Analysis

  • max time kernel
    150s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
  • submitted
    20/11/2024, 19:32 UTC

General

  • Target

    06797dde9ab6d4a5bde3eede6251f9c9bbcfc11ff76016f9f4f29cbc6cd6e8bb.exe

  • Size

    64KB

  • MD5

    f0e183b86ab8b9f3dd23614b6f8a887d

  • SHA1

    6927626bae28729ba6635d9daba5a7a4e3f9e0f4

  • SHA256

    06797dde9ab6d4a5bde3eede6251f9c9bbcfc11ff76016f9f4f29cbc6cd6e8bb

  • SHA512

    79c81db5c377089037c7d2ca2bf6c75b15a028e6747504fcca2dacb31023f4ed4096c2f403330186ab8bb1bae822c7530af92841fd6834ba453280f533d9392d

  • SSDEEP

    768:6zQYScGrIubHuYtv0xwYHw5FAe2QQncwx8Nwv92g3iVS77DeJRl05:8QTIubHR5wQQAc3iVS77my5

Score
10/10

Malware Config

Extracted

Credentials

  • Protocol:
    ftp
  • Host:
    ftp.tripod.com
  • Port:
    21
  • Username:
    onthelinux
  • Password:
    741852abc

Signatures

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\06797dde9ab6d4a5bde3eede6251f9c9bbcfc11ff76016f9f4f29cbc6cd6e8bb.exe
    "C:\Users\Admin\AppData\Local\Temp\06797dde9ab6d4a5bde3eede6251f9c9bbcfc11ff76016f9f4f29cbc6cd6e8bb.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2368
    • C:\Program Files (x86)\a486a924\jusched.exe
      "C:\Program Files (x86)\a486a924\jusched.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:1616

Network

  • flag-us
    DNS
    elegan_786444.el.funpic.org
    jusched.exe
    Remote address:
    8.8.8.8:53
    Request
    elegan_786444.el.funpic.org
    IN A
    Response
  • flag-us
    DNS
    griptoloji.host-ed.net
    jusched.exe
    Remote address:
    8.8.8.8:53
    Request
    griptoloji.host-ed.net
    IN A
    Response
  • flag-us
    DNS
    ftp.tripod.com
    jusched.exe
    Remote address:
    8.8.8.8:53
    Request
    ftp.tripod.com
    IN A
    Response
    ftp.tripod.com
    IN A
    209.202.252.54
  • 209.202.252.54:21
    ftp.tripod.com
    ftp
    jusched.exe
    303 B
    367 B
    6
    6
  • 209.202.252.54:21
    ftp.tripod.com
    jusched.exe
    190 B
    124 B
    4
    3
  • 8.8.8.8:53
    elegan_786444.el.funpic.org
    dns
    jusched.exe
    73 B
    138 B
    1
    1

    DNS Request

    elegan_786444.el.funpic.org

  • 8.8.8.8:53
    griptoloji.host-ed.net
    dns
    jusched.exe
    68 B
    124 B
    1
    1

    DNS Request

    griptoloji.host-ed.net

  • 8.8.8.8:53
    ftp.tripod.com
    dns
    jusched.exe
    60 B
    76 B
    1
    1

    DNS Request

    ftp.tripod.com

    DNS Response

    209.202.252.54

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\a486a924\a486a924

    Filesize

    13B

    MD5

    f253efe302d32ab264a76e0ce65be769

    SHA1

    768685ca582abd0af2fbb57ca37752aa98c9372b

    SHA256

    49dca65f362fee401292ed7ada96f96295eab1e589c52e4e66bf4aedda715fdd

    SHA512

    1990d20b462406bbadb22ba43f1ed9d0db6b250881d4ac89ad8cf6e43ca92b2fd31c3a15be1e6e149e42fdb46e58122c15bc7869a82c9490656c80df69fa77c4

  • \Program Files (x86)\a486a924\jusched.exe

    Filesize

    64KB

    MD5

    d4400d366335e1848e886320809699cb

    SHA1

    d0f9f6ea0c69569742b1f635cc9e2fd672996e6d

    SHA256

    eb60811deab6216b019457bc8acdec2555c69af15fe380640ef15e50f6375c3f

    SHA512

    60edf1dc006517339c40bcc801441abcb10aa858a3286cb747581ffb256861efa2c09c221869403bb04d63806bfa1b75dfb0db31cc6463981823c6e506579017

  • memory/1616-15-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/2368-0-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/2368-11-0x0000000000470000-0x000000000049C000-memory.dmp

    Filesize

    176KB

  • memory/2368-10-0x0000000000400000-0x000000000042C000-memory.dmp

    Filesize

    176KB

  • memory/2368-14-0x0000000000470000-0x000000000049C000-memory.dmp

    Filesize

    176KB
