Overview

overview

10

Static

static

3

dfd9c5513c...0N.exe

windows7-x64

10

dfd9c5513c...0N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    103s
  • max time network
    119s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-09-2024 02:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dfd9c5513c1c04555d274b8e27ca42d0N.exe

  • Size

    306KB

  • MD5

    dfd9c5513c1c04555d274b8e27ca42d0

  • SHA1

    1bc606e4212f80b8f802c2cb1bc276ddc32e9075

  • SHA256

    8d6ef83c290e549c32ba59da65bcc8f4e10de20189854008f325987ae9f7b461

  • SHA512

    1f51afef4b7e1fc7078a9101ef0ac09056c4314037777de68eb2e04396f643aa0f80978ae49b470a0159d8668e306f761bbb2d10cbbac1142079259849e22004

  • SSDEEP

    3072:tVHgCc4xGvbwcU9KQ2BBAHmaPxvVo4b5E/g:QCc4xGxWKQ2BonxIg

Score
10/10
discovery

Malware Config

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    ftp.tripod.com
  • Port:
    21
  • Username:
    onthelinux
  • Password:
    741852abc

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dfd9c5513c1c04555d274b8e27ca42d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\dfd9c5513c1c04555d274b8e27ca42d0N.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1256
    • C:\Program Files (x86)\773a5857\jusched.exe
      "C:\Program Files (x86)\773a5857\jusched.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4828

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\773a5857\773a5857
    Filesize

    17B

    MD5

    134c1d489094d6d3399f65b0e9aebc1f

    SHA1

    612a57fbe6ed3ab9c15b39451171d813314a28d5

    SHA256

    54f9150d1268f7b4b83dd9fc3ec32274bf749715a5806ff3ca5262f5427d6781

    SHA512

    b09bf60e4850d05261d81a124a647dd111f42480224eae8a3bd2f64736c38119953703f868ad34194a7ae6dad6aabff4081ba73df262bbe9f5327867c56a48ed

    Download Submit

  • C:\Program Files (x86)\773a5857\jusched.exe
    Filesize

    306KB

    MD5

    b09b71b387243d7b6ad73057609ff114

    SHA1

    7feba822cc3a3155cf98d32621449982d772e4bd

    SHA256

    508ff9c3218aca96795d18e5bd2a94b2b5f56c41392cd8b682ab67cebc418d3f

    SHA512

    255e8c409893129e38e86cee1278c38760a0a09297992ce3f59e2f34c82ed763bd0be8fc0e6c9fbba959e9e2b3938058360ac13865b3dd896c89911e5c1a2d71

    Download Submit

  • memory/1256-0-0x0000000000400000-0x000000000045E000-memory.dmp

    Filesize

    376KB

    Download

  • memory/1256-15-0x0000000000400000-0x000000000045E000-memory.dmp

    Filesize

    376KB

    Download

  • memory/4828-14-0x0000000000400000-0x000000000045E000-memory.dmp

    Filesize

    376KB

    Download

  • memory/4828-16-0x0000000000400000-0x000000000045E000-memory.dmp

    Filesize

    376KB

    Download