0000e98537ede2d706
SSDEEP

1536:iwQBHSonUWjzlZLXf4QJpUT0mSBAgapetc8o/Kdgo1QGuG3gyh1nu:iBlSRWjzrLXQQJKgmSBAVpet2Ago1ls

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.tripod.com
Port:
21
Username:
onthelinux
Password:
741852abc

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	d9928906da1b4c4c9be9591cdcc6667e.exe

Executes dropped EXE 1 IoCs

pid	Process
4232	jusched.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\ab373504\jusched.exe	d9928906da1b4c4c9be9591cdcc6667e.exe
File created	C:\Program Files (x86)\ab373504\ab373504	d9928906da1b4c4c9be9591cdcc6667e.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Update23.job	d9928906da1b4c4c9be9591cdcc6667e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3396 wrote to memory of 4232	3396	d9928906da1b4c4c9be9591cdcc6667e.exe	94
PID 3396 wrote to memory of 4232	3396	d9928906da1b4c4c9be9591cdcc6667e.exe	94
PID 3396 wrote to memory of 4232	3396	d9928906da1b4c4c9be9591cdcc6667e.exe	94

C:\Users\Admin\AppData\Local\Temp\d9928906da1b4c4c9be9591cdcc6667e.exe
"C:\Users\Admin\AppData\Local\Temp\d9928906da1b4c4c9be9591cdcc6667e.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3396
- C:\Program Files (x86)\ab373504\jusched.exe
  "C:\Program Files (x86)\ab373504\jusched.exe"
  2⤵
  - Executes dropped EXE
  PID:4232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ab373504\ab373504

Filesize
17B

MD5
2130fee70fc3f7c10d5279f96f98ad1e

SHA1
4307cef89171fa230048ea22546802198d888780

SHA256
3506e286f6223ccaf1665d4e457b712abeb527266ff28327ce60e37b9fbeb404

SHA512
67fa1bb31028ff3ba125f184207499b9205f58c9eef2ac948f5824475515c396b3d5f93e207cb96deffe1aedb286b1f935cc689c5d84449e51c517da1cffe2e5

Download Submit
C:\Program Files (x86)\ab373504\jusched.exe

Filesize
298KB

MD5
3627845a2f1f86965eec3083a6427fc0

SHA1
25090f3b7f0b0cbe2dbba6cfc0b51a95018c736d

SHA256
67ab80733599ea90bd5de067e99a259f1d3b2b4e25c485f77e19d6fc365c3c44

SHA512
86ea779611af05f22be88755371660427cfa0cff62af331c9f9e81af5b2cfbaf3f0a0e8bba4fa2bf5c3cfd7dd94f2a7d365d54046ece7af78e8c395088be0418

Download Submit
memory/3396-0-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/3396-12-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download
memory/4232-11-0x0000000000400000-0x000000000045B000-memory.dmp

Filesize
364KB

Download