Analysis
max time kernel: 149s
max time network: 157s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 03/10/2022, 08:29
Static task: static1
Behavioral task: behavioral1
  Sample: f26217509b502c0d726d54440cd83aadde9481f367410eaa49ceafefae95b6bc.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: f26217509b502c0d726d54440cd83aadde9481f367410eaa49ceafefae95b6bc.exe
  Resource: win10v2004-20220812-en
General
Target: f26217509b502c0d726d54440cd83aadde9481f367410eaa49ceafefae95b6bc.exe
Size: 144KB
MD5: 6ce7ec00f1d0674f6107f4d281f13cd9
SHA1: 5af8a4961b8d398c1038d1caa4ea9430465ab07b
SHA256: f26217509b502c0d726d54440cd83aadde9481f367410eaa49ceafefae95b6bc
SHA512: 9954fcc9b8c3c0d5284284abe81e9310b16533a811ad04725bc1c57096eddb8252581a184a2ac9e117d0eff0b6637c9eac4084f08d494b39d7a28b425ef25214
SSDEEP: 768:j/5inm+cd5rHemPXkqUEphjVuvios1rPr4adL0NqlJMU60+ppQ1TTGfLdB:jRsvcdcQjosnvnZ6LQ1Ef
Malware Config
Extracted
Protocol: ftp
Host: ftp.tripod.com
Port: 21
Username: griptoloji
Password: 741852
Signatures
Executes dropped EXE (1 IoC)
  pid 1048, process jusched.exe
Loads dropped DLL (2 IoCs)
  pid 1916, process f26217509b502c0d726d54440cd83aadde9481f367410eaa49ceafefae95b6bc.exe (2 identical entries)
Drops file in Program Files directory (3 IoCs)
  File created: C:\Program Files (x86)\Java\jre-09\bin\jusched.exe, by f26217509b502c0d726d54440cd83aadde9481f367410eaa49ceafefae95b6bc.exe
  File opened for modification: C:\Program Files (x86)\Java\jre-09\bin\jusched.exe, by f26217509b502c0d726d54440cd83aadde9481f367410eaa49ceafefae95b6bc.exe
  File created: C:\Program Files (x86)\Java\jre-09\bin\UF, by f26217509b502c0d726d54440cd83aadde9481f367410eaa49ceafefae95b6bc.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 1048, process jusched.exe (64 identical entries)
Suspicious use of WriteProcessMemory (4 IoCs)
  PID 1916 (f26217509b502c0d726d54440cd83aadde9481f367410eaa49ceafefae95b6bc.exe) wrote to memory of PID 1048, procid_target 27 (4 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\f26217509b502c0d726d54440cd83aadde9481f367410eaa49ceafefae95b6bc.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\f26217509b502c0d726d54440cd83aadde9481f367410eaa49ceafefae95b6bc.exe"
   PID: 1916
   - Loads dropped DLL
   - Drops file in Program Files directory
   - Suspicious use of WriteProcessMemory
   2. C:\Program Files (x86)\Java\jre-09\bin\jusched.exe (child of PID 1916)
      Command line: "C:\Program Files (x86)\Java\jre-09\bin\jusched.exe"
      PID: 1048
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 144KB
MD5: e90266a3b833bb05bb3fec149d422682
SHA1: df1fbcb58b6a9f24d6684f0a17455dbdd03b0504
SHA256: bc77fd3611b7ef09ab421708628fff3b22990b3770f67a4e0228e0bf70420494
SHA512: d983ec9ed3f9fe8887aff61b3401c75e6e37e8c9b8a10a3299073d81523de5f44ffccda64cef35c8f6c93f2b9b8b1a9928a8c73b88994c0402fe84cd4fd53829