Analysis
max time kernel: 150s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/12/2022, 18:34
Static task: static1
Behavioral task: behavioral1
  Sample: b8aa601a8170430b2aa72e1cf172041089a673972ec16a2ea4c43168ececdaf6.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: b8aa601a8170430b2aa72e1cf172041089a673972ec16a2ea4c43168ececdaf6.exe
  Resource: win10v2004-20220901-en
General
Target: b8aa601a8170430b2aa72e1cf172041089a673972ec16a2ea4c43168ececdaf6.exe
Size: 64KB
MD5: edf92f3f42d6cb634254b384c8c214de
SHA1: 18d42a714fa8a1fd2178e762ea8f5a02a4ec88f2
SHA256: b8aa601a8170430b2aa72e1cf172041089a673972ec16a2ea4c43168ececdaf6
SHA512: 263af274f7133527bf2f44d786851a827c3d3091a76cd8310fde9d559fe1bc22eab870cfdf9ecef0b3644f8639d1912fc8374dc82a30e4a0d24a8e2463eaa6e6
SSDEEP: 768:6/5inm+cd5rHemPXkqUEphjVuvios1rPr4adL0NqlJMU60+ppQ1TTGfLh:6RsvcdcQjosnvnZ6LQ1Eh
Malware Config
Extracted
Protocol: ftp
Host: ftp.tripod.com
Port: 21
Username: griptoloji
Password: 741852
Signatures
Executes dropped EXE (1 IoC)
  pid 4656, process jusched.exe
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation (process: b8aa601a8170430b2aa72e1cf172041089a673972ec16a2ea4c43168ececdaf6.exe)
Drops file in Program Files directory (3 IoCs)
  File created: C:\Program Files (x86)\Java\jre-09\bin\jusched.exe (process: b8aa601a8170430b2aa72e1cf172041089a673972ec16a2ea4c43168ececdaf6.exe)
  File opened for modification: C:\Program Files (x86)\Java\jre-09\bin\jusched.exe (process: b8aa601a8170430b2aa72e1cf172041089a673972ec16a2ea4c43168ececdaf6.exe)
  File created: C:\Program Files (x86)\Java\jre-09\bin\UF (process: b8aa601a8170430b2aa72e1cf172041089a673972ec16a2ea4c43168ececdaf6.exe)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 4656, process jusched.exe (the same entry is reported 64 times)
Suspicious use of WriteProcessMemory (3 IoCs)
  PID 4316 wrote to memory of 4656 (pid 4316, process b8aa601a8170430b2aa72e1cf172041089a673972ec16a2ea4c43168ececdaf6.exe, procid_target 82)
  PID 4316 wrote to memory of 4656 (pid 4316, process b8aa601a8170430b2aa72e1cf172041089a673972ec16a2ea4c43168ececdaf6.exe, procid_target 82)
  PID 4316 wrote to memory of 4656 (pid 4316, process b8aa601a8170430b2aa72e1cf172041089a673972ec16a2ea4c43168ececdaf6.exe, procid_target 82)
Processes
C:\Users\Admin\AppData\Local\Temp\b8aa601a8170430b2aa72e1cf172041089a673972ec16a2ea4c43168ececdaf6.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b8aa601a8170430b2aa72e1cf172041089a673972ec16a2ea4c43168ececdaf6.exe"
  PID: 4316
  - Checks computer location settings
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  Child process:
    C:\Program Files (x86)\Java\jre-09\bin\jusched.exe
      Command line: "C:\Program Files (x86)\Java\jre-09\bin\jusched.exe"
      PID: 4656
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 64KB
MD5: b9c3e9438dc3159882ced6f06fc6adc4
SHA1: a1d7140368b2733cf368ce1b743e8df369fca51c
SHA256: adf9f680fc2664d1adde8d260350ee50fa8c8c4c2e76fe18a42f2352b2051bb6
SHA512: cc809565833ae7a24d8025d2df03454bffa0fc92bcbdb5fa5c9bda5a1d5f979ab326e35e47b097741b6bb43c74fa9e38711f36a2a42a023a1b778943c654c500