Overview

overview

10

Static

static

3

18e5b02e18...5N.exe

windows7-x64

10

18e5b02e18...5N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    119s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-10-2024 08:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    18e5b02e188d3b4d72a5808bd8055410ff26601aa4953ae4cbd9c482d33a1495N.exe

  • Size

    244KB

  • MD5

    7772dd776f6f1dd6c4606d22a3a81170

  • SHA1

    872d64d114b9c32d17b707ac6babd9af58602a45

  • SHA256

    18e5b02e188d3b4d72a5808bd8055410ff26601aa4953ae4cbd9c482d33a1495

  • SHA512

    fb39bfa63761bcc3231e51f0174d3ab4912ae326463f6071d8438035ab41cafde3b697ae803ffa67bd3fb56fa985c325cd10511d02aec9e7bd33e6213cf5483e

  • SSDEEP

    1536:dvVte+7YkayZ+OttmxKLjWlSA8Zp5JAJjkrSHoW8MHCCSdCes+N9:dvVteka8+OtAcKlSRz5YHoWlHICt49

Score
10/10
discovery

Malware Config

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    ftp.byethost12.com
  • Port:
    21
  • Username:
    b12_8082975
  • Password:
    951753zx

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\18e5b02e188d3b4d72a5808bd8055410ff26601aa4953ae4cbd9c482d33a1495N.exe
    "C:\Users\Admin\AppData\Local\Temp\18e5b02e188d3b4d72a5808bd8055410ff26601aa4953ae4cbd9c482d33a1495N.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2528
    • C:\Program Files (x86)\cb6d78de\jusched.exe
      "C:\Program Files (x86)\cb6d78de\jusched.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:3516

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\cb6d78de\cb6d78de
    Filesize

    17B

    MD5

    209aa6c14d66621f3aa1cee03a8bf5dc

    SHA1

    0f5bce2a29d3306586934b6d846a172078ee8e66

    SHA256

    57ef9e3c809cf3ca41782d4c7119c3ae7e43ccbb1c00d978b745677f14b82c2e

    SHA512

    8b9fb2bcc8e8785a48d3fe212f852c2f108ef2ab20e9e2a61e9bba5857002abe9111e42411bfc573e50c126031b7ef0433bddfa357de2ca0814f7d31157b9c63

    Download Submit

  • C:\Program Files (x86)\cb6d78de\jusched.exe
    Filesize

    244KB

    MD5

    11d165b370cdca387486988325bc2f8d

    SHA1

    520c776cc8a6dda7523f5f5c9c60c1329e19aaab

    SHA256

    7e1536a0f635be3872e5194b1527b065136075fa0101f0158219f78de677ab57

    SHA512

    5c5cf6563958efc30c98907c80de6b41cd64c9513c169be33538325ce88e68cfe0bda1c1fbf1d8de54e7863b9f1ba908579b9a6838995a81304e4c8de1628d29

    Download Submit

  • memory/2528-0-0x0000000000400000-0x000000000047E000-memory.dmp

    Filesize

    504KB

    Download

  • memory/2528-15-0x0000000000400000-0x000000000047E000-memory.dmp

    Filesize

    504KB

    Download

  • memory/3516-13-0x0000000000400000-0x000000000047E000-memory.dmp

    Filesize

    504KB

    Download

  • memory/3516-17-0x0000000000400000-0x000000000047E000-memory.dmp

    Filesize

    504KB

    Download