Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05/12/2022, 18:34

General

  • Target

    b8aa601a8170430b2aa72e1cf172041089a673972ec16a2ea4c43168ececdaf6.exe

  • Size

    64KB

  • MD5

    edf92f3f42d6cb634254b384c8c214de

  • SHA1

    18d42a714fa8a1fd2178e762ea8f5a02a4ec88f2

  • SHA256

    b8aa601a8170430b2aa72e1cf172041089a673972ec16a2ea4c43168ececdaf6

  • SHA512

    263af274f7133527bf2f44d786851a827c3d3091a76cd8310fde9d559fe1bc22eab870cfdf9ecef0b3644f8639d1912fc8374dc82a30e4a0d24a8e2463eaa6e6

  • SSDEEP

    768:6/5inm+cd5rHemPXkqUEphjVuvios1rPr4adL0NqlJMU60+ppQ1TTGfLh:6RsvcdcQjosnvnZ6LQ1Eh

Score
10/10

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.tripod.com
  • Port:
    21
  • Username:
    griptoloji
  • Password:
    741852

Signatures

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b8aa601a8170430b2aa72e1cf172041089a673972ec16a2ea4c43168ececdaf6.exe
    "C:\Users\Admin\AppData\Local\Temp\b8aa601a8170430b2aa72e1cf172041089a673972ec16a2ea4c43168ececdaf6.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:4316
    • C:\Program Files (x86)\Java\jre-09\bin\jusched.exe
      "C:\Program Files (x86)\Java\jre-09\bin\jusched.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:4656

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Program Files (x86)\Java\jre-09\bin\jusched.exe

    Filesize

    64KB

    MD5

    b9c3e9438dc3159882ced6f06fc6adc4

    SHA1

    a1d7140368b2733cf368ce1b743e8df369fca51c

    SHA256

    adf9f680fc2664d1adde8d260350ee50fa8c8c4c2e76fe18a42f2352b2051bb6

    SHA512

    cc809565833ae7a24d8025d2df03454bffa0fc92bcbdb5fa5c9bda5a1d5f979ab326e35e47b097741b6bb43c74fa9e38711f36a2a42a023a1b778943c654c500

  • memory/4316-132-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/4316-136-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/4656-137-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/4656-138-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB