57606f7e771a7470d6b39268eae5426f31b0b8eb8731f05c176af6a2c2aca2e9

Analysis

max time kernel
150s
max time network
118s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
01/05/2024, 21:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

57606f7e771a7470d6b39268eae5426f31b0b8eb8731f05c176af6a2c2aca2e9.exe
Size

41KB
MD5

58446d2e8ffbbc9e2e7899a997f79dcf
SHA1

6a4d47e1b1aa88755224928963a46b81bee5ee18
SHA256

57606f7e771a7470d6b39268eae5426f31b0b8eb8731f05c176af6a2c2aca2e9
SHA512

a4644a6e77229117f3861f9d7b80d064397e889f24852ccde432852e4581eba4d31d163d6966a7b5eb909c5ff47350aeac8c2971ac9ed60cf8002dd16506121a
SSDEEP

768:xIP5WOMVs4PSV06ymNNC6S7Cm1n2OBGRIWNSE77DPQ1TTGfGYhP:xI0OGrOy6NvSpMZrQ1JO

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.tripod.com
Port:
21
Username:
griptoloji
Password:
741852

Signatures

Detects executables built or packed with MPress PE compressor 7 IoCs

resource	yara_rule
behavioral1/memory/1940-0-0x0000000000400000-0x0000000000473000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0032000000013a46-5.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/1940-13-0x0000000000400000-0x0000000000473000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2956-14-0x0000000000400000-0x0000000000473000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2956-15-0x0000000000400000-0x0000000000473000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2956-20-0x0000000000400000-0x0000000000473000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2956-21-0x0000000000400000-0x0000000000473000-memory.dmp	INDICATOR_EXE_Packed_MPress

Executes dropped EXE 1 IoCs

pid	Process
2956	jusched.exe

Loads dropped DLL 2 IoCs

pid	Process
1940	57606f7e771a7470d6b39268eae5426f31b0b8eb8731f05c176af6a2c2aca2e9.exe
1940	57606f7e771a7470d6b39268eae5426f31b0b8eb8731f05c176af6a2c2aca2e9.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Java\jre-09\bin\jusched.exe	57606f7e771a7470d6b39268eae5426f31b0b8eb8731f05c176af6a2c2aca2e9.exe
File opened for modification	C:\Program Files (x86)\Java\jre-09\bin\jusched.exe	57606f7e771a7470d6b39268eae5426f31b0b8eb8731f05c176af6a2c2aca2e9.exe
File created	C:\Program Files (x86)\Java\jre-09\bin\UF	57606f7e771a7470d6b39268eae5426f31b0b8eb8731f05c176af6a2c2aca2e9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2956	jusched.exe
2956	jusched.exe
2956	jusched.exe
2956	jusched.exe
2956	jusched.exe
2956	jusched.exe
2956	jusched.exe
2956	jusched.exe
2956	jusched.exe
2956	jusched.exe
2956	jusched.exe
2956	jusched.exe
2956	jusched.exe
2956	jusched.exe
2956	jusched.exe
2956	jusched.exe
2956	jusched.exe
2956	jusched.exe
2956	jusched.exe
2956	jusched.exe
2956	jusched.exe
2956	jusched.exe
2956	jusched.exe
2956	jusched.exe
2956	jusched.exe
2956	jusched.exe
2956	jusched.exe
2956	jusched.exe
2956	jusched.exe
2956	jusched.exe
2956	jusched.exe
2956	jusched.exe
2956	jusched.exe
2956	jusched.exe
2956	jusched.exe
2956	jusched.exe
2956	jusched.exe
2956	jusched.exe
2956	jusched.exe
2956	jusched.exe
2956	jusched.exe
2956	jusched.exe
2956	jusched.exe
2956	jusched.exe
2956	jusched.exe
2956	jusched.exe
2956	jusched.exe
2956	jusched.exe
2956	jusched.exe
2956	jusched.exe
2956	jusched.exe
2956	jusched.exe
2956	jusched.exe
2956	jusched.exe
2956	jusched.exe
2956	jusched.exe
2956	jusched.exe
2956	jusched.exe
2956	jusched.exe
2956	jusched.exe
2956	jusched.exe
2956	jusched.exe
2956	jusched.exe
2956	jusched.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 2956	1940	57606f7e771a7470d6b39268eae5426f31b0b8eb8731f05c176af6a2c2aca2e9.exe	28
PID 1940 wrote to memory of 2956	1940	57606f7e771a7470d6b39268eae5426f31b0b8eb8731f05c176af6a2c2aca2e9.exe	28
PID 1940 wrote to memory of 2956	1940	57606f7e771a7470d6b39268eae5426f31b0b8eb8731f05c176af6a2c2aca2e9.exe	28
PID 1940 wrote to memory of 2956	1940	57606f7e771a7470d6b39268eae5426f31b0b8eb8731f05c176af6a2c2aca2e9.exe	28

C:\Users\Admin\AppData\Local\Temp\57606f7e771a7470d6b39268eae5426f31b0b8eb8731f05c176af6a2c2aca2e9.exe
"C:\Users\Admin\AppData\Local\Temp\57606f7e771a7470d6b39268eae5426f31b0b8eb8731f05c176af6a2c2aca2e9.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Program Files (x86)\Java\jre-09\bin\jusched.exe
  "C:\Program Files (x86)\Java\jre-09\bin\jusched.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files (x86)\Java\jre-09\bin\jusched.exe

Filesize
41KB

MD5
9a63d8aece9749ef512d3fc5c343736e

SHA1
d9dec69ca64e9a5426b4f4fd2ab54b43f8ecc995

SHA256
8ae427b5c8c067558f8938425b8c500818847651d31472857e08a0a7fa78ef72

SHA512
fd9649f71517c2038da704ca460f8c849830a2d4b4359ae60d344f1ad346d4cb7da5706a676e3754b7bd594b06b98733e40e0b31bbc09a38a1f08c54f0bc756c

Download Submit
memory/1940-0-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1940-13-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2956-14-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2956-15-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2956-20-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2956-21-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download