Analysis
max time kernel: 149s
max time network: 122s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/05/2024, 00:55
Static task: static1
Behavioral task: behavioral1
  Sample: 82e3e724c2f8e7e411a9d88797fc0baf3ffdf21d7b2772b5fdf4b7548bf683ad.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 82e3e724c2f8e7e411a9d88797fc0baf3ffdf21d7b2772b5fdf4b7548bf683ad.exe
  Resource: win10v2004-20240508-en
General
Target: 82e3e724c2f8e7e411a9d88797fc0baf3ffdf21d7b2772b5fdf4b7548bf683ad.exe
Size: 41KB
MD5: 8d027dce08fbf2ff4498fa353d99da40
SHA1: acbe225d7330987895a07b8633ad61b346834c53
SHA256: 82e3e724c2f8e7e411a9d88797fc0baf3ffdf21d7b2772b5fdf4b7548bf683ad
SHA512: e98b149daed94264e7860051e5af0882b6f841b71aef8e870cd83decdf35a63bd9329b816f67e6c38b2baab6af22c713ceb42125156cf3ad2ed82f888108c426
SSDEEP: 768:xIP5WOMVs4PSV06ymNNC6S7Cm1n2OBGRIWNSE77DPQ1TTGfGYhH:xI0OGrOy6NvSpMZrQ1JG
Malware Config
Extracted
Protocol: ftp
Host: ftp.tripod.com
Port: 21
Username: griptoloji
Password: 741852
Signatures

Detects executables built or packed with MPress PE compressor (7 IoCs)
resource | yara_rule
behavioral2/memory/4788-0-0x0000000000400000-0x0000000000473000-memory.dmp | INDICATOR_EXE_Packed_MPress
behavioral2/files/0x0005000000022abb-6.dat | INDICATOR_EXE_Packed_MPress
behavioral2/memory/4788-11-0x0000000000400000-0x0000000000473000-memory.dmp | INDICATOR_EXE_Packed_MPress
behavioral2/memory/3136-13-0x0000000000400000-0x0000000000473000-memory.dmp | INDICATOR_EXE_Packed_MPress
behavioral2/memory/3136-14-0x0000000000400000-0x0000000000473000-memory.dmp | INDICATOR_EXE_Packed_MPress
behavioral2/memory/3136-19-0x0000000000400000-0x0000000000473000-memory.dmp | INDICATOR_EXE_Packed_MPress
behavioral2/memory/3136-20-0x0000000000400000-0x0000000000473000-memory.dmp | INDICATOR_EXE_Packed_MPress

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | 82e3e724c2f8e7e411a9d88797fc0baf3ffdf21d7b2772b5fdf4b7548bf683ad.exe

Executes dropped EXE (1 IoC)
pid | Process
3136 | jusched.exe

Drops file in Program Files directory (3 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\Java\jre-09\bin\jusched.exe | 82e3e724c2f8e7e411a9d88797fc0baf3ffdf21d7b2772b5fdf4b7548bf683ad.exe
File opened for modification | C:\Program Files (x86)\Java\jre-09\bin\jusched.exe | 82e3e724c2f8e7e411a9d88797fc0baf3ffdf21d7b2772b5fdf4b7548bf683ad.exe
File created | C:\Program Files (x86)\Java\jre-09\bin\UF | 82e3e724c2f8e7e411a9d88797fc0baf3ffdf21d7b2772b5fdf4b7548bf683ad.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
3136 | jusched.exe (all 64 entries are this same process)

Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 4788 wrote to memory of 3136 | 4788 | 82e3e724c2f8e7e411a9d88797fc0baf3ffdf21d7b2772b5fdf4b7548bf683ad.exe | 82
PID 4788 wrote to memory of 3136 | 4788 | 82e3e724c2f8e7e411a9d88797fc0baf3ffdf21d7b2772b5fdf4b7548bf683ad.exe | 82
PID 4788 wrote to memory of 3136 | 4788 | 82e3e724c2f8e7e411a9d88797fc0baf3ffdf21d7b2772b5fdf4b7548bf683ad.exe | 82
Processes

1. C:\Users\Admin\AppData\Local\Temp\82e3e724c2f8e7e411a9d88797fc0baf3ffdf21d7b2772b5fdf4b7548bf683ad.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\82e3e724c2f8e7e411a9d88797fc0baf3ffdf21d7b2772b5fdf4b7548bf683ad.exe"
   PID: 4788
   - Checks computer location settings
   - Drops file in Program Files directory
   - Suspicious use of WriteProcessMemory

   2. C:\Program Files (x86)\Java\jre-09\bin\jusched.exe (child of PID 4788)
      Command line: "C:\Program Files (x86)\Java\jre-09\bin\jusched.exe"
      PID: 3136
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
Network

MITRE ATT&CK Enterprise v15

Downloads
Filesize: 41KB
MD5: 243b5ffb93d2f59c8328f2bb80f85532
SHA1: 79e505fbbe919939f6ea20666e4aa673f8396451
SHA256: cefcc602444d6fe5e919aa5a3dcf18df547b82e7c83c40a8ee1945e0552d9ee8
SHA512: 38b25e9ea9c22d458f5ba517a9e9ae933e80683cac4a0e3aa475804a8a4b9f6e076f38ed3bd377d5c35694dc1fad2a34a8b5de004b16017622cc7d55eb95ea23