Analysis
- Max time kernel: 150s
- Max time network: 99s
- Platform: windows10-2004_x64
- Resource: win10v2004-20240704-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 07/07/2024, 22:48
Static task: static1

Behavioral task: behavioral1
- Sample: 60466f2e633d503c3fa5dc10a05a7754bbf5540afb6f23ff3c994e3a29dc1ae2.exe
- Resource: win7-20240704-en

Behavioral task: behavioral2
- Sample: 60466f2e633d503c3fa5dc10a05a7754bbf5540afb6f23ff3c994e3a29dc1ae2.exe
- Resource: win10v2004-20240704-en
General
- Target: 60466f2e633d503c3fa5dc10a05a7754bbf5540afb6f23ff3c994e3a29dc1ae2.exe
- Size: 75KB
- MD5: 966a001eda473cc07c99395b4d196b64
- SHA1: ac0bb6c3af76aa0974cdbaa60b5436b7fe3a75e4
- SHA256: 60466f2e633d503c3fa5dc10a05a7754bbf5540afb6f23ff3c994e3a29dc1ae2
- SHA512: f5aa9dc3af84ed2b8a7a7c5f22daf8bb349ddfa18be1c0f2045cf42f93ce0ca0a2f4237d6e48803c45048fe8e2db72e30b45424e6fcb4be2f987e127ce5800db
- SSDEEP: 1536:EQTIubHy5wQkNZgHLl7qJc2fiMIRZprDa8ibxBefEc:d4wPNaLlqy2MtDMBIr
Malware Config
Extracted
- Protocol: ftp
- Host: ftp.tripod.com
- Port: 21
- Username: onthelinux
- Password: 741852abc
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Description: Key value queried
  IoC: \REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\Control Panel\International\Geo\Nation
  Process: 60466f2e633d503c3fa5dc10a05a7754bbf5540afb6f23ff3c994e3a29dc1ae2.exe
- Executes dropped EXE (1 IoC)
  PID 1548, Process: jusched.exe
- Drops file in Program Files directory (2 IoCs)
  Description: File created
  IoC: C:\Program Files (x86)\bc7a468a\jusched.exe
  Process: 60466f2e633d503c3fa5dc10a05a7754bbf5540afb6f23ff3c994e3a29dc1ae2.exe
  Description: File created
  IoC: C:\Program Files (x86)\bc7a468a\bc7a468a
  Process: 60466f2e633d503c3fa5dc10a05a7754bbf5540afb6f23ff3c994e3a29dc1ae2.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 1548, Process: jusched.exe (all 64 entries are identical)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Description: PID 5036 wrote to memory of 1548
  PID: 5036
  Process: 60466f2e633d503c3fa5dc10a05a7754bbf5540afb6f23ff3c994e3a29dc1ae2.exe
  Target PID: 86
  (the same entry is recorded three times)
Processes
- C:\Users\Admin\AppData\Local\Temp\60466f2e633d503c3fa5dc10a05a7754bbf5540afb6f23ff3c994e3a29dc1ae2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\60466f2e633d503c3fa5dc10a05a7754bbf5540afb6f23ff3c994e3a29dc1ae2.exe"
  PID: 5036
  - Checks computer location settings
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\bc7a468a\jusched.exe (child of PID 5036)
    Command line: "C:\Program Files (x86)\bc7a468a\jusched.exe"
    PID: 1548
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 13B
  MD5: f253efe302d32ab264a76e0ce65be769
  SHA1: 768685ca582abd0af2fbb57ca37752aa98c9372b
  SHA256: 49dca65f362fee401292ed7ada96f96295eab1e589c52e4e66bf4aedda715fdd
  SHA512: 1990d20b462406bbadb22ba43f1ed9d0db6b250881d4ac89ad8cf6e43ca92b2fd31c3a15be1e6e149e42fdb46e58122c15bc7869a82c9490656c80df69fa77c4
- Filesize: 75KB
  MD5: 42dae42b5c42708adf40ebdd9af421a7
  SHA1: 1fbbee0b0dbdf5144a95fb0b68bd6f69f0ffe0f2
  SHA256: e13aee5a0cad2153be77215d4d1c18c9c418f506a182db3335370934ac896e66
  SHA512: 0d235195be1a4e5dadc76d15179279c3b6a421a7fc1cde4b9584bed6c802f9706124d5a903eacd7e0578bb7e89df156edcad38f005abde3ed8b92a40fbb211f4