Overview

overview

10

Static

static

3

41fc692d01...c8.exe

windows7-x64

10

41fc692d01...c8.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    111s
  • max time network
    134s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-09-2024 05:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    41fc692d016b8ab749e38364a67897f316072604fac8b476b07ac4d2ca734cc8.exe

  • Size

    358KB

  • MD5

    e7609edb6ab6c4bef841d2375323c6d4

  • SHA1

    b2cda04fe3d6559348c626f58eb491385f177d51

  • SHA256

    41fc692d016b8ab749e38364a67897f316072604fac8b476b07ac4d2ca734cc8

  • SHA512

    5c1c09127f2620d71b3e4222d504103b99289e07bbd2d869943aa35050f2f3fb833421835e7507376b995806c2e38fecb1ad80f26636c06307c4c192ee9e353d

  • SSDEEP

    1536:EXscdri741fT/dQVJnsuv77P1Vg6u8jSZofgzd8MUp:EXpdr1f5QrnssP1Vg6eofgJ2

Score
10/10
discovery

Malware Config

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    ftp.ueuo.com
  • Port:
    21
  • Username:
    googgle.ueuo.com
  • Password:
    741852

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    ftp.alizametal.com.tr
  • Port:
    21
  • Username:
    alizametal.com.tr
  • Password:
    hd611

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\41fc692d016b8ab749e38364a67897f316072604fac8b476b07ac4d2ca734cc8.exe
    "C:\Users\Admin\AppData\Local\Temp\41fc692d016b8ab749e38364a67897f316072604fac8b476b07ac4d2ca734cc8.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4820
    • C:\Program Files (x86)\e149f91e\jusched.exe
      "C:\Program Files (x86)\e149f91e\jusched.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:5032

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\e149f91e\e149f91e
    Filesize

    17B

    MD5

    bc13ad0f8d1727f36fde832e28bf44bb

    SHA1

    258533f23fa6fce5055b1247b9b4cbc8d13233cf

    SHA256

    aeccd3a7dee3061696d55f53b027aa15e4e8f3d66b970dc353d0532fee21aef6

    SHA512

    0389aff4333a77fde96a5439f414b9c71e7cd94948d591debf8e53199f5e1683d016803ba292b1382d288239b8df1ac4cfa81ab95899160a2f5a7ffd77553f3f

    Download Submit

  • C:\Program Files (x86)\e149f91e\info_a
    Filesize

    12B

    MD5

    8ae53daee11debb22cbbc4bbbc7ecafd

    SHA1

    8ade7fb0712f12ff044fd3495d6d21e29c7016ae

    SHA256

    be7fc4868086b98f23c4d4f13024602e30173ea5bb2bb75fa64aaa2b679fe7e4

    SHA512

    fdc6d1ab7cee33ce07dc78354a5322c096320b63db2673a7a8ec4d53381bf70ffe2c05e6f081a03916685f389f4951cb726eb94b3166ffb7283cd85d69725c41

    Download Submit

  • C:\Program Files (x86)\e149f91e\jusched.exe
    Filesize

    358KB

    MD5

    59a8588d9f9065370ddb4858fd1f3a61

    SHA1

    1c1b58894d1a6bb6c34f0f22770288628d7a383e

    SHA256

    97bd7c44f3be9e6362011a52a579c3a58a163785c1feef9f1a3cb6070f69b7fd

    SHA512

    56564e38de88929608ae5d36219609028498f8a82fdb6c76c47e0498d7f6d50f4eca29707a55bcff219be3e11b62c0b1e81a0ae567c3fbc8f7aff4d24e7a29f0

    Download Submit

  • memory/4820-0-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

    Download

  • memory/4820-15-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

    Download

  • memory/5032-14-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

    Download

  • memory/5032-18-0x0000000000400000-0x000000000046B000-memory.dmp

    Filesize

    428KB

    Download