fee5ed2692a8f0d4966f8e2c0444897c25f90596649e0272cee667bea83f90d3

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
22/04/2024, 05:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

fee5ed2692a8f0d4966f8e2c0444897c25f90596649e0272cee667bea83f90d3.exe
Size

208KB
MD5

0cdcb2f5adce1ce0d1e339a8aeff8273
SHA1

7362da727425e3690df39c9145b426a5c7cf0058
SHA256

fee5ed2692a8f0d4966f8e2c0444897c25f90596649e0272cee667bea83f90d3
SHA512

83d3c7225b557e6cfdbdd3944027842941e8579c66a945326cd74d750588916b7aba90a32762ce9a0e4be5cc1f7478e88ed514995df9a8e8d86dca7072094b78
SSDEEP

1536:iHtNFk+5wIaVanPSE8GHo7P1A4xVz28nJtonpZIqi2uN:idk+xagnPm/P1A4xVzPonp2N

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	fee5ed2692a8f0d4966f8e2c0444897c25f90596649e0272cee667bea83f90d3.exe

Executes dropped EXE 1 IoCs

pid	Process
4512	jusched.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\f3bdf2f4\jusched.exe	fee5ed2692a8f0d4966f8e2c0444897c25f90596649e0272cee667bea83f90d3.exe
File created	C:\Program Files (x86)\f3bdf2f4\f3bdf2f4	fee5ed2692a8f0d4966f8e2c0444897c25f90596649e0272cee667bea83f90d3.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Update23.job	fee5ed2692a8f0d4966f8e2c0444897c25f90596649e0272cee667bea83f90d3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 4512	2088	fee5ed2692a8f0d4966f8e2c0444897c25f90596649e0272cee667bea83f90d3.exe	94
PID 2088 wrote to memory of 4512	2088	fee5ed2692a8f0d4966f8e2c0444897c25f90596649e0272cee667bea83f90d3.exe	94
PID 2088 wrote to memory of 4512	2088	fee5ed2692a8f0d4966f8e2c0444897c25f90596649e0272cee667bea83f90d3.exe	94

C:\Users\Admin\AppData\Local\Temp\fee5ed2692a8f0d4966f8e2c0444897c25f90596649e0272cee667bea83f90d3.exe
"C:\Users\Admin\AppData\Local\Temp\fee5ed2692a8f0d4966f8e2c0444897c25f90596649e0272cee667bea83f90d3.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Program Files (x86)\f3bdf2f4\jusched.exe
  "C:\Program Files (x86)\f3bdf2f4\jusched.exe"
  2⤵
  - Executes dropped EXE
  PID:4512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\f3bdf2f4\jusched.exe

Filesize
208KB

MD5
872dc5407171bfd62c7a3a778a858b9d

SHA1
6cf470bfe3498d8980593ac3d55e54cd463c5bc1

SHA256
00645d6f2923297848753b1d31c825a19780a2f19dac12d2f7e821af85825e0a

SHA512
1a0cf3aa1df7baa9ba2d72f55ae27f9b554fbf74a1435444747a5c82278e95176a5074e77766f2cbb76756b33d7b0e3586e4826a7dfefbabd0f8550da6632512

Download Submit