Analysis
- max time kernel: 119s
- max time network: 119s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17/08/2024, 07:04
Static task: static1
Behavioral task: behavioral1
- Sample: 2e9e752eb5829cd16d71a52eebd302c0N.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 2e9e752eb5829cd16d71a52eebd302c0N.exe
- Resource: win10v2004-20240802-en
General
- Target: 2e9e752eb5829cd16d71a52eebd302c0N.exe
- Size: 96KB
- MD5: 2e9e752eb5829cd16d71a52eebd302c0
- SHA1: 9aa59c56ee3008b2a302770cce3c138627342d9f
- SHA256: 08a036244da521e3d27dd1ec9e32f49c599781f85b83391f57d965de829dc12a
- SHA512: 7af11054ee681f7294706e05da55fb934a7f4d89d63c41676c9d81757b60e25fb8b89fcdcbda0dd3905206744aae8b1b3bca483121282e2f0483c14a9d415b2b
- SSDEEP: 768:p/5inm+cd5rHemPXkqUEphjVuvios1rPr4adL0NqlJi+vBU6u7DPQ1TTGfGYc+px:pRsvcdcQjosnvng6uQ1JW
Malware Config
Extracted
- Protocol: ftp
- Host: ftp.tripod.com
- Port: 21
- Username: griptoloji
- Password: 741852
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation (process: 2e9e752eb5829cd16d71a52eebd302c0N.exe)
Executes dropped EXE (1 IoC)
- PID 3596: jusched.exe
Drops file in Program Files directory (3 IoCs)
- File created: C:\Program Files (x86)\Java\jre-09\bin\jusched.exe (process: 2e9e752eb5829cd16d71a52eebd302c0N.exe)
- File opened for modification: C:\Program Files (x86)\Java\jre-09\bin\jusched.exe (process: 2e9e752eb5829cd16d71a52eebd302c0N.exe)
- File created: C:\Program Files (x86)\Java\jre-09\bin\UF (process: 2e9e752eb5829cd16d71a52eebd302c0N.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 2e9e752eb5829cd16d71a52eebd302c0N.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: jusched.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 3596: jusched.exe (the same entry is reported 64 times)
Suspicious use of WriteProcessMemory (3 IoCs)
- PID 3244 (2e9e752eb5829cd16d71a52eebd302c0N.exe) wrote to memory of PID 3596, procid_target 89 (the same entry is reported 3 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\2e9e752eb5829cd16d71a52eebd302c0N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2e9e752eb5829cd16d71a52eebd302c0N.exe"
   PID: 3244
   - Checks computer location settings
   - Drops file in Program Files directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Program Files (x86)\Java\jre-09\bin\jusched.exe (child of process 1)
      Command line: "C:\Program Files (x86)\Java\jre-09\bin\jusched.exe"
      PID: 3596
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 96KB
- MD5: 5e6a89871c7a8a92d90455680af96571
- SHA1: f24a4396e832821ca1db448059dfda4e92bebe39
- SHA256: 5712b13f9de38327cf51081a869c99b33add412de6c05e0d7933e8825f47aa1e
- SHA512: 117bd7bd35ac3e2d9bd374cee9bbffb30f6683de4106a60dc8cbbbb8ca6a5570f35a091ed9d15e8076e7e9475803f37d9d647ba7adf46b834fffc07cc1438898