Analysis
max time kernel: 149s
max time network: 107s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-05-2024 22:23
Static task: static1
Behavioral task: behavioral1
  Sample: 4b1286480a8560d1a1e9bc8dcd0b9a2fabc07a3f42f5388e1c3ffc168d5ffc97.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 4b1286480a8560d1a1e9bc8dcd0b9a2fabc07a3f42f5388e1c3ffc168d5ffc97.exe
  Resource: win10v2004-20240508-en
General
Target: 4b1286480a8560d1a1e9bc8dcd0b9a2fabc07a3f42f5388e1c3ffc168d5ffc97.exe
Size: 45KB
MD5: 0dd094ceff87bdd52472b25ba2422580
SHA1: 18944002f4d4d0ed4a466821b65c847354cc9d17
SHA256: 4b1286480a8560d1a1e9bc8dcd0b9a2fabc07a3f42f5388e1c3ffc168d5ffc97
SHA512: a9fe5672464f9143204b953f2bae56a15bccce1660d55dda2694ac951df1128edaf86f6b7ddd7d2228b90c5ee484a8c3d56cc3e42a6f7bef247b4227c371f67e
SSDEEP: 768:zIP5WOMVs4PSV06ymNNC6S7Cm1n2OBGRIWNSE77NPQ1TTGfGYy6KT:zI0OGrOy6NvSpMZVQ1J4KT
Malware Config
Extracted
Protocol: ftp
Host: ftp.tripod.com
Port: 21
Username: griptoloji
Password: 741852
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | 4b1286480a8560d1a1e9bc8dcd0b9a2fabc07a3f42f5388e1c3ffc168d5ffc97.exe

Executes dropped EXE (1 IoC)
pid | Process
3336 | jusched.exe

Drops file in Program Files directory (3 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\Java\jre-09\bin\jusched.exe | 4b1286480a8560d1a1e9bc8dcd0b9a2fabc07a3f42f5388e1c3ffc168d5ffc97.exe
File opened for modification | C:\Program Files (x86)\Java\jre-09\bin\jusched.exe | 4b1286480a8560d1a1e9bc8dcd0b9a2fabc07a3f42f5388e1c3ffc168d5ffc97.exe
File created | C:\Program Files (x86)\Java\jre-09\bin\UF | 4b1286480a8560d1a1e9bc8dcd0b9a2fabc07a3f42f5388e1c3ffc168d5ffc97.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
3336 | jusched.exe (all 64 entries are identical)

Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 3212 wrote to memory of 3336 | 3212 | 4b1286480a8560d1a1e9bc8dcd0b9a2fabc07a3f42f5388e1c3ffc168d5ffc97.exe | 87
PID 3212 wrote to memory of 3336 | 3212 | 4b1286480a8560d1a1e9bc8dcd0b9a2fabc07a3f42f5388e1c3ffc168d5ffc97.exe | 87
PID 3212 wrote to memory of 3336 | 3212 | 4b1286480a8560d1a1e9bc8dcd0b9a2fabc07a3f42f5388e1c3ffc168d5ffc97.exe | 87
Processes

1. C:\Users\Admin\AppData\Local\Temp\4b1286480a8560d1a1e9bc8dcd0b9a2fabc07a3f42f5388e1c3ffc168d5ffc97.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\4b1286480a8560d1a1e9bc8dcd0b9a2fabc07a3f42f5388e1c3ffc168d5ffc97.exe"
   - Checks computer location settings
   - Drops file in Program Files directory
   - Suspicious use of WriteProcessMemory
   PID: 3212

   2. C:\Program Files (x86)\Java\jre-09\bin\jusched.exe (child of process 1)
      Command line: "C:\Program Files (x86)\Java\jre-09\bin\jusched.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      PID: 3336
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 45KB
MD5: 3ced9a40c4fe1e46047f3fef6572140d
SHA1: 6d7d79117dca770724eff8a60c9a88c0ace03f94
SHA256: 19d600fcb655460d53ca72b1c6e04e21283012a3958109aeb6ee7766068f943a
SHA512: 1bb4fa25869d9b89194b33769371d13ef26d283e31a5061d6539ece92df59a61eaa729544f393d757137a6fcb2547c3f7420d35ed4e6e74c1add039e4fb00e60