60a828dce91a199f720ab96f365be16e704b381eb535985923b2248a800ba0f0

Analysis

max time kernel
126s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09-04-2024 19:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7e914b106544ee25bf3969c31156716b.exe
Size

196KB
MD5

7e914b106544ee25bf3969c31156716b
SHA1

6975e0e86bfe68e43363501e63b0236b7582f799
SHA256

60a828dce91a199f720ab96f365be16e704b381eb535985923b2248a800ba0f0
SHA512

ef4e491b23fe85e01a199419c30df35ef2cb6d05e03b300f0ded7b5ffe7d3bf0a0746ef9face10c9382950e675c3d90bb7cc6cdb143c0b0c7e8d9ba6ec946fd6
SSDEEP

1536:sfVLuTnlTTy9uEGe9t2oKLjWlCu8i9pUJANjUSqoWZQnem:sfVLWlTTbEGe9AJKlCvIUuqoWqnb

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.tripod.com
Port:
21
Username:
onthelinux
Password:
741852abc

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2940	jusched.exe

Loads dropped DLL 2 IoCs

pid	Process
2320	7e914b106544ee25bf3969c31156716b.exe
2320	7e914b106544ee25bf3969c31156716b.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\a530a18e\jusched.exe	7e914b106544ee25bf3969c31156716b.exe
File created	C:\Program Files (x86)\a530a18e\a530a18e	7e914b106544ee25bf3969c31156716b.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Update23.job	7e914b106544ee25bf3969c31156716b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 2940	2320	7e914b106544ee25bf3969c31156716b.exe	28
PID 2320 wrote to memory of 2940	2320	7e914b106544ee25bf3969c31156716b.exe	28
PID 2320 wrote to memory of 2940	2320	7e914b106544ee25bf3969c31156716b.exe	28
PID 2320 wrote to memory of 2940	2320	7e914b106544ee25bf3969c31156716b.exe	28

C:\Users\Admin\AppData\Local\Temp\7e914b106544ee25bf3969c31156716b.exe
"C:\Users\Admin\AppData\Local\Temp\7e914b106544ee25bf3969c31156716b.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Program Files (x86)\a530a18e\jusched.exe
  "C:\Program Files (x86)\a530a18e\jusched.exe"
  2⤵
  - Executes dropped EXE
  PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\a530a18e\a530a18e

Filesize
17B

MD5
713de2425165c8df1702f4fa73675b7c

SHA1
8776000c93a63c318fd1dc5765010ced1568ffa7

SHA256
27969b723db5b2dd9c284c3351d884a535a92e6dadc44a425054fa76626a2343

SHA512
9b5327edc09bca4846029bda05502e34711ee843fbeccf3328253fcd2f1b399601eb613350c49e1d06098831d7b3dc8f5b2e1d1651b44e070ba70c8fedf6cf44

Download Submit
\Program Files (x86)\a530a18e\jusched.exe

Filesize
196KB

MD5
6ad0610d1f622842d63b3dd068582ca1

SHA1
db61acd16c5cef0a509ad8e8bf85c3c2960addd0

SHA256
fe41a44e4c2dba4379b6ef3e0ce62adb1cc50cf1e00444d63bde70faea92353a

SHA512
1968516644e990adc86577458da66e14699b28bffb167fba5302daa3f8385da71578186d8717a83802475026d35398c20569278284f7fbb2036251468ce556a9

Download Submit
memory/2320-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2320-12-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2320-13-0x0000000002830000-0x0000000002870000-memory.dmp

Filesize
256KB

Download
memory/2940-14-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download