Analysis
max time kernel: 120s
max time network: 118s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/08/2024, 02:40
Static task: static1
Behavioral task: behavioral1
Sample: 49f5368f5d533b0a9422926bf93e4e30N.exe
Resource: win7-20240708-en
Behavioral task: behavioral2
Sample: 49f5368f5d533b0a9422926bf93e4e30N.exe
Resource: win10v2004-20240802-en
General
Target: 49f5368f5d533b0a9422926bf93e4e30N.exe
Size: 245KB
MD5: 49f5368f5d533b0a9422926bf93e4e30
SHA1: aa8b781c935ebcefbd8dcea8e2faa7e5ecca0078
SHA256: 23631f91ff110875307a093809cbfb0813fd461b37c0fadbf9bbe8fc4c7446bd
SHA512: 5014488c6b77c4bc594fba78da5ce5fd1807ef34fb842e448b9f214646a31ff3308c1a6f653ed70986f1aeca666e973a262149b1a9fe077a8166f7ecf7e643f7
SSDEEP: 3072:JVHgCc4xGvbwcU9KQ2BBAHmaPxzVoTb5Ecvi5PZGIFBj:MCc4xGxWKQ2BonxfPDPj
Malware Config
Extracted
Protocol: ftp
Host: ftp.byethost12.com
Port: 21
Username: b12_8082975
Password: 951753zx
Signatures
-
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Key value queried: \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation (process: 49f5368f5d533b0a9422926bf93e4e30N.exe)
-
Executes dropped EXE (1 IoC)
PID 3548: jusched.exe
-
Drops file in Program Files directory (2 IoCs)
File created: C:\Program Files (x86)\bae9db32\jusched.exe (process: 49f5368f5d533b0a9422926bf93e4e30N.exe)
File created: C:\Program Files (x86)\bae9db32\bae9db32 (process: 49f5368f5d533b0a9422926bf93e4e30N.exe)
-
Drops file in Windows directory (1 IoC)
File created: C:\Windows\Tasks\Update23.job (process: 49f5368f5d533b0a9422926bf93e4e30N.exe)
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 49f5368f5d533b0a9422926bf93e4e30N.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: jusched.exe)
-
Suspicious use of WriteProcessMemory (3 IoCs)
PID 3744 (49f5368f5d533b0a9422926bf93e4e30N.exe) wrote to memory of PID 3548 (procid_target 91)
PID 3744 (49f5368f5d533b0a9422926bf93e4e30N.exe) wrote to memory of PID 3548 (procid_target 91)
PID 3744 (49f5368f5d533b0a9422926bf93e4e30N.exe) wrote to memory of PID 3548 (procid_target 91)
Processes
-
C:\Users\Admin\AppData\Local\Temp\49f5368f5d533b0a9422926bf93e4e30N.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\49f5368f5d533b0a9422926bf93e4e30N.exe"
Depth: 1
PID: 3744
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\bae9db32\jusched.exe
Command line: "C:\Program Files (x86)\bae9db32\jusched.exe"
Depth: 2
PID: 3548
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 17B
MD5: 134c1d489094d6d3399f65b0e9aebc1f
SHA1: 612a57fbe6ed3ab9c15b39451171d813314a28d5
SHA256: 54f9150d1268f7b4b83dd9fc3ec32274bf749715a5806ff3ca5262f5427d6781
SHA512: b09bf60e4850d05261d81a124a647dd111f42480224eae8a3bd2f64736c38119953703f868ad34194a7ae6dad6aabff4081ba73df262bbe9f5327867c56a48ed
-
Filesize: 245KB
MD5: 14e619cfd905e5de5821679e71ab66f5
SHA1: bb57891a53b7c7ef99838dbc449bdd5deeb71c65
SHA256: 9de8df00c471e85a804135d21c5164308a86b797346a4c5006dc4e4b0c18661e
SHA512: bc57505ac9ebba53a5c68b8cf3cd37fc27760258ad8294fb26d1d81fc80f025c6b3822adbbb1dcdcbb473e8775b00738cc371ca9d4074acdad0ec964d6698418