1ae1c1596fc7201777e6d937c1a28b61fd0ab68d4ce2594a3e89f9a97db3f3f2

Analysis

max time kernel
146s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29-04-2024 19:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ae1c1596fc7201777e6d937c1a28b61fd0ab68d4ce2594a3e89f9a97db3f3f2.exe
Size

211KB
MD5

9ef108fd2bf242bb863d017f2e9ced19
SHA1

23cd3d758865975e097e8dc44c8306f193420807
SHA256

1ae1c1596fc7201777e6d937c1a28b61fd0ab68d4ce2594a3e89f9a97db3f3f2
SHA512

1c62a0713170aec53248eb1781cb6e304e48e3262e133024fae9e519a0e893ab2ef02b2e79796882af4339562288936a87e79148e62c5944b4102003f9750379
SSDEEP

1536:KvVte+7YkayZ+OttmxKLjWlSA8Zp5JAJjXSHoWLUzB3st9:KvVteka8+OtAcKlSRz51HoWIZa

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.tripod.com
Port:
21
Username:
onthelinux
Password:
741852abc

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	1ae1c1596fc7201777e6d937c1a28b61fd0ab68d4ce2594a3e89f9a97db3f3f2.exe

Executes dropped EXE 1 IoCs

pid	Process
2592	jusched.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\69e6b4c3\jusched.exe	1ae1c1596fc7201777e6d937c1a28b61fd0ab68d4ce2594a3e89f9a97db3f3f2.exe
File created	C:\Program Files (x86)\69e6b4c3\69e6b4c3	1ae1c1596fc7201777e6d937c1a28b61fd0ab68d4ce2594a3e89f9a97db3f3f2.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Update23.job	1ae1c1596fc7201777e6d937c1a28b61fd0ab68d4ce2594a3e89f9a97db3f3f2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3484 wrote to memory of 2592	3484	1ae1c1596fc7201777e6d937c1a28b61fd0ab68d4ce2594a3e89f9a97db3f3f2.exe	91
PID 3484 wrote to memory of 2592	3484	1ae1c1596fc7201777e6d937c1a28b61fd0ab68d4ce2594a3e89f9a97db3f3f2.exe	91
PID 3484 wrote to memory of 2592	3484	1ae1c1596fc7201777e6d937c1a28b61fd0ab68d4ce2594a3e89f9a97db3f3f2.exe	91

C:\Users\Admin\AppData\Local\Temp\1ae1c1596fc7201777e6d937c1a28b61fd0ab68d4ce2594a3e89f9a97db3f3f2.exe
"C:\Users\Admin\AppData\Local\Temp\1ae1c1596fc7201777e6d937c1a28b61fd0ab68d4ce2594a3e89f9a97db3f3f2.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3484
- C:\Program Files (x86)\69e6b4c3\jusched.exe
  "C:\Program Files (x86)\69e6b4c3\jusched.exe"
  2⤵
  - Executes dropped EXE
  PID:2592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4252 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
1⤵
PID:3816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\69e6b4c3\69e6b4c3

Filesize
17B

MD5
209aa6c14d66621f3aa1cee03a8bf5dc

SHA1
0f5bce2a29d3306586934b6d846a172078ee8e66

SHA256
57ef9e3c809cf3ca41782d4c7119c3ae7e43ccbb1c00d978b745677f14b82c2e

SHA512
8b9fb2bcc8e8785a48d3fe212f852c2f108ef2ab20e9e2a61e9bba5857002abe9111e42411bfc573e50c126031b7ef0433bddfa357de2ca0814f7d31157b9c63

Download Submit
C:\Program Files (x86)\69e6b4c3\jusched.exe

Filesize
211KB

MD5
06029dff6e2d71bd88be417b9ed0559d

SHA1
2198bec7631865b556f912c005f53e70f193a89f

SHA256
abd60a181fade7d2693130449326ff2b7f4e2275f3090dbce6c29e4126bf53b7

SHA512
7ccad184127fc8c47ab58f7c3f64b8300239a2e9b09800f76a2f37488f924349031333f5d5a668e1612760236a0ad125ce9613f63dd74476cbd11e87d4c16560

Download Submit
memory/2592-13-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2592-16-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3484-0-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3484-15-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download