98d6c2bc40304ad10035107b40eda16a0c579adea30b8f0dd6fdf7b6c65d68f1

General

Target

98d6c2bc40304ad10035107b40eda16a0c579adea30b8f0dd6fdf7b6c65d68f1.exe
Size

2.4MB
MD5

0bbd09f1d3442b40e60fab8e7ff31b01
SHA1

389990f2f49874a802882627eae5fccb941951f2
SHA256

98d6c2bc40304ad10035107b40eda16a0c579adea30b8f0dd6fdf7b6c65d68f1
SHA512

7fd8fe38acd00d134a3652a3133f7ea10aeba95b20e8eabbc3dc666d7cf2e88c77349871fa41e57fae38d918d37b5b73e60200c1ac19faa9f9fbfe1e67b8e4b8
SSDEEP

49152:pD0iMG1TvFJ6w5tgtQwbkhxKKSOrq4kOskg586PQLq1z:JDFbJ55QQwbAtSOrDfskg9POq1z

Score

10^/10

discovery

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.ueuo.com
Port:
21
Username:
googgle.ueuo.com
Password:
741852

Extracted

Credentials

Protocol: ftp
Host:
ftp.alizametal.com.tr
Port:
21
Username:
alizametal.com.tr
Password:
hd611

Extracted

Credentials

Protocol: ftp
Host:
ftp.yesimcopy.com
Port:
21
Username:
yesimcopy1
Password:
825cyf

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1804	jusched.exe

Loads dropped DLL 2 IoCs

pid	Process
2376	98d6c2bc40304ad10035107b40eda16a0c579adea30b8f0dd6fdf7b6c65d68f1.exe
2376	98d6c2bc40304ad10035107b40eda16a0c579adea30b8f0dd6fdf7b6c65d68f1.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 17 IoCs

pid	Process
2376	98d6c2bc40304ad10035107b40eda16a0c579adea30b8f0dd6fdf7b6c65d68f1.exe
2376	98d6c2bc40304ad10035107b40eda16a0c579adea30b8f0dd6fdf7b6c65d68f1.exe
1804	jusched.exe
1804	jusched.exe
1804	jusched.exe
1804	jusched.exe
1804	jusched.exe
1804	jusched.exe
1804	jusched.exe
1804	jusched.exe
1804	jusched.exe
1804	jusched.exe
1804	jusched.exe
1804	jusched.exe
1804	jusched.exe
1804	jusched.exe
1804	jusched.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\9d443a72\9d443a72	98d6c2bc40304ad10035107b40eda16a0c579adea30b8f0dd6fdf7b6c65d68f1.exe
File created	C:\Program Files (x86)\9d443a72\info_a	98d6c2bc40304ad10035107b40eda16a0c579adea30b8f0dd6fdf7b6c65d68f1.exe
File created	C:\Program Files (x86)\9d443a72\jusched.exe	98d6c2bc40304ad10035107b40eda16a0c579adea30b8f0dd6fdf7b6c65d68f1.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Update23.job	98d6c2bc40304ad10035107b40eda16a0c579adea30b8f0dd6fdf7b6c65d68f1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	98d6c2bc40304ad10035107b40eda16a0c579adea30b8f0dd6fdf7b6c65d68f1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jusched.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2376	98d6c2bc40304ad10035107b40eda16a0c579adea30b8f0dd6fdf7b6c65d68f1.exe
1804	jusched.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 1804	2376	98d6c2bc40304ad10035107b40eda16a0c579adea30b8f0dd6fdf7b6c65d68f1.exe	30
PID 2376 wrote to memory of 1804	2376	98d6c2bc40304ad10035107b40eda16a0c579adea30b8f0dd6fdf7b6c65d68f1.exe	30
PID 2376 wrote to memory of 1804	2376	98d6c2bc40304ad10035107b40eda16a0c579adea30b8f0dd6fdf7b6c65d68f1.exe	30
PID 2376 wrote to memory of 1804	2376	98d6c2bc40304ad10035107b40eda16a0c579adea30b8f0dd6fdf7b6c65d68f1.exe	30

C:\Users\Admin\AppData\Local\Temp\98d6c2bc40304ad10035107b40eda16a0c579adea30b8f0dd6fdf7b6c65d68f1.exe
"C:\Users\Admin\AppData\Local\Temp\98d6c2bc40304ad10035107b40eda16a0c579adea30b8f0dd6fdf7b6c65d68f1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Program Files (x86)\9d443a72\jusched.exe
  "C:\Program Files (x86)\9d443a72\jusched.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\9d443a72\9d443a72

