Analysis
- max time kernel: 149s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 22-05-2024 22:23
Static task: static1

Behavioral task: behavioral1
- Sample: 4b1286480a8560d1a1e9bc8dcd0b9a2fabc07a3f42f5388e1c3ffc168d5ffc97.exe
- Resource: win7-20240508-en

Behavioral task: behavioral2
- Sample: 4b1286480a8560d1a1e9bc8dcd0b9a2fabc07a3f42f5388e1c3ffc168d5ffc97.exe
- Resource: win10v2004-20240508-en
General
- Target: 4b1286480a8560d1a1e9bc8dcd0b9a2fabc07a3f42f5388e1c3ffc168d5ffc97.exe
- Size: 45KB
- MD5: 0dd094ceff87bdd52472b25ba2422580
- SHA1: 18944002f4d4d0ed4a466821b65c847354cc9d17
- SHA256: 4b1286480a8560d1a1e9bc8dcd0b9a2fabc07a3f42f5388e1c3ffc168d5ffc97
- SHA512: a9fe5672464f9143204b953f2bae56a15bccce1660d55dda2694ac951df1128edaf86f6b7ddd7d2228b90c5ee484a8c3d56cc3e42a6f7bef247b4227c371f67e
- SSDEEP: 768:zIP5WOMVs4PSV06ymNNC6S7Cm1n2OBGRIWNSE77NPQ1TTGfGYy6KT:zI0OGrOy6NvSpMZVQ1J4KT
Malware Config
Extracted
- Protocol: ftp
- Host: ftp.tripod.com
- Port: 21
- Username: griptoloji
- Password: 741852
Signatures

- Executes dropped EXE (1 IoC)
  pid  | Process
  2108 | jusched.exe

- Loads dropped DLL (2 IoCs)
  pid | Process
  836 | 4b1286480a8560d1a1e9bc8dcd0b9a2fabc07a3f42f5388e1c3ffc168d5ffc97.exe
  836 | 4b1286480a8560d1a1e9bc8dcd0b9a2fabc07a3f42f5388e1c3ffc168d5ffc97.exe

- Drops file in Program Files directory (3 IoCs)
  description                  | ioc                                                 | Process
  File created                 | C:\Program Files (x86)\Java\jre-09\bin\jusched.exe | 4b1286480a8560d1a1e9bc8dcd0b9a2fabc07a3f42f5388e1c3ffc168d5ffc97.exe
  File opened for modification | C:\Program Files (x86)\Java\jre-09\bin\jusched.exe | 4b1286480a8560d1a1e9bc8dcd0b9a2fabc07a3f42f5388e1c3ffc168d5ffc97.exe
  File created                 | C:\Program Files (x86)\Java\jre-09\bin\UF          | 4b1286480a8560d1a1e9bc8dcd0b9a2fabc07a3f42f5388e1c3ffc168d5ffc97.exe

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid  | Process
  2108 | jusched.exe (64 identical entries)

- Suspicious use of WriteProcessMemory (4 IoCs)
  description                     | pid | Process                                                              | procid_target
  PID 836 wrote to memory of 2108 | 836 | 4b1286480a8560d1a1e9bc8dcd0b9a2fabc07a3f42f5388e1c3ffc168d5ffc97.exe | 28
  (4 identical entries)
Processes

1. "C:\Users\Admin\AppData\Local\Temp\4b1286480a8560d1a1e9bc8dcd0b9a2fabc07a3f42f5388e1c3ffc168d5ffc97.exe" (PID: 836)
   - Loads dropped DLL
   - Drops file in Program Files directory
   - Suspicious use of WriteProcessMemory

   2. "C:\Program Files (x86)\Java\jre-09\bin\jusched.exe" (PID: 2108), child of PID 836
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 45KB
- MD5: a1ee414d187c2b588527488c6500a8c4
- SHA1: 2840d5cb7bff61ffffaf0d398a664b8415726da6
- SHA256: 5cb317d4f241280bbe8510d07e95fd90454c84dd4015db752a9788d480ed5135
- SHA512: 70c8ff6904cb3e23f3fca4e33b31ce4bf1605122a5667ff0eff789813e629f5b61ddb8e0f29a09bb7c7f12edaf980f6ec287868c6855dd08476d2898376629f4