Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 120s
max time network: 85s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 17/08/2024, 07:04
Static task: static1
Behavioral task: behavioral1
  Sample: 2e9e752eb5829cd16d71a52eebd302c0N.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 2e9e752eb5829cd16d71a52eebd302c0N.exe
  Resource: win10v2004-20240802-en
General
Target: 2e9e752eb5829cd16d71a52eebd302c0N.exe
Size: 96KB
MD5: 2e9e752eb5829cd16d71a52eebd302c0
SHA1: 9aa59c56ee3008b2a302770cce3c138627342d9f
SHA256: 08a036244da521e3d27dd1ec9e32f49c599781f85b83391f57d965de829dc12a
SHA512: 7af11054ee681f7294706e05da55fb934a7f4d89d63c41676c9d81757b60e25fb8b89fcdcbda0dd3905206744aae8b1b3bca483121282e2f0483c14a9d415b2b
SSDEEP: 768:p/5inm+cd5rHemPXkqUEphjVuvios1rPr4adL0NqlJi+vBU6u7DPQ1TTGfGYc+px:pRsvcdcQjosnvng6uQ1JW
Malware Config
Extracted
Protocol: ftp
Host: ftp.tripod.com
Port: 21
Username: griptoloji
Password: 741852
Signatures
Executes dropped EXE (1 IoC)
  pid 2480, Process jusched.exe
Loads dropped DLL (2 IoCs)
  pid 1996, Process 2e9e752eb5829cd16d71a52eebd302c0N.exe
  pid 1996, Process 2e9e752eb5829cd16d71a52eebd302c0N.exe
Drops file in Program Files directory (3 IoCs)
  File created: C:\Program Files (x86)\Java\jre-09\bin\UF (Process: 2e9e752eb5829cd16d71a52eebd302c0N.exe)
  File created: C:\Program Files (x86)\Java\jre-09\bin\jusched.exe (Process: 2e9e752eb5829cd16d71a52eebd302c0N.exe)
  File opened for modification: C:\Program Files (x86)\Java\jre-09\bin\jusched.exe (Process: 2e9e752eb5829cd16d71a52eebd302c0N.exe)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: 2e9e752eb5829cd16d71a52eebd302c0N.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: jusched.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid 2480, Process jusched.exe (64 identical entries)
Suspicious use of WriteProcessMemory (4 IoCs)
  PID 1996 wrote to memory of 2480, Process 2e9e752eb5829cd16d71a52eebd302c0N.exe, procid_target 29 (4 identical entries)
Processes
1. "C:\Users\Admin\AppData\Local\Temp\2e9e752eb5829cd16d71a52eebd302c0N.exe" (PID 1996)
   - Loads dropped DLL
   - Drops file in Program Files directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. "C:\Program Files (x86)\Java\jre-09\bin\jusched.exe" (PID 2480, child of PID 1996)
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 96KB
MD5: bb767a8c0170811a8704b91cdf90b977
SHA1: 6cf77fc597714d6835a9f141aa54cc3d033f972e
SHA256: bd7773933b6d9d8572471a82533c62e28d618988bc61759d25202f45cf6099be
SHA512: eff3b4a9eb4772281b4c273db795b71a5253c73d85aa8295851329b1b0890bece7f62b49187afcbc68a125a9fd8b4cfa2a23f4f811eb47a21a52bea0b4405eee