Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

82e3e724c2...ad.exe

windows7-x64

10

82e3e724c2...ad.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/05/2024, 00:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    82e3e724c2f8e7e411a9d88797fc0baf3ffdf21d7b2772b5fdf4b7548bf683ad.exe

  • Size

    41KB

  • MD5

    8d027dce08fbf2ff4498fa353d99da40

  • SHA1

    acbe225d7330987895a07b8633ad61b346834c53

  • SHA256

    82e3e724c2f8e7e411a9d88797fc0baf3ffdf21d7b2772b5fdf4b7548bf683ad

  • SHA512

    e98b149daed94264e7860051e5af0882b6f841b71aef8e870cd83decdf35a63bd9329b816f67e6c38b2baab6af22c713ceb42125156cf3ad2ed82f888108c426

  • SSDEEP

    768:xIP5WOMVs4PSV06ymNNC6S7Cm1n2OBGRIWNSE77DPQ1TTGfGYhH:xI0OGrOy6NvSpMZrQ1JG

Score
10/10

Malware Config

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    ftp.tripod.com
  • Port:
    21
  • Username:
    griptoloji
  • Password:
    741852

Signatures

  • Detects executables built or packed with MPress PE compressor 7 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\82e3e724c2f8e7e411a9d88797fc0baf3ffdf21d7b2772b5fdf4b7548bf683ad.exe
    "C:\Users\Admin\AppData\Local\Temp\82e3e724c2f8e7e411a9d88797fc0baf3ffdf21d7b2772b5fdf4b7548bf683ad.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:4788
    • C:\Program Files (x86)\Java\jre-09\bin\jusched.exe
      "C:\Program Files (x86)\Java\jre-09\bin\jusched.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      PID:3136

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Java\jre-09\bin\jusched.exe
    Filesize

    41KB

    MD5

    243b5ffb93d2f59c8328f2bb80f85532

    SHA1

    79e505fbbe919939f6ea20666e4aa673f8396451

    SHA256

    cefcc602444d6fe5e919aa5a3dcf18df547b82e7c83c40a8ee1945e0552d9ee8

    SHA512

    38b25e9ea9c22d458f5ba517a9e9ae933e80683cac4a0e3aa475804a8a4b9f6e076f38ed3bd377d5c35694dc1fad2a34a8b5de004b16017622cc7d55eb95ea23

    Download Submit

  • memory/3136-13-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/3136-14-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/3136-19-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/3136-20-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/4788-0-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download

  • memory/4788-11-0x0000000000400000-0x0000000000473000-memory.dmp

    Filesize

    460KB

    Download