Filesize
17B

MD5
bc13ad0f8d1727f36fde832e28bf44bb

SHA1
258533f23fa6fce5055b1247b9b4cbc8d13233cf

SHA256
aeccd3a7dee3061696d55f53b027aa15e4e8f3d66b970dc353d0532fee21aef6

SHA512
0389aff4333a77fde96a5439f414b9c71e7cd94948d591debf8e53199f5e1683d016803ba292b1382d288239b8df1ac4cfa81ab95899160a2f5a7ffd77553f3f

Download Submit
C:\Program Files (x86)\9d443a72\info_a

Filesize
12B

MD5
60c19f74a3dbc975acebfc3211e772a3

SHA1
9f82a8a65476c889e61f363c2a1ea73ca7ddf761

SHA256
5aba63a08b8057518e097394bc5c1013d4f15988069c8fb588618aa9dddc0f65

SHA512
79ac06a74bcfae2c6f67c9bea16050f3d363678f6841f5f6e968cee48a392d8bdfc48bd4651e5408cb44f0de86b90bf7f93057a4ed46a2fccdec48e81e375f63

Download Submit
\Program Files (x86)\9d443a72\jusched.exe

Filesize
2.4MB

MD5
a3268cb44c35a252d2a45b64c608bd71

SHA1
034b28c3e04b79a42918aaab1abced41b48e4bd7

SHA256
970e75d1de884c50403d4eef3067fe506f2890b5da7ccab001c3aa4a0b8acf1e

SHA512
0d42fb70f14f2a308700e0a98fc879c75cab7a1ab6b77de45210c3ca5f20f2b4e6a6b1f526f76548c55c14f017e911e00fd390778eb47f4640d1e34919a80aac

Download Submit
memory/1804-30-0x0000000000400000-0x0000000000E4B000-memory.dmp

Filesize
10.3MB

Download
memory/1804-26-0x0000000000400000-0x0000000000E4B000-memory.dmp

Filesize
10.3MB

Download
memory/1804-18-0x0000000000400000-0x0000000000E4B000-memory.dmp

Filesize
10.3MB

Download
memory/1804-36-0x0000000000400000-0x0000000000E4B000-memory.dmp

Filesize
10.3MB

Download
memory/1804-35-0x0000000000400000-0x0000000000E4B000-memory.dmp

Filesize
10.3MB

Download
memory/1804-34-0x0000000000400000-0x0000000000E4B000-memory.dmp

Filesize
10.3MB

Download
memory/1804-21-0x0000000000400000-0x0000000000E4B000-memory.dmp

Filesize
10.3MB

Download
memory/1804-23-0x0000000000400000-0x0000000000E4B000-memory.dmp

Filesize
10.3MB

Download
memory/1804-22-0x0000000000400000-0x0000000000E4B000-memory.dmp

Filesize
10.3MB

Download
memory/1804-24-0x0000000000400000-0x0000000000E4B000-memory.dmp

Filesize
10.3MB

Download
memory/1804-25-0x0000000000400000-0x0000000000E4B000-memory.dmp

Filesize
10.3MB

Download
memory/1804-33-0x0000000000400000-0x0000000000E4B000-memory.dmp

Filesize
10.3MB

Download
memory/1804-32-0x0000000000400000-0x0000000000E4B000-memory.dmp

Filesize
10.3MB

Download
memory/1804-28-0x0000000000400000-0x0000000000E4B000-memory.dmp

Filesize
10.3MB

Download
memory/1804-29-0x0000000000400000-0x0000000000E4B000-memory.dmp

Filesize
10.3MB

Download
memory/1804-31-0x0000000000400000-0x0000000000E4B000-memory.dmp

Filesize
10.3MB

Download
memory/2376-0-0x0000000000400000-0x0000000000E4B000-memory.dmp

Filesize
10.3MB

Download
memory/2376-1-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/2376-16-0x0000000004090000-0x0000000004ADB000-memory.dmp

Filesize
10.3MB

Download
memory/2376-14-0x000000007EBD0000-0x000000007EFA1000-memory.dmp

Filesize
3.8MB

Download
memory/2376-13-0x0000000000400000-0x0000000000E4B000-memory.dmp

Filesize
10.3MB

Download
memory/2376-15-0x0000000004090000-0x0000000004ADB000-memory.dmp

Filesize
10.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads