Overview

overview

10

Static

static

3

dfd9c5513c...0N.exe

windows7-x64

10

dfd9c5513c...0N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    07/09/2024, 02:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dfd9c5513c1c04555d274b8e27ca42d0N.exe

  • Size

    306KB

  • MD5

    dfd9c5513c1c04555d274b8e27ca42d0

  • SHA1

    1bc606e4212f80b8f802c2cb1bc276ddc32e9075

  • SHA256

    8d6ef83c290e549c32ba59da65bcc8f4e10de20189854008f325987ae9f7b461

  • SHA512

    1f51afef4b7e1fc7078a9101ef0ac09056c4314037777de68eb2e04396f643aa0f80978ae49b470a0159d8668e306f761bbb2d10cbbac1142079259849e22004

  • SSDEEP

    3072:tVHgCc4xGvbwcU9KQ2BBAHmaPxvVo4b5E/g:QCc4xGxWKQ2BonxIg

Score
10/10
discovery

Malware Config

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    ftp.tripod.com
  • Port:
    21
  • Username:
    onthelinux
  • Password:
    741852abc

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dfd9c5513c1c04555d274b8e27ca42d0N.exe
    "C:\Users\Admin\AppData\Local\Temp\dfd9c5513c1c04555d274b8e27ca42d0N.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2068
    • C:\Program Files (x86)\2295d5e3\jusched.exe
      "C:\Program Files (x86)\2295d5e3\jusched.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2916

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\2295d5e3\2295d5e3
    Filesize

    17B

    MD5

    134c1d489094d6d3399f65b0e9aebc1f

    SHA1

    612a57fbe6ed3ab9c15b39451171d813314a28d5

    SHA256

    54f9150d1268f7b4b83dd9fc3ec32274bf749715a5806ff3ca5262f5427d6781

    SHA512

    b09bf60e4850d05261d81a124a647dd111f42480224eae8a3bd2f64736c38119953703f868ad34194a7ae6dad6aabff4081ba73df262bbe9f5327867c56a48ed

    Download Submit

  • \Program Files (x86)\2295d5e3\jusched.exe
    Filesize

    306KB

    MD5

    13c92f589f0aeb991d4dfc7e82300ab3

    SHA1

    3b5df2b34a4de7bdd8d27435174b2eee6956232e

    SHA256

    29c7105f352514d9e5f1f979bb6bbac86a92b5c8ffa4ea29da8b3495bb7e04d3

    SHA512

    1742735bb0002ec75d7c65c2736ffddc2b3c0bb22dd3bbb4e089513bd8c3a457b3252d880e42bde22f25199124fcec7d697a873797d4e76d3ed3ac37e6c38257

    Download Submit

  • memory/2068-0-0x0000000000400000-0x000000000045E000-memory.dmp

    Filesize

    376KB

    Download

  • memory/2068-7-0x0000000002A60000-0x0000000002ABE000-memory.dmp

    Filesize

    376KB

    Download

  • memory/2068-12-0x0000000000400000-0x000000000045E000-memory.dmp

    Filesize

    376KB

    Download

  • memory/2916-14-0x0000000000400000-0x000000000045E000-memory.dmp

    Filesize

    376KB

    Download

  • memory/2916-15-0x0000000000400000-0x000000000045E000-memory.dmp

    Filesize

    376KB

    Download