3604a4e5d8d1eaae0a16f2120edd13ebf9c62153264bffb0d50d249306b29ff9

General

Target

9ca94bcf9448384b4c6b3f4126fe80b0N.exe
Size

41KB
MD5

9ca94bcf9448384b4c6b3f4126fe80b0
SHA1

34c68bdb2a594607a94e878976a99451971e9d93
SHA256

3604a4e5d8d1eaae0a16f2120edd13ebf9c62153264bffb0d50d249306b29ff9
SHA512

27d886d07b63ad99e93a61557e12bd8bdcee44324eec00d33a389f65cb02b78679a6262eeb6d3b6762d29d21ef388bf3c527ff509018f4e3d282d3c302e055be
SSDEEP

768:MQRN7awRcu5mkU6Ev0v6WiXwkFG+lPETDnbcuyD7Ua/vy8X:1hawRcu5mkU6Ecv6kkFGkETDnouy8a/r

Score

10^/10

discovery upx

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.alizametal.com.tr
Port:
21
Username:
alizametal.com.tr
Password:
hd611

Extracted

Credentials

Protocol: ftp
Host:
ftp.yesimcopy.com
Port:
21
Username:
yesimcopy1
Password:
825cyf

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2748	jusched.exe

Loads dropped DLL 2 IoCs

pid	Process
3068	9ca94bcf9448384b4c6b3f4126fe80b0N.exe
3068	9ca94bcf9448384b4c6b3f4126fe80b0N.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3068-0-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/3068-8-0x0000000002940000-0x0000000002986000-memory.dmp	upx
behavioral1/files/0x0028000000016d0a-6.dat	upx
behavioral1/memory/3068-15-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/2748-17-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/2748-23-0x0000000000400000-0x0000000000446000-memory.dmp	upx
behavioral1/memory/2748-24-0x0000000000400000-0x0000000000446000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\7dd61d0c\jusched.exe	9ca94bcf9448384b4c6b3f4126fe80b0N.exe
File created	C:\Program Files (x86)\7dd61d0c\7dd61d0c	9ca94bcf9448384b4c6b3f4126fe80b0N.exe
File created	C:\Program Files (x86)\7dd61d0c\info_a	9ca94bcf9448384b4c6b3f4126fe80b0N.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\2tdU3eap.job	9ca94bcf9448384b4c6b3f4126fe80b0N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9ca94bcf9448384b4c6b3f4126fe80b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jusched.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 2748	3068	9ca94bcf9448384b4c6b3f4126fe80b0N.exe	30
PID 3068 wrote to memory of 2748	3068	9ca94bcf9448384b4c6b3f4126fe80b0N.exe	30
PID 3068 wrote to memory of 2748	3068	9ca94bcf9448384b4c6b3f4126fe80b0N.exe	30
PID 3068 wrote to memory of 2748	3068	9ca94bcf9448384b4c6b3f4126fe80b0N.exe	30

C:\Users\Admin\AppData\Local\Temp\9ca94bcf9448384b4c6b3f4126fe80b0N.exe
"C:\Users\Admin\AppData\Local\Temp\9ca94bcf9448384b4c6b3f4126fe80b0N.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Program Files (x86)\7dd61d0c\jusched.exe
  "C:\Program Files (x86)\7dd61d0c\jusched.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\7dd61d0c\7dd61d0c

Filesize
17B

MD5
851925597482c48d6ebc2c8fc488ba8a

SHA1
26ea8d3f312e7a5fedb60239fb1efae58142defe

SHA256
8eeb055ee8dad09fb5f9251505c4098fe347194a30dcc04a72017ad483a6e03d

SHA512
606e8a4395a52e10a7f90255feb7d3dd445d3df9d49060862c5ede348036afbc6d97c474915cba6a51035a9a7dfb023839da87db92afd3b219758e1d5838bbcc

Download Submit
C:\Program Files (x86)\7dd61d0c\info_a

Filesize
12B

MD5
68c9e8b378e7c23f52bab32585c0d47c

SHA1
bfa98e7c80f0f352a2641d8413c5df3d0a722698

SHA256
69d84872dc8454335ade5dd9e41a33442dbb9a5703498fd5b6ecf174d3a8d1a8

SHA512
dd564a5ef524191b3127de61a7203c98de71f13efc075fe0bf693a144f394da07b006b23b93f5e3ee5377c996b5ab976c36ec3199ff8da25f16b062438fa0ffa

Download Submit
\Program Files (x86)\7dd61d0c\jusched.exe

Filesize
41KB

MD5
86c021f66a80956172fb6ac7e7894e7e

SHA1
d653e1368cad4df96aa9571e68326256a26755bd

SHA256
c7c35bf60f2e726a7a81c7f2220c62eb8911ccc998214f6460bf272f917d850c

SHA512
77c91e735efd662e1eabc2abc21b07023ffadff833781c0e65fc8af3fd84f11227fdb2164b762df95536520f7b10e5ff06052f9aefa4fc5e791b65bf40417cda

Download Submit
memory/2748-17-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2748-23-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2748-24-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3068-0-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/3068-8-0x0000000002940000-0x0000000002986000-memory.dmp

Filesize
280KB

Download
memory/3068-15-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads