60a828dce91a199f720ab96f365be16e704b381eb535985923b2248a800ba0f0

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 19:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e914b106544ee25bf3969c31156716b.exe
Size

196KB
MD5

7e914b106544ee25bf3969c31156716b
SHA1

6975e0e86bfe68e43363501e63b0236b7582f799
SHA256

60a828dce91a199f720ab96f365be16e704b381eb535985923b2248a800ba0f0
SHA512

ef4e491b23fe85e01a199419c30df35ef2cb6d05e03b300f0ded7b5ffe7d3bf0a0746ef9face10c9382950e675c3d90bb7cc6cdb143c0b0c7e8d9ba6ec946fd6
SSDEEP

1536:sfVLuTnlTTy9uEGe9t2oKLjWlCu8i9pUJANjUSqoWZQnem:sfVLWlTTbEGe9AJKlCvIUuqoWqnb

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.tripod.com
Port:
21
Username:
onthelinux
Password:
741852abc

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	7e914b106544ee25bf3969c31156716b.exe

Executes dropped EXE 1 IoCs

pid	Process
4268	jusched.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\6d9a2edb\jusched.exe	7e914b106544ee25bf3969c31156716b.exe
File created	C:\Program Files (x86)\6d9a2edb\6d9a2edb	7e914b106544ee25bf3969c31156716b.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Update23.job	7e914b106544ee25bf3969c31156716b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1580 wrote to memory of 4268	1580	7e914b106544ee25bf3969c31156716b.exe	87
PID 1580 wrote to memory of 4268	1580	7e914b106544ee25bf3969c31156716b.exe	87
PID 1580 wrote to memory of 4268	1580	7e914b106544ee25bf3969c31156716b.exe	87

C:\Users\Admin\AppData\Local\Temp\7e914b106544ee25bf3969c31156716b.exe
"C:\Users\Admin\AppData\Local\Temp\7e914b106544ee25bf3969c31156716b.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1580
- C:\Program Files (x86)\6d9a2edb\jusched.exe
  "C:\Program Files (x86)\6d9a2edb\jusched.exe"
  2⤵
  - Executes dropped EXE
  PID:4268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\6d9a2edb\6d9a2edb

Filesize
17B

MD5
713de2425165c8df1702f4fa73675b7c

SHA1
8776000c93a63c318fd1dc5765010ced1568ffa7

SHA256
27969b723db5b2dd9c284c3351d884a535a92e6dadc44a425054fa76626a2343

SHA512
9b5327edc09bca4846029bda05502e34711ee843fbeccf3328253fcd2f1b399601eb613350c49e1d06098831d7b3dc8f5b2e1d1651b44e070ba70c8fedf6cf44

Download Submit
C:\Program Files (x86)\6d9a2edb\jusched.exe

Filesize
196KB

MD5
c31942c4a5abe86f540894b3cfc7e057

SHA1
8f711ef596e0874b3e40e6f17e243ca5d2007355

SHA256
106399dfec5be28e6a78ecac21ff970f5cd355ff0c730cf1f74bdddc0800000c

SHA512
fe642826cb2c20a5d015f085d4d3ed84e7c91942e7cf97dead4de60e812d10d905c87c57dffb52fa7f4d49c259df3456967add9326907b8f8870a9f90bc5ed82

Download Submit
memory/1580-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/1580-14-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/4268-15-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download