Analysis
- max time kernel: 157s
- max time network: 164s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02/06/2024, 23:44
Static task: static1
Behavioral task: behavioral1
- Sample: 764d8565eeac3cb947a8809835a02f46c71c8a257c3c511635283e51a2513617.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 764d8565eeac3cb947a8809835a02f46c71c8a257c3c511635283e51a2513617.exe
- Resource: win10v2004-20240226-en
General
- Target: 764d8565eeac3cb947a8809835a02f46c71c8a257c3c511635283e51a2513617.exe
- Size: 93KB
- MD5: 1911082266c5156d3229cdbef261f8dc
- SHA1: 11e3ccbe66eee9250c1f35a0a238420e4dd5827d
- SHA256: 764d8565eeac3cb947a8809835a02f46c71c8a257c3c511635283e51a2513617
- SHA512: ab4f03abb95e2e77c21033c935c14177441d61fc4f38ab3eb0225a25f11ba23ecd8b44f7450612802eef3d664ab08c51bd1daa55637b55f507eabe54a1e5f955
- SSDEEP: 1536:8QTIubHR5wQgAl3YxgUdqiUA6lpW/TvEd/cjEpcuy3Ua0:1Pw/dgU1x6l0Lsco83c
Malware Config
Extracted
- Protocol: ftp
- Host: ftp.tripod.com
- Port: 21
- Username: onthelinux
- Password: 741852abc
Signatures
- Detects executables packed with VMProtect (1 IoC)
  resource: behavioral2/files/0x0008000000023243-6.dat
  yara_rule: INDICATOR_EXE_Packed_VMProtect
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation
  Process: 764d8565eeac3cb947a8809835a02f46c71c8a257c3c511635283e51a2513617.exe
- Executes dropped EXE (1 IoC)
  pid: 4816
  Process: jusched.exe
- Drops file in Program Files directory (2 IoCs)
  description: File created
  ioc: C:\Program Files (x86)\da742b0c\jusched.exe
  Process: 764d8565eeac3cb947a8809835a02f46c71c8a257c3c511635283e51a2513617.exe
  description: File created
  ioc: C:\Program Files (x86)\da742b0c\da742b0c
  Process: 764d8565eeac3cb947a8809835a02f46c71c8a257c3c511635283e51a2513617.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid: 4816
  Process: jusched.exe
  (the same pid/process entry is reported 64 times)
- Suspicious use of WriteProcessMemory (3 IoCs)
  description: PID 4444 wrote to memory of 4816
  pid: 4444
  Process: 764d8565eeac3cb947a8809835a02f46c71c8a257c3c511635283e51a2513617.exe
  procid_target: 93
  (the same entry is reported 3 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\764d8565eeac3cb947a8809835a02f46c71c8a257c3c511635283e51a2513617.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\764d8565eeac3cb947a8809835a02f46c71c8a257c3c511635283e51a2513617.exe"
  PID: 4444
  - Checks computer location settings
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\da742b0c\jusched.exe (child of PID 4444)
    Command line: "C:\Program Files (x86)\da742b0c\jusched.exe"
    PID: 4816
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4064 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8
  PID: 3396
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 13B
  MD5: f253efe302d32ab264a76e0ce65be769
  SHA1: 768685ca582abd0af2fbb57ca37752aa98c9372b
  SHA256: 49dca65f362fee401292ed7ada96f96295eab1e589c52e4e66bf4aedda715fdd
  SHA512: 1990d20b462406bbadb22ba43f1ed9d0db6b250881d4ac89ad8cf6e43ca92b2fd31c3a15be1e6e149e42fdb46e58122c15bc7869a82c9490656c80df69fa77c4
- Filesize: 93KB
  MD5: 15143b9587945079a54e4c75d5f7e0f7
  SHA1: b258c71cfcbfb625faacfed7452c56a5e3213ebb
  SHA256: 40f12bf35f69c1871790a744daf38b124c10aa767dca15d531c9b5272ff879b8
  SHA512: cc4e261055ffd27ae51fe15ec5d18ac1fe622f907a741cd834dc4ae7b024dae7efc4b8cb496b00ef5dcb191e344b6004f3832c8e2f6f5f9f975867868be196fd