Overview

overview

10

Static

static

10

c0d798a0fa...ef.exe

windows7-x64

10

c0d798a0fa...ef.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-03-2024 02:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c0d798a0fa325d1373269a5bf069e04801738fdcb689fc068669617b62d4bbef.exe

  • Size

    96KB

  • MD5

    48b5d8ebc7103fb747d67b2a35d2bd6b

  • SHA1

    2d9ea045643a8a3be512625b93b26bd4728f708b

  • SHA256

    c0d798a0fa325d1373269a5bf069e04801738fdcb689fc068669617b62d4bbef

  • SHA512

    6b7b743da13306dae5005fab5233edc0f82f7c25240af802a31074c1c937fd3493ad5f7f835b21618d43b81421a2408478432474f5fe9ae7a92d4c520856758a

  • SSDEEP

    768:3/5inm+cd5rHemPXkqUEphjVuvios1rPr4adL0NqlJi+vBU6u7DPQ1TTGfGYc+p/:3RsvcdcQjosnvng6uQ1Jk

Score
10/10

Malware Config

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    ftp.tripod.com
  • Port:
    21
  • Username:
    griptoloji
  • Password:
    741852

Signatures

  • Detects executables built or packed with MPress PE compressor 4 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c0d798a0fa325d1373269a5bf069e04801738fdcb689fc068669617b62d4bbef.exe
    "C:\Users\Admin\AppData\Local\Temp\c0d798a0fa325d1373269a5bf069e04801738fdcb689fc068669617b62d4bbef.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:940
    • C:\Program Files (x86)\Java\jre-09\bin\jusched.exe
      "C:\Program Files (x86)\Java\jre-09\bin\jusched.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:4692

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Java\jre-09\bin\jusched.exe
    Filesize

    96KB

    MD5

    8b14a9957dd510c14a2814fd3a84c60e

    SHA1

    ad819c40431fab8ecb893f7370318292095f134c

    SHA256

    e4694e1ff15549538344568f686c65ae50dcb5a67d1bb434b9185f480c3c1f13

    SHA512

    82f514c6a8e48020bb8f3474d396578c003980a76d5cccd4efe4f8ddd52b43a6a0ee2ca0541656ec76719e7d3adde1f015b1f2652f032772ee515472e320975f

    Download Submit

  • memory/940-0-0x0000000000400000-0x0000000000474000-memory.dmp

    Filesize

    464KB

    Download

  • memory/940-11-0x0000000000400000-0x0000000000474000-memory.dmp

    Filesize

    464KB

    Download

  • memory/4692-12-0x0000000000400000-0x0000000000474000-memory.dmp

    Filesize

    464KB

    Download