Analysis
- max time kernel: 150s
- max time network: 138s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 13-05-2021 12:58
Static task: static1
Behavioral task: behavioral1
  Sample: 76975b18a5657bafee53b5b0d30e70ab4a43ef59a181e1d20666772208644bdc.exe
  Resource: win7v20210408
Behavioral task: behavioral2
  Sample: 76975b18a5657bafee53b5b0d30e70ab4a43ef59a181e1d20666772208644bdc.exe
  Resource: win10v20210408
General
- Target: 76975b18a5657bafee53b5b0d30e70ab4a43ef59a181e1d20666772208644bdc.exe
- Size: 58KB
- MD5: b8773f418146adfc92a6917c55bef254
- SHA1: d2f8bd0c221b1cbebde25f4957ed5eea99bb7ec5
- SHA256: 76975b18a5657bafee53b5b0d30e70ab4a43ef59a181e1d20666772208644bdc
- SHA512: 9e66f7ff300c04541fdff72d5db7f11b3acb2a56badc6914b370f3cdee3ab7e19a447196e8277149ce2bf313744c2b04656ed2f8db2529a876d657b26d30f184
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Process: jusched.exe (PID 196)
- Drops file in Program Files directory (2 IoCs)
  Process 76975b18a5657bafee53b5b0d30e70ab4a43ef59a181e1d20666772208644bdc.exe (PID 2840) created:
    C:\Program Files (x86)\9ce2caed\jusched.exe
    C:\Program Files (x86)\9ce2caed\9ce2caed
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s); the sandbox labels this as likely ransomware behaviour. This is a heuristic classification: the report attributes no specific process or file IoC to it.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Process: jusched.exe (PID 196), all 64 hits
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 2840 (76975b18a5657bafee53b5b0d30e70ab4a43ef59a181e1d20666772208644bdc.exe) wrote to the memory of PID 196 (jusched.exe) three times. Writes by a parent into a child it has just created are also consistent with ordinary process start-up, so on their own they are a weak indicator of injection.
Processes
- C:\Users\Admin\AppData\Local\Temp\76975b18a5657bafee53b5b0d30e70ab4a43ef59a181e1d20666772208644bdc.exe (PID 2840)
  Command line: "C:\Users\Admin\AppData\Local\Temp\76975b18a5657bafee53b5b0d30e70ab4a43ef59a181e1d20666772208644bdc.exe"
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\9ce2caed\jusched.exe (PID 196, child of PID 2840)
    Command line: "C:\Program Files (x86)\9ce2caed\jusched.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
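The following is an added example, not part of the sandbox report and not the sandbox's own signature code. It re-implements the report's "Drops file in Program Files directory" and "Executes dropped EXE" signatures as a correlation over Sysmon-style ProcessCreate (EID 1) and FileCreate (EID 11) events, and adds a name-masquerade check for a well-known binary name (jusched.exe) running from an unexpected folder. The event list is constructed from the report's process tree and file IoCs (PIDs 2840 and 196, the 9ce2caed directory); the dropper's own parent PID (1000), the benign control event for PID 500, and the expected location of the genuine Java Update Scheduler binary under Common Files\Java\Java Update are assumptions, not facts taken from the report.

```python
"""Correlate Sysmon-style events to reproduce two of the report's signatures
("Drops file in Program Files directory", "Executes dropped EXE") and add a
name-masquerade check for the dropped jusched.exe.

Added example; not part of the sandbox report or the Sysmon project.
EVENTS is constructed from the report's process tree and file IoCs; the
parent PID 1000 and the PID 500 control event are made up for illustration.
Field names follow Sysmon's ProcessCreate (EID 1) / FileCreate (EID 11)
schema, but the records are hand-written, not captured logs.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Finding:
    rule: str
    pid: int
    path: str
    detail: str


DROPPER = (r"C:\Users\Admin\AppData\Local\Temp"
           r"\76975b18a5657bafee53b5b0d30e70ab4a43ef59a181e1d20666772208644bdc.exe")
DROPPED_EXE = r"C:\Program Files (x86)\9ce2caed\jusched.exe"

EVENTS = [  # constructed, in chronological order
    {"EventID": 1, "ProcessId": 2840, "ParentProcessId": 1000, "Image": DROPPER},
    {"EventID": 11, "ProcessId": 2840, "TargetFilename": DROPPED_EXE},
    {"EventID": 11, "ProcessId": 2840,
     "TargetFilename": r"C:\Program Files (x86)\9ce2caed\9ce2caed"},
    {"EventID": 1, "ProcessId": 196, "ParentProcessId": 2840, "Image": DROPPED_EXE},
    # benign control: an installer writing a text file under Program Files
    {"EventID": 11, "ProcessId": 500,
     "TargetFilename": r"C:\Program Files\VendorApp\readme.txt"},
]

PROGRAM_FILES = re.compile(r"^[a-z]:\\program files( \(x86\))?\\", re.IGNORECASE)

# Assumption: where the genuine Java Update Scheduler binary is expected to
# live. Adjust this allowlist for your own estate.
KNOWN_NAMES = {
    "jusched.exe": re.compile(r"\\common files\\java\\java update\\jusched\.exe$",
                              re.IGNORECASE),
}


def drops_in_program_files(events):
    """Every FileCreate under Program Files. The sandbox counts each such write
    (the extension-less 9ce2caed file included), so this rule is noisy alone."""
    return [Finding("Drops file in Program Files directory", e["ProcessId"],
                    e["TargetFilename"], "")
            for e in events
            if e["EventID"] == 11 and PROGRAM_FILES.match(e["TargetFilename"])]


def executes_dropped_exe(events):
    """ProcessCreate whose Image was written earlier in the same trace."""
    dropped = defaultdict(set)  # normalised path -> PIDs that created it
    findings = []
    for e in events:
        if e["EventID"] == 11:
            dropped[e["TargetFilename"].lower()].add(e["ProcessId"])
        elif e["EventID"] == 1:
            creators = dropped.get(e["Image"].lower())
            if creators:
                by_dropper = e["ParentProcessId"] in creators
                detail = f"dropped by PID(s) {sorted(creators)}"
                if by_dropper:
                    detail += "; launched by the dropper itself"
                findings.append(Finding("Executes dropped EXE", e["ProcessId"],
                                        e["Image"], detail))
    return findings


def masquerading_names(events):
    """ProcessCreate whose file name is a well-known binary but whose path is
    not the expected one (the report's jusched.exe sits in a random-looking dir)."""
    findings = []
    for e in events:
        if e["EventID"] != 1:
            continue
        name = e["Image"].rsplit("\\", 1)[-1].lower()
        expected = KNOWN_NAMES.get(name)
        if expected and not expected.search(e["Image"]):
            findings.append(Finding("Well-known binary name outside expected path",
                                    e["ProcessId"], e["Image"], f"name {name}"))
    return findings


def run_all(events):
    return (drops_in_program_files(events) + executes_dropped_exe(events)
            + masquerading_names(events))


if __name__ == "__main__":
    for f in run_all(EVENTS):
        print(f"[{f.rule}] PID {f.pid}: {f.path} {f.detail}".rstrip())
```

Run stand-alone it reports five findings. The Program Files rule fires on the benign control event as well, which is why that signature only becomes interesting in combination with the dropped file being executed by its own dropper (PID 2840 launching PID 196 here); the masquerade rule is what separates this jusched.exe from a legitimately installed updater.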
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Program Files (x86)\9ce2caed\9ce2caed
  MD5: f253efe302d32ab264a76e0ce65be769
  SHA1: 768685ca582abd0af2fbb57ca37752aa98c9372b
  SHA256: 49dca65f362fee401292ed7ada96f96295eab1e589c52e4e66bf4aedda715fdd
  SHA512: 1990d20b462406bbadb22ba43f1ed9d0db6b250881d4ac89ad8cf6e43ca92b2fd31c3a15be1e6e149e42fdb46e58122c15bc7869a82c9490656c80df69fa77c4
- C:\Program Files (x86)\9ce2caed\jusched.exe
  MD5: b92582e02d1e69f72bb82ae8b04e7cda
  SHA1: 4c61144a2a6b3799edae12c00b728d9fe62fea7c
  SHA256: b8e828c6568d151fecc13a469a1e09e278ff653f0b78b7f2d411e36398e66cd7
  SHA512: e501ce65de18a4564e382e0db44a0ec42c58044def3dfcb55ccabc51cc67679e869b6a05c882670634ecfaee0914957737549189655192eb7cb7641acd4c6dbb
  Note: the SHA256 of the dropped jusched.exe differs from the submitted sample's (76975b18...), so the dropper writes a distinct payload rather than a copy of itself; hunt for both hashes.
- memory/196-114-0x0000000000000000-mapping.dmp