Analysis

  • max time kernel
    106s
  • max time network
    108s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    09/09/2024, 17:23

General

  • Target

    bde72e595400943f1f4f05e9d83e1af0N.exe

  • Size

    426KB

  • MD5

    bde72e595400943f1f4f05e9d83e1af0

  • SHA1

    d361fba5ae2db05e7e5a25b570d81d837dc12bc6

  • SHA256

    ec6618122fb76359cf92bf3661a5853849c6e506f9d55b1b31f0283dc92cf7a7

  • SHA512

    6c7bd41c6f1cf723f0f2dc0262d61797edbfe8f6fe6334e22b6e5c8b20c99e4ebeac73409ecdf2ee91fa1bfd41fcbeddb4971500f6f0cff3e08959641a71ead2

  • SSDEEP

    1536:SwQgHSLYUWjzlZLXf4QJpUT0mSBAgapetc8o/Kdgo+QGuG3gvh1nwp:SBIS3WjzrLXQQJKgmSBAVpet2Ago+l3

Score
10/10

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.tripod.com
  • Port:
    21
  • Username:
    onthelinux
  • Password:
    741852abc

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bde72e595400943f1f4f05e9d83e1af0N.exe
    "C:\Users\Admin\AppData\Local\Temp\bde72e595400943f1f4f05e9d83e1af0N.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1860
    • C:\Program Files (x86)\5cabb5ac\jusched.exe
      "C:\Program Files (x86)\5cabb5ac\jusched.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2964

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Program Files (x86)\5cabb5ac\5cabb5ac

    Filesize

    17B

    MD5

    2130fee70fc3f7c10d5279f96f98ad1e

    SHA1

    4307cef89171fa230048ea22546802198d888780

    SHA256

    3506e286f6223ccaf1665d4e457b712abeb527266ff28327ce60e37b9fbeb404

    SHA512

    67fa1bb31028ff3ba125f184207499b9205f58c9eef2ac948f5824475515c396b3d5f93e207cb96deffe1aedb286b1f935cc689c5d84449e51c517da1cffe2e5

  • \Program Files (x86)\5cabb5ac\jusched.exe

    Filesize

    426KB

    MD5

    8f22ba397ee99e5919719869fb2942ac

    SHA1

    1e57dedf720edb77b31f5543d3e115118651718d

    SHA256

    fba3d69f3f30e05b9823abcf096e88e2e6e55660157bf941dae3573d2f377dc2

    SHA512

    0b39a3d91a510e4c828e3737fab60c95db4ebf2aeebb0fd2310337aa1e0454ecd7e3ce7a768de6240b96acf57fc22c244ebb726571441e19597e13044c0200b2

  • memory/1860-0-0x0000000000400000-0x000000000047B000-memory.dmp

    Filesize

    492KB

  • memory/1860-7-0x0000000002AD0000-0x0000000002B4B000-memory.dmp

    Filesize

    492KB

  • memory/1860-13-0x0000000000400000-0x000000000047B000-memory.dmp

    Filesize

    492KB

  • memory/2964-14-0x0000000000400000-0x000000000047B000-memory.dmp

    Filesize

    492KB

  • memory/2964-16-0x0000000000400000-0x000000000047B000-memory.dmp

    Filesize

    492KB