Analysis
- max time kernel: 151s
- max time network: 157s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19/09/2022, 22:03
Static task
- static1
Behavioral task
- behavioral1: sample 2e9bbf284ccbc74074e8a01169e304a06a76d168a961500289fc0584513176f7.exe, resource win7-20220812-en
Behavioral task
- behavioral2: sample 2e9bbf284ccbc74074e8a01169e304a06a76d168a961500289fc0584513176f7.exe, resource win10v2004-20220901-en
The platform and resource listed under Analysis (windows10-2004_x64, win10v2004-20220901-en) identify the results below as the behavioral2 (Windows 10) run.
General
- Target: 2e9bbf284ccbc74074e8a01169e304a06a76d168a961500289fc0584513176f7.exe
- Size: 35KB
- MD5: a595da27123d990e04d34cd593def9f3
- SHA1: 1e3086e6a00217293d9a767e8a9fa3fcd2c18ce4
- SHA256: 2e9bbf284ccbc74074e8a01169e304a06a76d168a961500289fc0584513176f7
- SHA512: 8f2e4d65e9bc000b858de2564983d2d51f8108181107ef9fbd4108761acb6a3fffdbfa586f7e491c2e57a76c616ca90cfaea636e63af4129af12914601fd137f
- SSDEEP: 768:mzQYScGrIubHuYtvdxwYHw5FAe2QQncwxQM:gQTIubHy5wQQ7
Malware Config
Extracted
- Protocol: ftp
- Host: ftp.tripod.com
- Port: 21
- Username: onthelinux
- Password: 741852abc
These credentials were recovered by static config extraction from the sample, so they are valid indicators regardless of whether this run actually logged in. Hard-coded FTP accounts of this kind typically serve as the sample's upload (exfiltration) or command channel; the host plus username pair is the durable IoC, since the password can be rotated without changing the binary's behaviour.
Signatures
- Executes dropped EXE (1 IoC)
  pid 4184, process jusched.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check. HKCU\Control Panel\International\Geo\Nation holds the user's GeoID; reading it is a common way to skip victims in particular countries.
  Key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation, by 2e9bbf284ccbc74074e8a01169e304a06a76d168a961500289fc0584513176f7.exe
- Drops file in Program Files directory (2 IoCs)
  File created: C:\Program Files (x86)\ac4ccb84\jusched.exe, by 2e9bbf284ccbc74074e8a01169e304a06a76d168a961500289fc0584513176f7.exe
  File created: C:\Program Files (x86)\ac4ccb84\ac4ccb84, by 2e9bbf284ccbc74074e8a01169e304a06a76d168a961500289fc0584513176f7.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Drive enumeration alone does not establish ransomware: installers, worms and stealers do the same, and nothing else in this report (no file encryption, no ransom note) points that way. Treat this signature as context, not as a verdict.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  All 64 hits are from pid 4184, jusched.exe: the dropped binary repeatedly walks the process list during the run.
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 3368 (2e9bbf284ccbc74074e8a01169e304a06a76d168a961500289fc0584513176f7.exe) wrote to the memory of PID 4184 (jusched.exe), procid_target 88, three times.
  A parent writing a few times into the child it has just created is consistent with ordinary process creation; this signature is noisy and does not by itself indicate injection.
Processes
- C:\Users\Admin\AppData\Local\Temp\2e9bbf284ccbc74074e8a01169e304a06a76d168a961500289fc0584513176f7.exe (PID 3368)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2e9bbf284ccbc74074e8a01169e304a06a76d168a961500289fc0584513176f7.exe"
  - Checks computer location settings
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  - Child: C:\Program Files (x86)\ac4ccb84\jusched.exe (PID 4184)
    Command line: "C:\Program Files (x86)\ac4ccb84\jusched.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
jusched.exe is the file name of Oracle's Java Update Scheduler, which normally lives under C:\Program Files (x86)\Common Files\Java\Java Update\. A binary of that name dropped into an eight-hex-character folder directly under Program Files (x86) and launched by an executable in the user's Temp directory is name masquerading, and the path pattern is the most useful hunting pivot in this report.
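The following is an added example, not part of the tria.ge report or of any tria.ge tooling. It turns the Signatures and Processes sections above into hunting logic that can be run over process-creation and file-creation telemetry: it flags a jusched.exe that executes outside the Java Update directory (with extra weight for an eight-hex-character folder under Program Files and for a parent running from the user's Temp directory), and it flags a Temp-resident process that creates files under Program Files. The event record layout, the explorer.exe parent with PID 1234, the benign control entries and the Downloads-folder installer are all constructed for the example; the Java Update paths are the documented install locations of Oracle's scheduler.

```python
"""Hunting logic derived from this report's process tree (added example).

Detects (1) jusched.exe running from anywhere other than Oracle's Java Update
directory (the name is borrowed from the Java Update Scheduler) and (2) a
process running from a user's Temp directory that writes into Program Files.
The event records at the bottom are constructed to mirror PIDs 3368 and 4184
from this report; they are not captured telemetry.
"""
import re
from dataclasses import dataclass
from typing import List

# Documented install locations of Oracle's Java Update Scheduler binary.
LEGIT_JUSCHED_DIRS = (
    r"c:\program files (x86)\common files\java\java update",
    r"c:\program files\common files\java\java update",
)
TEMP_DIR_RE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
PROGRAM_FILES_RE = re.compile(r"^c:\\program files( \(x86\))?\\", re.I)
# The sample used an 8-hex-character folder name (ac4ccb84); treat any such
# folder directly under Program Files as an extra indicator.
RANDOM_DIR_RE = re.compile(r"^c:\\program files( \(x86\))?\\[0-9a-f]{8}\\", re.I)


@dataclass
class ProcessEvent:
    pid: int
    image: str          # full path of the executing image
    parent_pid: int
    parent_image: str   # full path of the parent's image


@dataclass
class FileCreateEvent:
    pid: int
    image: str          # image of the process that created the file
    target: str         # path of the file created


def find_masquerading_jusched(events: List[ProcessEvent]) -> List[dict]:
    """Return one hit per jusched.exe that runs outside its legitimate directory."""
    hits = []
    for ev in events:
        path = ev.image.lower()
        if not path.endswith(r"\jusched.exe"):
            continue
        directory = path.rsplit("\\", 1)[0]
        if directory in LEGIT_JUSCHED_DIRS:
            continue  # genuine Java Update Scheduler
        reasons = ["jusched.exe outside Java Update directory"]
        if RANDOM_DIR_RE.match(path):
            reasons.append("8-hex-char folder directly under Program Files")
        if TEMP_DIR_RE.match(ev.parent_image):
            reasons.append("parent runs from user Temp directory")
        hits.append({"pid": ev.pid, "image": ev.image, "reasons": reasons})
    return hits


def find_temp_to_program_files_drops(events: List[FileCreateEvent]) -> List[dict]:
    """Return file creations under Program Files made by a Temp-resident process."""
    hits = []
    for ev in events:
        if TEMP_DIR_RE.match(ev.image) and PROGRAM_FILES_RE.match(ev.target):
            hits.append({"pid": ev.pid, "image": ev.image, "target": ev.target})
    return hits


# Constructed events mirroring this report (not captured telemetry).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2e9bbf284ccbc74074e8a01169e304a06a76d168a961500289fc0584513176f7.exe"
DROPPED = r"C:\Program Files (x86)\ac4ccb84\jusched.exe"
PROCESS_EVENTS = [
    ProcessEvent(3368, SAMPLE, 1234, r"C:\Windows\explorer.exe"),   # parent PID assumed
    ProcessEvent(4184, DROPPED, 3368, SAMPLE),
    # Benign control: the real Java Update Scheduler must not be flagged.
    ProcessEvent(5000, r"C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe",
                 1234, r"C:\Windows\explorer.exe"),
]
FILE_EVENTS = [
    FileCreateEvent(3368, SAMPLE, DROPPED),
    FileCreateEvent(3368, SAMPLE, r"C:\Program Files (x86)\ac4ccb84\ac4ccb84"),
    # Benign control: an installer run from Downloads, not from Temp.
    FileCreateEvent(6000, r"C:\Users\Admin\Downloads\setup.exe",
                    r"C:\Program Files\Vendor\app.exe"),
]

if __name__ == "__main__":
    for hit in find_masquerading_jusched(PROCESS_EVENTS):
        print("masquerade:", hit)
    for hit in find_temp_to_program_files_drops(FILE_EVENTS):
        print("temp -> Program Files drop:", hit)
```

Run against the constructed events, the first rule fires once (PID 4184, with all three reasons) and the second twice (both files written by PID 3368); the two benign controls stay quiet. On real Sysmon or EDR data the Temp-to-Program-Files rule will also catch legitimate installers that extract to Temp first, so keep it as a scoring input rather than a standalone alert.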
Network
MITRE ATT&CK Enterprise v6
Downloads
- File 1 (13B)
  MD5: f253efe302d32ab264a76e0ce65be769
  SHA1: 768685ca582abd0af2fbb57ca37752aa98c9372b
  SHA256: 49dca65f362fee401292ed7ada96f96295eab1e589c52e4e66bf4aedda715fdd
  SHA512: 1990d20b462406bbadb22ba43f1ed9d0db6b250881d4ac89ad8cf6e43ca92b2fd31c3a15be1e6e149e42fdb46e58122c15bc7869a82c9490656c80df69fa77c4
- File 2 (35KB; the report lists this entry twice with identical hashes)
  MD5: ec8e973568485087ba06bc0fe5b6dc23
  SHA1: a18b0b6a7287f17dd1a0cb3c4a1b022ee0c5d1e5
  SHA256: b75509cad9643bccf6621303f36ba4bf7e7d4016e715220d452f81ed54d45a21
  SHA512: d11bbb36b16cf6ad6713e8023b1e8f7c261b245608f3f2dd40419124c9cb41e7a9e9fdc7619bd1c14eafe8dada465e19fa0c42b3917fb78d0b5ee65415c542f8
The 35KB dropped file has the same size as the submitted sample but a different hash set (SHA256 b75509... versus 2e9bbf...), so jusched.exe is not a byte-identical copy of the sample; hunt on both hash sets. The report does not map these hashes to paths; the 13-byte file is presumably C:\Program Files (x86)\ac4ccb84\ac4ccb84, on the assumption that it is the only small artefact dropped.