82ae99ba93237ca3a716cf540aa1a311ea438c9f866a4806951487f70c709ca3

Analysis

max time kernel
120s
max time network
118s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
20/08/2024, 19:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

88cc1130824258a3af8a153dd930a150N.exe
Size

235KB
MD5

88cc1130824258a3af8a153dd930a150
SHA1

5ca943673dcc09bb277ea485a76d7d159c3e31f6
SHA256

82ae99ba93237ca3a716cf540aa1a311ea438c9f866a4806951487f70c709ca3
SHA512

3d800ff10eb6c550ed32b8d1f7274e1bb6efc28ce5d27f6b90ff751105018266a175404fd4a0b34688e3b213d52a1831a5f0b311554f60cd16d733d57769534a
SSDEEP

3072:GVHgCc4xGvbwcU9KQ2BBAHmaPxiVoDb5E7UcMLHx:3Cc4xGxWKQ2BonxZcMl

Score

10^/10

discovery

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.tripod.com
Port:
21
Username:
onthelinux
Password:
741852abc

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2296	jusched.exe

Loads dropped DLL 2 IoCs

pid	Process
1996	88cc1130824258a3af8a153dd930a150N.exe
1996	88cc1130824258a3af8a153dd930a150N.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\c9e4cc35\c9e4cc35	88cc1130824258a3af8a153dd930a150N.exe
File created	C:\Program Files (x86)\c9e4cc35\jusched.exe	88cc1130824258a3af8a153dd930a150N.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Update23.job	88cc1130824258a3af8a153dd930a150N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	88cc1130824258a3af8a153dd930a150N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jusched.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 2296	1996	88cc1130824258a3af8a153dd930a150N.exe	31
PID 1996 wrote to memory of 2296	1996	88cc1130824258a3af8a153dd930a150N.exe	31
PID 1996 wrote to memory of 2296	1996	88cc1130824258a3af8a153dd930a150N.exe	31
PID 1996 wrote to memory of 2296	1996	88cc1130824258a3af8a153dd930a150N.exe	31

C:\Users\Admin\AppData\Local\Temp\88cc1130824258a3af8a153dd930a150N.exe
"C:\Users\Admin\AppData\Local\Temp\88cc1130824258a3af8a153dd930a150N.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Program Files (x86)\c9e4cc35\jusched.exe
  "C:\Program Files (x86)\c9e4cc35\jusched.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\c9e4cc35\c9e4cc35

Filesize
17B

MD5
134c1d489094d6d3399f65b0e9aebc1f

SHA1
612a57fbe6ed3ab9c15b39451171d813314a28d5

SHA256
54f9150d1268f7b4b83dd9fc3ec32274bf749715a5806ff3ca5262f5427d6781

SHA512
b09bf60e4850d05261d81a124a647dd111f42480224eae8a3bd2f64736c38119953703f868ad34194a7ae6dad6aabff4081ba73df262bbe9f5327867c56a48ed

Download Submit
\Program Files (x86)\c9e4cc35\jusched.exe

Filesize
235KB

MD5
828f5676d85155d6cd10ea6d1c33ca81

SHA1
d42e2bbf20ba750f07b9cc2304b7b2cb930d081b

SHA256
5545f04123156dd9daf60b78d45fbd1d3ccde13706093b990ef1e5ade5e9473f

SHA512
f72bf9d0cda3f150ab94d75c8a6b65a1e098662678908dd45dafd87ab1173877fde2f6383e62e2b3a422351a2fba78785eaa2c260f3b9daa7a6bd384718d32a8

Download Submit
memory/1996-0-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1996-12-0x00000000029B0000-0x00000000029FC000-memory.dmp

Filesize
304KB

Download
memory/1996-14-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1996-7-0x00000000029B0000-0x00000000029FC000-memory.dmp

Filesize
304KB

Download
memory/2296-15-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/2296-16-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download