Analysis

  • max time kernel
    157s
  • max time network
    164s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/06/2024, 23:44

General

  • Target

    764d8565eeac3cb947a8809835a02f46c71c8a257c3c511635283e51a2513617.exe

  • Size

    93KB

  • MD5

    1911082266c5156d3229cdbef261f8dc

  • SHA1

    11e3ccbe66eee9250c1f35a0a238420e4dd5827d

  • SHA256

    764d8565eeac3cb947a8809835a02f46c71c8a257c3c511635283e51a2513617

  • SHA512

    ab4f03abb95e2e77c21033c935c14177441d61fc4f38ab3eb0225a25f11ba23ecd8b44f7450612802eef3d664ab08c51bd1daa55637b55f507eabe54a1e5f955

  • SSDEEP

    1536:8QTIubHR5wQgAl3YxgUdqiUA6lpW/TvEd/cjEpcuy3Ua0:1Pw/dgU1x6l0Lsco83c

Score
10/10

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.tripod.com
  • Port:
    21
  • Username:
    onthelinux
  • Password:
    741852abc

Signatures

  • Detects executables packed with VMProtect. 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\764d8565eeac3cb947a8809835a02f46c71c8a257c3c511635283e51a2513617.exe
    "C:\Users\Admin\AppData\Local\Temp\764d8565eeac3cb947a8809835a02f46c71c8a257c3c511635283e51a2513617.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:4444
    • C:\Program Files (x86)\da742b0c\jusched.exe
      "C:\Program Files (x86)\da742b0c\jusched.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:4816
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4064 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:3396

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\da742b0c\da742b0c

            Filesize

            13B

            MD5

            f253efe302d32ab264a76e0ce65be769

            SHA1

            768685ca582abd0af2fbb57ca37752aa98c9372b

            SHA256

            49dca65f362fee401292ed7ada96f96295eab1e589c52e4e66bf4aedda715fdd

            SHA512

            1990d20b462406bbadb22ba43f1ed9d0db6b250881d4ac89ad8cf6e43ca92b2fd31c3a15be1e6e149e42fdb46e58122c15bc7869a82c9490656c80df69fa77c4

          • C:\Program Files (x86)\da742b0c\jusched.exe

            Filesize

            93KB

            MD5

            15143b9587945079a54e4c75d5f7e0f7

            SHA1

            b258c71cfcbfb625faacfed7452c56a5e3213ebb

            SHA256

            40f12bf35f69c1871790a744daf38b124c10aa767dca15d531c9b5272ff879b8

            SHA512

            cc4e261055ffd27ae51fe15ec5d18ac1fe622f907a741cd834dc4ae7b024dae7efc4b8cb496b00ef5dcb191e344b6004f3832c8e2f6f5f9f975867868be196fd

          • memory/4444-0-0x0000000000400000-0x000000000042C000-memory.dmp

            Filesize

            176KB

          • memory/4444-11-0x0000000000400000-0x000000000042C000-memory.dmp

            Filesize

            176KB

          • memory/4816-10-0x0000000000400000-0x000000000042C000-memory.dmp

            Filesize

            176KB