Analysis

  • max time kernel
    119s
  • max time network
    87s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    03-10-2024 22:09

General

  • Target

    d5ca4a602c9711705f065be643e3eac5dad5e7cfbfaa0dcc8e10e21bfd1535b9N.exe

  • Size

    58KB

  • MD5

    bbf6513fb2d461e723b4c740f10995c0

  • SHA1

    249b4a23201e45872e10a311cd0fe4a3b49ec981

  • SHA256

    d5ca4a602c9711705f065be643e3eac5dad5e7cfbfaa0dcc8e10e21bfd1535b9

  • SHA512

    7e3e8b66f7bc0b29a482144144da0de081c7b469c68a3a82e7f38603f3b5f516bb8d5a04342a5b4b4eb0c82f8427867e60e66ad80557ba0266674a4443101598

  • SSDEEP

    1536:gQTIubHy5wQkJAejpzkGdxDLw3qMnd2wrt5:R4wPZpzNdxDL252kt5

Score
10/10

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.tripod.com
  • Port:
    21
  • Username:
    onthelinux
  • Password:
    741852abc

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d5ca4a602c9711705f065be643e3eac5dad5e7cfbfaa0dcc8e10e21bfd1535b9N.exe
    "C:\Users\Admin\AppData\Local\Temp\d5ca4a602c9711705f065be643e3eac5dad5e7cfbfaa0dcc8e10e21bfd1535b9N.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2212
    • C:\Program Files (x86)\6af37f7d\jusched.exe
      "C:\Program Files (x86)\6af37f7d\jusched.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2360

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\6af37f7d\6af37f7d

    Filesize

    13B

    MD5

    f253efe302d32ab264a76e0ce65be769

    SHA1

    768685ca582abd0af2fbb57ca37752aa98c9372b

    SHA256

    49dca65f362fee401292ed7ada96f96295eab1e589c52e4e66bf4aedda715fdd

    SHA512

    1990d20b462406bbadb22ba43f1ed9d0db6b250881d4ac89ad8cf6e43ca92b2fd31c3a15be1e6e149e42fdb46e58122c15bc7869a82c9490656c80df69fa77c4

  • \Program Files (x86)\6af37f7d\jusched.exe

    Filesize

    58KB

    MD5

    b9b84f52c7bd18818387d3c7b86229db

    SHA1

    261c153e530cc4569d9fa911f053194b6e506987

    SHA256

    22bd749aebbecae17b2040352489698b1b9547cf11fe6d33d437624251462fbd

    SHA512

    9cb1a2064cf2d98292972b827c55361e73530a37a0265604d1558e734b0bd3355715467ff496211395d0b3150267d9df1fa88ab86faff292d68fc90ecd0f9c57