f2207b746d6f3a6b86cea6da1664b0e42a242fa533ad763e58a9796b0c5a1c63

General

Target

f2207b746d6f3a6b86cea6da1664b0e42a242fa533ad763e58a9796b0c5a1c63.exe
Size

204KB
MD5

add03bc49b99d11338613001c707e422
SHA1

ddf346beed47b821cc6f05f71c8144204d9b35c6
SHA256

f2207b746d6f3a6b86cea6da1664b0e42a242fa533ad763e58a9796b0c5a1c63
SHA512

f4d19d8d13f8cf9e3c53630434d8693090a9dded497f3129f0c6f20a6cbe474d289fa3de383680c3cd57ccbdea1d13f08507f17b06598cd99d6f2ef1e9c86d87
SSDEEP

1536:BSHcWgnQs8VMNvY3vy3QpTha55R8Vh2oLq4:B0cIs8mNvY63Qhha55doLq4

Score

10^/10

discovery

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.alizametal.com.tr
Port:
21
Username:
alizametal.com.tr
Password:
hd611

Extracted

Credentials

Protocol: ftp
Host:
ftp.yesimcopy.com
Port:
21
Username:
yesimcopy1
Password:
825cyf

Signatures

Executes dropped EXE 1 IoCs

Processes:

jusched.exe

pid	Process
2880	jusched.exe

Loads dropped DLL 2 IoCs

Processes:

f2207b746d6f3a6b86cea6da1664b0e42a242fa533ad763e58a9796b0c5a1c63.exe

pid	Process
2024	f2207b746d6f3a6b86cea6da1664b0e42a242fa533ad763e58a9796b0c5a1c63.exe
2024	f2207b746d6f3a6b86cea6da1664b0e42a242fa533ad763e58a9796b0c5a1c63.exe

Drops file in Program Files directory 3 IoCs

Processes:

f2207b746d6f3a6b86cea6da1664b0e42a242fa533ad763e58a9796b0c5a1c63.exe

description	ioc	Process
File created	C:\Program Files (x86)\29abcfaa\jusched.exe	f2207b746d6f3a6b86cea6da1664b0e42a242fa533ad763e58a9796b0c5a1c63.exe
File created	C:\Program Files (x86)\29abcfaa\29abcfaa	f2207b746d6f3a6b86cea6da1664b0e42a242fa533ad763e58a9796b0c5a1c63.exe
File created	C:\Program Files (x86)\29abcfaa\info_a	f2207b746d6f3a6b86cea6da1664b0e42a242fa533ad763e58a9796b0c5a1c63.exe

Drops file in Windows directory 1 IoCs

Processes:

f2207b746d6f3a6b86cea6da1664b0e42a242fa533ad763e58a9796b0c5a1c63.exe

description	ioc	Process
File created	C:\Windows\Tasks\2tdU3eap.job	f2207b746d6f3a6b86cea6da1664b0e42a242fa533ad763e58a9796b0c5a1c63.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

f2207b746d6f3a6b86cea6da1664b0e42a242fa533ad763e58a9796b0c5a1c63.exejusched.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f2207b746d6f3a6b86cea6da1664b0e42a242fa533ad763e58a9796b0c5a1c63.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jusched.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

f2207b746d6f3a6b86cea6da1664b0e42a242fa533ad763e58a9796b0c5a1c63.exe

description	pid	Process	procid_target
PID 2024 wrote to memory of 2880	2024	f2207b746d6f3a6b86cea6da1664b0e42a242fa533ad763e58a9796b0c5a1c63.exe	31
PID 2024 wrote to memory of 2880	2024	f2207b746d6f3a6b86cea6da1664b0e42a242fa533ad763e58a9796b0c5a1c63.exe	31
PID 2024 wrote to memory of 2880	2024	f2207b746d6f3a6b86cea6da1664b0e42a242fa533ad763e58a9796b0c5a1c63.exe	31
PID 2024 wrote to memory of 2880	2024	f2207b746d6f3a6b86cea6da1664b0e42a242fa533ad763e58a9796b0c5a1c63.exe	31

C:\Users\Admin\AppData\Local\Temp\f2207b746d6f3a6b86cea6da1664b0e42a242fa533ad763e58a9796b0c5a1c63.exe
"C:\Users\Admin\AppData\Local\Temp\f2207b746d6f3a6b86cea6da1664b0e42a242fa533ad763e58a9796b0c5a1c63.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2024
- C:\Program Files (x86)\29abcfaa\jusched.exe
  "C:\Program Files (x86)\29abcfaa\jusched.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\29abcfaa\29abcfaa

Filesize
17B

MD5
851925597482c48d6ebc2c8fc488ba8a

SHA1
26ea8d3f312e7a5fedb60239fb1efae58142defe

SHA256
8eeb055ee8dad09fb5f9251505c4098fe347194a30dcc04a72017ad483a6e03d

SHA512
606e8a4395a52e10a7f90255feb7d3dd445d3df9d49060862c5ede348036afbc6d97c474915cba6a51035a9a7dfb023839da87db92afd3b219758e1d5838bbcc

Download Submit
C:\Program Files (x86)\29abcfaa\info_a

Filesize
12B

MD5
83340c05ae7cd45b3f12b85c1ce66a54

SHA1
34f43d2e998ae3f8b583fec8eab4bd0ec474d9d2

SHA256
66f41e02a4d67e4044332a31a4ed8e0fefb2c2c9114e4e23929d742fce56089f

SHA512
7c6201d94e3fc00ea156e31081a798017400233e3ccd4673a6029419b31d6beb30903315dd3f9c2d86f54f038db551e2aa1e33dd81e781a57a48a24f91fcf84e

Download Submit
\Program Files (x86)\29abcfaa\jusched.exe

Filesize
204KB

MD5
f08f34205c1e2361856204285b37096f

SHA1
4d358ade33e4f27289450043cd2a5cd6d5f30df9

SHA256
572eb7388b45415ff9be59924a28d75d8ea8d1f08ec14c263a45c87be89bdacc

SHA512
7d4e1ac5ae05e79801291623bd9334a005dad6851e7c0840728fb4e8e1293f0a3a81b866f28ce011451e75bf1621b1870880474511b827116c3a1bb2a6b72359

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads