e6f92c960d37b8094faa2dba5dfae5c8053727d019fee960f75412f39311e41b

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30/09/2024, 03:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e6f92c960d37b8094faa2dba5dfae5c8053727d019fee960f75412f39311e41b.exe
Size

327KB
MD5

5817244191c939f1c9fffd4ef7727eaa
SHA1

086c07b464feb61639462d8921f282d3a45f29d5
SHA256

e6f92c960d37b8094faa2dba5dfae5c8053727d019fee960f75412f39311e41b
SHA512

0d28fbab562363a3e4a0f5e2205fbff5a61eb3dd07cf7b890861e744ba41c3329814f7e2edb08eb8257ba625619905496f6572b54b0d111f8774729170369b65
SSDEEP

3072:P53mQkJtnP5I09qgmBBAWgjSvwN/ojW5NeboYXN/L3t+kS:NmxJtna2qgmBNgQwbekoN7wn

Score

10^/10

discovery

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.tripod.com
Port:
21
Username:
onthelinux
Password:
741852abc

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3068	jusched.exe

Loads dropped DLL 2 IoCs

pid	Process
2532	e6f92c960d37b8094faa2dba5dfae5c8053727d019fee960f75412f39311e41b.exe
2532	e6f92c960d37b8094faa2dba5dfae5c8053727d019fee960f75412f39311e41b.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\21ed04ae\jusched.exe	e6f92c960d37b8094faa2dba5dfae5c8053727d019fee960f75412f39311e41b.exe
File created	C:\Program Files (x86)\21ed04ae\21ed04ae	e6f92c960d37b8094faa2dba5dfae5c8053727d019fee960f75412f39311e41b.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Update23.job	e6f92c960d37b8094faa2dba5dfae5c8053727d019fee960f75412f39311e41b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e6f92c960d37b8094faa2dba5dfae5c8053727d019fee960f75412f39311e41b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jusched.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 3068	2532	e6f92c960d37b8094faa2dba5dfae5c8053727d019fee960f75412f39311e41b.exe	30
PID 2532 wrote to memory of 3068	2532	e6f92c960d37b8094faa2dba5dfae5c8053727d019fee960f75412f39311e41b.exe	30
PID 2532 wrote to memory of 3068	2532	e6f92c960d37b8094faa2dba5dfae5c8053727d019fee960f75412f39311e41b.exe	30
PID 2532 wrote to memory of 3068	2532	e6f92c960d37b8094faa2dba5dfae5c8053727d019fee960f75412f39311e41b.exe	30

C:\Users\Admin\AppData\Local\Temp\e6f92c960d37b8094faa2dba5dfae5c8053727d019fee960f75412f39311e41b.exe
"C:\Users\Admin\AppData\Local\Temp\e6f92c960d37b8094faa2dba5dfae5c8053727d019fee960f75412f39311e41b.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Program Files (x86)\21ed04ae\jusched.exe
  "C:\Program Files (x86)\21ed04ae\jusched.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\21ed04ae\21ed04ae

Filesize
17B

MD5
4d77d6b250ffb567743b8dbcdad695b8

SHA1
d5a8f98f9433f6d36c74df463cef3e2cf524462d

SHA256
7ec7a3a23890c3592f5b762aecf11adbf8831fad11b8048aedfa7315d599c5f2

SHA512
5655153049101fd67125d484c81f1ad30b44f36f00e3aabfe8d730a21661f4b394357b60da549289def4311b4cc7bd508d8fd6b8db254cd442b2152f8902bd71

Download Submit
\Program Files (x86)\21ed04ae\jusched.exe

Filesize
327KB

MD5
b6c3277ebdbbbd20a740b610bf64b1ba

SHA1
00bce4ca5951e07c9f211bc3304ea3a54d5e12ff

SHA256
ab9a7db043fed652d24c39d866bb6c03568091d476588d8436ef1b005bcfe5e1

SHA512
7f5a8d14662bba1ec743b44dc9304129e2b79a3cb8088fd0772ee59ed13639edd442e307dc1e8bc60155614acd4e98a1a1eb6a426737153ee16f2022a8b15e4d

Download Submit
memory/2532-0-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/2532-7-0x0000000002A60000-0x0000000002AB7000-memory.dmp

Filesize
348KB

Download
memory/2532-12-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3068-14-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3068-16-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download