Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/04/2024, 04:33
Static task: static1
Behavioral task behavioral1
- Sample: f7ff365b9d69717a32a4450c7879de1bd630ef81cd67ca04ee85675a554ffe7d.exe
- Resource: win7-20240221-en
Behavioral task behavioral2
- Sample: f7ff365b9d69717a32a4450c7879de1bd630ef81cd67ca04ee85675a554ffe7d.exe
- Resource: win10v2004-20240226-en
General
- Target: f7ff365b9d69717a32a4450c7879de1bd630ef81cd67ca04ee85675a554ffe7d.exe
- Size: 34KB
- MD5: f6da37246aa95224ea6d393617093e19
- SHA1: b760d39479438372eba98e2801b30c1e9561e18f
- SHA256: f7ff365b9d69717a32a4450c7879de1bd630ef81cd67ca04ee85675a554ffe7d
- SHA512: f547e5686236e3d8006f0be8bd2a9db65e25c63c97cd15fbef47341fb60e3bacf8e51478aa08de0c78aa688f7b231dd32101f4a0fb74553b72474a711b3a05e0
- SSDEEP: 768:9qSqC8+N5ozQQLncwxWmNXMX3cX8wtgg/X/zCtgcgCEX8u/vSXrXrXrXrXrXyHX:9rqfzQQLamN88Fr277777YX
Malware Config
Extracted
- Protocol: ftp
- Host: ftp.tripod.com
- Port: 21
- Username: onthelinux
- Password: 741852abc
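The extracted config gives a plaintext FTP drop box (host, port 21, username, password). Whether the sample actually used those credentials on the wire is a separate question, and FTP answers it cheaply because the control channel is cleartext: USER/PASS appear verbatim, a 230 reply confirms the login worked, 227 replies reveal the data-connection endpoint, and STOR names what was uploaded. The following parser is an added example written for this page, not tria.ge's code; the transcript it runs on is constructed (server banner, TEST-NET-3 data address and filename are made up) to show the session shape, and the "C:"/"S:" line prefixes are an assumed capture format.

```python
import re

# Values the sandbox extracted from the sample (Malware Config above).
EXTRACTED_CONFIG = {"protocol": "ftp", "host": "ftp.tripod.com", "port": 21,
                    "username": "onthelinux", "password": "741852abc"}

# Constructed control-channel transcript: client lines "C:", server lines "S:".
# This is an illustration of what a capture of the session would look like, not
# a real capture; banner, data IP (203.0.113.x is TEST-NET-3) and filename are made up.
TRANSCRIPT = b"""S: 220 FTP server ready
C: USER onthelinux
S: 331 Password required for onthelinux
C: PASS 741852abc
S: 230 User onthelinux logged in
C: TYPE I
S: 200 Type set to I
C: PASV
S: 227 Entering Passive Mode (203,0,113,10,195,80)
C: STOR log.txt
S: 150 Opening BINARY mode data connection for log.txt
S: 226 Transfer complete
C: QUIT
S: 221 Goodbye
"""

# RFC 959 PASV reply: (h1,h2,h3,h4,p1,p2) with port = p1*256 + p2
PASV_RE = re.compile(rb"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_ftp_control(transcript):
    """Recover credentials, login outcome, data endpoints and uploads from a control channel."""
    session = {"user": None, "password": None, "login_ok": False,
               "data_endpoints": [], "uploads": []}
    pending = None  # last client command still waiting for its final reply
    for raw in transcript.splitlines():
        side, _, line = raw.partition(b": ")
        if side == b"C":
            verb, _, arg = line.partition(b" ")
            verb = verb.upper()
            text = arg.decode("utf-8", errors="replace")
            if verb == b"USER":
                session["user"] = text
            elif verb == b"PASS":
                session["password"] = text
            elif verb == b"STOR":
                session["uploads"].append(text)
            pending = verb
        elif side == b"S":
            code = line[:3]
            # Only a 230 in reply to PASS proves the credentials were accepted.
            if pending == b"PASS" and code == b"230":
                session["login_ok"] = True
            m = PASV_RE.match(line)
            if m:
                host = ".".join(g.decode() for g in m.groups()[:4])
                port = int(m.group(5)) * 256 + int(m.group(6))
                session["data_endpoints"].append((host, port))
            # 1xx replies are preliminary; any other code completes the pending command.
            if not code.startswith(b"1"):
                pending = None
    return session


def matches_config(session, config):
    """True when the credentials seen on the wire are the ones the sandbox extracted."""
    return (session["user"] == config["username"]
            and session["password"] == config["password"])


if __name__ == "__main__":
    s = parse_ftp_control(TRANSCRIPT)
    print(s)
    print("credentials match extracted config:", matches_config(s, EXTRACTED_CONFIG))
```

Because the account belongs to the operator, rotating it is not a remediation step; blocking ftp.tripod.com and alerting on any outbound port-21 session carrying these USER/PASS strings is the useful response.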
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation
  Process: f7ff365b9d69717a32a4450c7879de1bd630ef81cd67ca04ee85675a554ffe7d.exe
- Executes dropped EXE (1 IoC)
  PID 3988: jusched.exe
- Drops file in Program Files directory (2 IoCs)
  File created: C:\Program Files (x86)\991ba1db\jusched.exe by f7ff365b9d69717a32a4450c7879de1bd630ef81cd67ca04ee85675a554ffe7d.exe
  File created: C:\Program Files (x86)\991ba1db\991ba1db by f7ff365b9d69717a32a4450c7879de1bd630ef81cd67ca04ee85675a554ffe7d.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 3988: jusched.exe (64 identical entries)
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 5032 (f7ff365b9d69717a32a4450c7879de1bd630ef81cd67ca04ee85675a554ffe7d.exe) wrote to memory of PID 3988, procid_target 87 (3 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\f7ff365b9d69717a32a4450c7879de1bd630ef81cd67ca04ee85675a554ffe7d.exe (PID 5032)
   Command line: "C:\Users\Admin\AppData\Local\Temp\f7ff365b9d69717a32a4450c7879de1bd630ef81cd67ca04ee85675a554ffe7d.exe"
   - Checks computer location settings
   - Drops file in Program Files directory
   - Suspicious use of WriteProcessMemory
   2. C:\Program Files (x86)\991ba1db\jusched.exe (PID 3988, child of PID 5032)
      Command line: "C:\Program Files (x86)\991ba1db\jusched.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
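The signatures and process tree above describe a short chain: the sample queries the Geo\Nation registry value, creates an eight-hex-character directory under Program Files (x86), drops a file there named after the Java Update Scheduler (jusched.exe), launches it, and writes into the child's memory. Each step is cheap to express as a host-side rule, and the combination is far more specific than any one step. The code below is an added example written for this page, not tria.ge's detection logic; the event schema (type/pid/image/... dictionaries) is an assumption made for the example, the events are constructed to mirror the IoCs above, and the legitimate jusched.exe locations listed are what I expect for a standard JRE install.

```python
import re
from collections import defaultdict

SAMPLE = "f7ff365b9d69717a32a4450c7879de1bd630ef81cd67ca04ee85675a554ffe7d.exe"
SAMPLE_PATH = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE
DROPPED = "C:\\Program Files (x86)\\991ba1db\\jusched.exe"

# Constructed events mirroring the IoCs in the report. The schema is an assumption
# for this example, not tria.ge's export format.
EVENTS = [
    {"type": "regquery", "pid": 5032, "image": SAMPLE_PATH,
     "key": "\\REGISTRY\\USER\\S-1-5-21-3270530367-132075249-2153716227-1000"
            "\\Control Panel\\International\\Geo\\Nation"},
    {"type": "filecreate", "pid": 5032, "image": SAMPLE_PATH, "path": DROPPED},
    {"type": "filecreate", "pid": 5032, "image": SAMPLE_PATH,
     "path": "C:\\Program Files (x86)\\991ba1db\\991ba1db"},
    {"type": "proccreate", "pid": 3988, "ppid": 5032, "image": DROPPED},
    {"type": "procwrite", "pid": 5032, "target_pid": 3988, "image": SAMPLE_PATH},
    # Benign control (constructed): the genuine Java Update Scheduler starting from
    # its usual install location, which must not trip the masquerade rule.
    {"type": "proccreate", "pid": 4100, "ppid": 800,
     "image": "C:\\Program Files (x86)\\Common Files\\Java\\Java Update\\jusched.exe"},
]

# Country-code lookup used as a geofence check.
GEO_NATION = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE)
# Eight-hex-char directory directly under Program Files, as with 991ba1db above.
RANDOM_PF_DIR = re.compile(r"^C:\\Program Files( \(x86\))?\\[0-9a-f]{8}\\", re.IGNORECASE)
# Assumed legitimate homes of jusched.exe (Java Update Scheduler).
JAVA_UPDATE_DIRS = (
    "c:\\program files (x86)\\common files\\java\\java update\\",
    "c:\\program files\\common files\\java\\java update\\",
)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def dirname(path):
    return path.rsplit("\\", 1)[0].lower() + "\\"


def check_event(ev):
    """Return the names of the rules a single event triggers."""
    findings = []
    kind = ev["type"]
    if kind == "regquery" and GEO_NATION.search(ev["key"]):
        findings.append("geofence_lookup")
    if kind == "filecreate" and RANDOM_PF_DIR.match(ev["path"]):
        findings.append("drop_in_random_program_files_dir")
    if kind == "proccreate":
        img = ev["image"]
        # Known-good name in an unexpected directory: masquerading.
        if basename(img) == "jusched.exe" and dirname(img) not in JAVA_UPDATE_DIRS:
            findings.append("jusched_masquerade")
        if RANDOM_PF_DIR.match(img):
            findings.append("exec_from_random_program_files_dir")
    if kind == "procwrite" and ev["target_pid"] != ev["pid"]:
        findings.append("cross_process_write")
    return findings


def triage(events):
    """Group findings by pid so the dropper -> dropped EXE chain is visible at a glance."""
    by_pid = defaultdict(set)
    for ev in events:
        for name in check_event(ev):
            by_pid[ev["pid"]].add(name)
    return {pid: sorted(names) for pid, names in by_pid.items()}


if __name__ == "__main__":
    for pid, names in triage(EVENTS).items():
        print(pid, ", ".join(names))
```

The per-pid grouping is the point: a single cross-process write or a single geofence read is noisy on its own, but one process that does the registry lookup, drops into a random Program Files directory and then writes into the child it just spawned from there is worth an alert. Note that Sysmon does not log registry reads, so the geofence rule needs a sandbox or an ETW/EDR source that records value queries.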
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 13B
  MD5: f253efe302d32ab264a76e0ce65be769
  SHA1: 768685ca582abd0af2fbb57ca37752aa98c9372b
  SHA256: 49dca65f362fee401292ed7ada96f96295eab1e589c52e4e66bf4aedda715fdd
  SHA512: 1990d20b462406bbadb22ba43f1ed9d0db6b250881d4ac89ad8cf6e43ca92b2fd31c3a15be1e6e149e42fdb46e58122c15bc7869a82c9490656c80df69fa77c4
- Filesize: 34KB
  MD5: 6d964d0d588510acf07cd9023d55aae2
  SHA1: 64c9dba065d2cce2b0c70d49adf0aabbb100aa5e
  SHA256: 20541e99e3a05dfe82fd5ffed233364d2894d26f88a7eb84facbecaeb67116df
  SHA512: 7f46dc30ed7db66fbca2515ac37e37af77b1775c501077f0873e5ea71129f67007cda845a0d844fb254b5b3d54086b894ac9e736edd0dc08cd6bb845474498e4