82e3e724c2f8e7e411a9d88797fc0baf3ffdf21d7b2772b5fdf4b7548bf683ad

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
09/05/2024, 00:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

82e3e724c2f8e7e411a9d88797fc0baf3ffdf21d7b2772b5fdf4b7548bf683ad.exe
Size

41KB
MD5

8d027dce08fbf2ff4498fa353d99da40
SHA1

acbe225d7330987895a07b8633ad61b346834c53
SHA256

82e3e724c2f8e7e411a9d88797fc0baf3ffdf21d7b2772b5fdf4b7548bf683ad
SHA512

e98b149daed94264e7860051e5af0882b6f841b71aef8e870cd83decdf35a63bd9329b816f67e6c38b2baab6af22c713ceb42125156cf3ad2ed82f888108c426
SSDEEP

768:xIP5WOMVs4PSV06ymNNC6S7Cm1n2OBGRIWNSE77DPQ1TTGfGYhH:xI0OGrOy6NvSpMZrQ1JG

Score

10^/10

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.tripod.com
Port:
21
Username:
griptoloji
Password:
741852

Signatures

Detects executables built or packed with MPress PE compressor 6 IoCs

resource	yara_rule
behavioral1/memory/2400-0-0x0000000000400000-0x0000000000473000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/files/0x0038000000015cb8-5.dat	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2400-13-0x0000000000400000-0x0000000000473000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2376-14-0x0000000000400000-0x0000000000473000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2376-20-0x0000000000400000-0x0000000000473000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral1/memory/2376-21-0x0000000000400000-0x0000000000473000-memory.dmp	INDICATOR_EXE_Packed_MPress

Executes dropped EXE 1 IoCs

pid	Process
2376	jusched.exe

Loads dropped DLL 2 IoCs

pid	Process
2400	82e3e724c2f8e7e411a9d88797fc0baf3ffdf21d7b2772b5fdf4b7548bf683ad.exe
2400	82e3e724c2f8e7e411a9d88797fc0baf3ffdf21d7b2772b5fdf4b7548bf683ad.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Java\jre-09\bin\jusched.exe	82e3e724c2f8e7e411a9d88797fc0baf3ffdf21d7b2772b5fdf4b7548bf683ad.exe
File opened for modification	C:\Program Files (x86)\Java\jre-09\bin\jusched.exe	82e3e724c2f8e7e411a9d88797fc0baf3ffdf21d7b2772b5fdf4b7548bf683ad.exe
File created	C:\Program Files (x86)\Java\jre-09\bin\UF	82e3e724c2f8e7e411a9d88797fc0baf3ffdf21d7b2772b5fdf4b7548bf683ad.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2376	jusched.exe
2376	jusched.exe
2376	jusched.exe
2376	jusched.exe
2376	jusched.exe
2376	jusched.exe
2376	jusched.exe
2376	jusched.exe
2376	jusched.exe
2376	jusched.exe
2376	jusched.exe
2376	jusched.exe
2376	jusched.exe
2376	jusched.exe
2376	jusched.exe
2376	jusched.exe
2376	jusched.exe
2376	jusched.exe
2376	jusched.exe
2376	jusched.exe
2376	jusched.exe
2376	jusched.exe
2376	jusched.exe
2376	jusched.exe
2376	jusched.exe
2376	jusched.exe
2376	jusched.exe
2376	jusched.exe
2376	jusched.exe
2376	jusched.exe
2376	jusched.exe
2376	jusched.exe
2376	jusched.exe
2376	jusched.exe
2376	jusched.exe
2376	jusched.exe
2376	jusched.exe
2376	jusched.exe
2376	jusched.exe
2376	jusched.exe
2376	jusched.exe
2376	jusched.exe
2376	jusched.exe
2376	jusched.exe
2376	jusched.exe
2376	jusched.exe
2376	jusched.exe
2376	jusched.exe
2376	jusched.exe
2376	jusched.exe
2376	jusched.exe
2376	jusched.exe
2376	jusched.exe
2376	jusched.exe
2376	jusched.exe
2376	jusched.exe
2376	jusched.exe
2376	jusched.exe
2376	jusched.exe
2376	jusched.exe
2376	jusched.exe
2376	jusched.exe
2376	jusched.exe
2376	jusched.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 2376	2400	82e3e724c2f8e7e411a9d88797fc0baf3ffdf21d7b2772b5fdf4b7548bf683ad.exe	28
PID 2400 wrote to memory of 2376	2400	82e3e724c2f8e7e411a9d88797fc0baf3ffdf21d7b2772b5fdf4b7548bf683ad.exe	28
PID 2400 wrote to memory of 2376	2400	82e3e724c2f8e7e411a9d88797fc0baf3ffdf21d7b2772b5fdf4b7548bf683ad.exe	28
PID 2400 wrote to memory of 2376	2400	82e3e724c2f8e7e411a9d88797fc0baf3ffdf21d7b2772b5fdf4b7548bf683ad.exe	28

C:\Users\Admin\AppData\Local\Temp\82e3e724c2f8e7e411a9d88797fc0baf3ffdf21d7b2772b5fdf4b7548bf683ad.exe
"C:\Users\Admin\AppData\Local\Temp\82e3e724c2f8e7e411a9d88797fc0baf3ffdf21d7b2772b5fdf4b7548bf683ad.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Program Files (x86)\Java\jre-09\bin\jusched.exe
  "C:\Program Files (x86)\Java\jre-09\bin\jusched.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files (x86)\Java\jre-09\bin\jusched.exe

Filesize
41KB

MD5
be661de2875a8276342604c4270082c6

SHA1
dda9554cc6c8aacb2a3b54efa7ba0f994c969d8e

SHA256
7eebab8f355acd90ed61716f9bf65dcb3aa566ad2f6ef86fd19e1a8a0b0a1fb3

SHA512
7d0cef805e366fee67b96253694a93389f2587f34724b726c72376c3b7abb89d13c62c5b41bc47d2ce896f0a20c52070693b87dad924664afce907f003d84274

Download Submit
memory/2376-14-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2376-20-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2376-21-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2400-0-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/2400-13-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download