f26217509b502c0d726d54440cd83aadde9481f367410eaa49ceafefae95b6bc

Analysis

max time kernel
149s
max time network
157s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/10/2022, 08:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f26217509b502c0d726d54440cd83aadde9481f367410eaa49ceafefae95b6bc.exe
Size

144KB
MD5

6ce7ec00f1d0674f6107f4d281f13cd9
SHA1

5af8a4961b8d398c1038d1caa4ea9430465ab07b
SHA256

f26217509b502c0d726d54440cd83aadde9481f367410eaa49ceafefae95b6bc
SHA512

9954fcc9b8c3c0d5284284abe81e9310b16533a811ad04725bc1c57096eddb8252581a184a2ac9e117d0eff0b6637c9eac4084f08d494b39d7a28b425ef25214
SSDEEP

768:j/5inm+cd5rHemPXkqUEphjVuvios1rPr4adL0NqlJMU60+ppQ1TTGfLdB:jRsvcdcQjosnvnZ6LQ1Ef

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.tripod.com
Port:
21
Username:
griptoloji
Password:
741852

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1048	jusched.exe

Loads dropped DLL 2 IoCs

pid	Process
1916	f26217509b502c0d726d54440cd83aadde9481f367410eaa49ceafefae95b6bc.exe
1916	f26217509b502c0d726d54440cd83aadde9481f367410eaa49ceafefae95b6bc.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Java\jre-09\bin\jusched.exe	f26217509b502c0d726d54440cd83aadde9481f367410eaa49ceafefae95b6bc.exe
File opened for modification	C:\Program Files (x86)\Java\jre-09\bin\jusched.exe	f26217509b502c0d726d54440cd83aadde9481f367410eaa49ceafefae95b6bc.exe
File created	C:\Program Files (x86)\Java\jre-09\bin\UF	f26217509b502c0d726d54440cd83aadde9481f367410eaa49ceafefae95b6bc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1048	jusched.exe
1048	jusched.exe
1048	jusched.exe
1048	jusched.exe
1048	jusched.exe
1048	jusched.exe
1048	jusched.exe
1048	jusched.exe
1048	jusched.exe
1048	jusched.exe
1048	jusched.exe
1048	jusched.exe
1048	jusched.exe
1048	jusched.exe
1048	jusched.exe
1048	jusched.exe
1048	jusched.exe
1048	jusched.exe
1048	jusched.exe
1048	jusched.exe
1048	jusched.exe
1048	jusched.exe
1048	jusched.exe
1048	jusched.exe
1048	jusched.exe
1048	jusched.exe
1048	jusched.exe
1048	jusched.exe
1048	jusched.exe
1048	jusched.exe
1048	jusched.exe
1048	jusched.exe
1048	jusched.exe
1048	jusched.exe
1048	jusched.exe
1048	jusched.exe
1048	jusched.exe
1048	jusched.exe
1048	jusched.exe
1048	jusched.exe
1048	jusched.exe
1048	jusched.exe
1048	jusched.exe
1048	jusched.exe
1048	jusched.exe
1048	jusched.exe
1048	jusched.exe
1048	jusched.exe
1048	jusched.exe
1048	jusched.exe
1048	jusched.exe
1048	jusched.exe
1048	jusched.exe
1048	jusched.exe
1048	jusched.exe
1048	jusched.exe
1048	jusched.exe
1048	jusched.exe
1048	jusched.exe
1048	jusched.exe
1048	jusched.exe
1048	jusched.exe
1048	jusched.exe
1048	jusched.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 1048	1916	f26217509b502c0d726d54440cd83aadde9481f367410eaa49ceafefae95b6bc.exe	27
PID 1916 wrote to memory of 1048	1916	f26217509b502c0d726d54440cd83aadde9481f367410eaa49ceafefae95b6bc.exe	27
PID 1916 wrote to memory of 1048	1916	f26217509b502c0d726d54440cd83aadde9481f367410eaa49ceafefae95b6bc.exe	27
PID 1916 wrote to memory of 1048	1916	f26217509b502c0d726d54440cd83aadde9481f367410eaa49ceafefae95b6bc.exe	27

C:\Users\Admin\AppData\Local\Temp\f26217509b502c0d726d54440cd83aadde9481f367410eaa49ceafefae95b6bc.exe
"C:\Users\Admin\AppData\Local\Temp\f26217509b502c0d726d54440cd83aadde9481f367410eaa49ceafefae95b6bc.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Program Files (x86)\Java\jre-09\bin\jusched.exe
  "C:\Program Files (x86)\Java\jre-09\bin\jusched.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1048

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Java\jre-09\bin\jusched.exe

Filesize
144KB

MD5
e90266a3b833bb05bb3fec149d422682

SHA1
df1fbcb58b6a9f24d6684f0a17455dbdd03b0504

SHA256
bc77fd3611b7ef09ab421708628fff3b22990b3770f67a4e0228e0bf70420494

SHA512
d983ec9ed3f9fe8887aff61b3401c75e6e37e8c9b8a10a3299073d81523de5f44ffccda64cef35c8f6c93f2b9b8b1a9928a8c73b88994c0402fe84cd4fd53829

Download Submit
\Program Files (x86)\Java\jre-09\bin\jusched.exe

Filesize
144KB

MD5
e90266a3b833bb05bb3fec149d422682

SHA1
df1fbcb58b6a9f24d6684f0a17455dbdd03b0504

SHA256
bc77fd3611b7ef09ab421708628fff3b22990b3770f67a4e0228e0bf70420494

SHA512
d983ec9ed3f9fe8887aff61b3401c75e6e37e8c9b8a10a3299073d81523de5f44ffccda64cef35c8f6c93f2b9b8b1a9928a8c73b88994c0402fe84cd4fd53829

Download Submit
\Program Files (x86)\Java\jre-09\bin\jusched.exe

Filesize
144KB

MD5
e90266a3b833bb05bb3fec149d422682

SHA1
df1fbcb58b6a9f24d6684f0a17455dbdd03b0504

SHA256
bc77fd3611b7ef09ab421708628fff3b22990b3770f67a4e0228e0bf70420494

SHA512
d983ec9ed3f9fe8887aff61b3401c75e6e37e8c9b8a10a3299073d81523de5f44ffccda64cef35c8f6c93f2b9b8b1a9928a8c73b88994c0402fe84cd4fd53829

Download Submit
memory/1048-61-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1048-63-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1916-54-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1916-55-0x0000000075A81000-0x0000000075A83000-memory.dmp

Filesize
8KB

Download
memory/1916-60-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download