cb2da95f12635030c237ae01fc61de2283693b82b348f5d099f5d5508604a7d4

Analysis

max time kernel
170s
max time network
182s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30/11/2022, 23:49

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cb2da95f12635030c237ae01fc61de2283693b82b348f5d099f5d5508604a7d4.exe
Size

1.1MB
MD5

a97e986c7cb1677f21c04b94d8bf5ad6
SHA1

8ac497688ab1b3cb9323fcb161af9ffd1d758185
SHA256

cb2da95f12635030c237ae01fc61de2283693b82b348f5d099f5d5508604a7d4
SHA512

68590ef8223776476dd50b870430a1211e71152b9bfe4d5f84bce64ad6950ed7946f69b79c2781395c9cbae02183de678e85ff147a13fd4376c6458832e650fa
SSDEEP

768:O/5inm+cd5rHemPXkqUEphjVuvios1rPr4adL0NqlJMU60+ppQ1TTGfLw:ORsvcdcQjosnvnZ6LQ1Ew

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.tripod.com
Port:
21
Username:
griptoloji
Password:
741852

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2028	jusched.exe

Loads dropped DLL 2 IoCs

pid	Process
1748	cb2da95f12635030c237ae01fc61de2283693b82b348f5d099f5d5508604a7d4.exe
1748	cb2da95f12635030c237ae01fc61de2283693b82b348f5d099f5d5508604a7d4.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Java\jre-09\bin\jusched.exe	cb2da95f12635030c237ae01fc61de2283693b82b348f5d099f5d5508604a7d4.exe
File created	C:\Program Files (x86)\Java\jre-09\bin\UF	cb2da95f12635030c237ae01fc61de2283693b82b348f5d099f5d5508604a7d4.exe
File created	C:\Program Files (x86)\Java\jre-09\bin\jusched.exe	cb2da95f12635030c237ae01fc61de2283693b82b348f5d099f5d5508604a7d4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2028	jusched.exe
2028	jusched.exe
2028	jusched.exe
2028	jusched.exe
2028	jusched.exe
2028	jusched.exe
2028	jusched.exe
2028	jusched.exe
2028	jusched.exe
2028	jusched.exe
2028	jusched.exe
2028	jusched.exe
2028	jusched.exe
2028	jusched.exe
2028	jusched.exe
2028	jusched.exe
2028	jusched.exe
2028	jusched.exe
2028	jusched.exe
2028	jusched.exe
2028	jusched.exe
2028	jusched.exe
2028	jusched.exe
2028	jusched.exe
2028	jusched.exe
2028	jusched.exe
2028	jusched.exe
2028	jusched.exe
2028	jusched.exe
2028	jusched.exe
2028	jusched.exe
2028	jusched.exe
2028	jusched.exe
2028	jusched.exe
2028	jusched.exe
2028	jusched.exe
2028	jusched.exe
2028	jusched.exe
2028	jusched.exe
2028	jusched.exe
2028	jusched.exe
2028	jusched.exe
2028	jusched.exe
2028	jusched.exe
2028	jusched.exe
2028	jusched.exe
2028	jusched.exe
2028	jusched.exe
2028	jusched.exe
2028	jusched.exe
2028	jusched.exe
2028	jusched.exe
2028	jusched.exe
2028	jusched.exe
2028	jusched.exe
2028	jusched.exe
2028	jusched.exe
2028	jusched.exe
2028	jusched.exe
2028	jusched.exe
2028	jusched.exe
2028	jusched.exe
2028	jusched.exe
2028	jusched.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1748 wrote to memory of 2028	1748	cb2da95f12635030c237ae01fc61de2283693b82b348f5d099f5d5508604a7d4.exe	27
PID 1748 wrote to memory of 2028	1748	cb2da95f12635030c237ae01fc61de2283693b82b348f5d099f5d5508604a7d4.exe	27
PID 1748 wrote to memory of 2028	1748	cb2da95f12635030c237ae01fc61de2283693b82b348f5d099f5d5508604a7d4.exe	27
PID 1748 wrote to memory of 2028	1748	cb2da95f12635030c237ae01fc61de2283693b82b348f5d099f5d5508604a7d4.exe	27

C:\Users\Admin\AppData\Local\Temp\cb2da95f12635030c237ae01fc61de2283693b82b348f5d099f5d5508604a7d4.exe
"C:\Users\Admin\AppData\Local\Temp\cb2da95f12635030c237ae01fc61de2283693b82b348f5d099f5d5508604a7d4.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Program Files (x86)\Java\jre-09\bin\jusched.exe
  "C:\Program Files (x86)\Java\jre-09\bin\jusched.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Java\jre-09\bin\jusched.exe

Filesize
1.1MB

MD5
25c6b86cec112878c3afdb5a8882e84a

SHA1
12e2cd4ce0357348c866f14c09a087d238c8add6

SHA256
d368609712b45fb620bab0cc94125c44cc05822a949fcb8cdb17fe218c274c09

SHA512
7b1e1bfa218532545054b83a4e68bbb742f38afe355c678cadbfa32e6520786b553c9ff689f24c554e0d9d794f263651ab7a0fd5a8a2ed9feab8d626fa52e6db

Download Submit
\Program Files (x86)\Java\jre-09\bin\jusched.exe

Filesize
1.1MB

MD5
25c6b86cec112878c3afdb5a8882e84a

SHA1
12e2cd4ce0357348c866f14c09a087d238c8add6

SHA256
d368609712b45fb620bab0cc94125c44cc05822a949fcb8cdb17fe218c274c09

SHA512
7b1e1bfa218532545054b83a4e68bbb742f38afe355c678cadbfa32e6520786b553c9ff689f24c554e0d9d794f263651ab7a0fd5a8a2ed9feab8d626fa52e6db

Download Submit
\Program Files (x86)\Java\jre-09\bin\jusched.exe

Filesize
1.1MB

MD5
25c6b86cec112878c3afdb5a8882e84a

SHA1
12e2cd4ce0357348c866f14c09a087d238c8add6

SHA256
d368609712b45fb620bab0cc94125c44cc05822a949fcb8cdb17fe218c274c09

SHA512
7b1e1bfa218532545054b83a4e68bbb742f38afe355c678cadbfa32e6520786b553c9ff689f24c554e0d9d794f263651ab7a0fd5a8a2ed9feab8d626fa52e6db

Download Submit
memory/1748-54-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1748-55-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/1748-60-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2028-61-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2028-63-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download