39c13ee490a2c4cf6f3aafe92734edbf2373f25cc6fab8e15cd4cf590f1abdf1

General

Target

39c13ee490a2c4cf6f3aafe92734edbf2373f25cc6fab8e15cd4cf590f1abdf1.exe
Size

134KB
MD5

88e721f62470f8bd267810fbaa29104f
SHA1

ccfc0fa22d1e3feeeabc5ca090b76f58f67edada
SHA256

39c13ee490a2c4cf6f3aafe92734edbf2373f25cc6fab8e15cd4cf590f1abdf1
SHA512

f882ec0dd7f64a8c9c1b146e1b66fe217e1998b6e61df9450897c84b3b00cd8c2154336f3112e58bd47e3c11916efeb0f300d49c0bcc51ee1a23648ec5266f01

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

jusched.exesvchost.exe

pid process

1672 jusched.exe
1228 svchost.exe

pid	process
1672	jusched.exe
1228	svchost.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\Java SE Platform Updater\jusched.exe	upx
behavioral1/memory/904-59-0x0000000000AF0000-0x0000000000B68000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\Java SE Platform Updater\jusched.exe	upx
behavioral1/memory/1672-60-0x0000000001080000-0x00000000010F8000-memory.dmp	upx
behavioral1/memory/1672-65-0x0000000001080000-0x00000000010F8000-memory.dmp	upx

Deletes itself 1 IoCs

Processes:

jusched.exe

pid process

1672 jusched.exe
Loads dropped DLL 2 IoCs

Processes:

39c13ee490a2c4cf6f3aafe92734edbf2373f25cc6fab8e15cd4cf590f1abdf1.exejusched.exe

pid process

904 39c13ee490a2c4cf6f3aafe92734edbf2373f25cc6fab8e15cd4cf590f1abdf1.exe
1672 jusched.exe

pid	process
1672	jusched.exe

pid	process
904	39c13ee490a2c4cf6f3aafe92734edbf2373f25cc6fab8e15cd4cf590f1abdf1.exe
1672	jusched.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

39c13ee490a2c4cf6f3aafe92734edbf2373f25cc6fab8e15cd4cf590f1abdf1.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run	39c13ee490a2c4cf6f3aafe92734edbf2373f25cc6fab8e15cd4cf590f1abdf1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java SE Platform Updater = "\"C:\\Users\\Admin\\AppData\\Roaming\\Java SE Platform Updater\\jusched.exe\""	39c13ee490a2c4cf6f3aafe92734edbf2373f25cc6fab8e15cd4cf590f1abdf1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

jusched.exe

pid process

1672 jusched.exe

pid	process
1672	jusched.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

39c13ee490a2c4cf6f3aafe92734edbf2373f25cc6fab8e15cd4cf590f1abdf1.exejusched.exe

description	pid	process	target process
PID 904 wrote to memory of 1672	904	39c13ee490a2c4cf6f3aafe92734edbf2373f25cc6fab8e15cd4cf590f1abdf1.exe	jusched.exe
PID 904 wrote to memory of 1672	904	39c13ee490a2c4cf6f3aafe92734edbf2373f25cc6fab8e15cd4cf590f1abdf1.exe	jusched.exe
PID 904 wrote to memory of 1672	904	39c13ee490a2c4cf6f3aafe92734edbf2373f25cc6fab8e15cd4cf590f1abdf1.exe	jusched.exe
PID 904 wrote to memory of 1672	904	39c13ee490a2c4cf6f3aafe92734edbf2373f25cc6fab8e15cd4cf590f1abdf1.exe	jusched.exe
PID 904 wrote to memory of 1672	904	39c13ee490a2c4cf6f3aafe92734edbf2373f25cc6fab8e15cd4cf590f1abdf1.exe	jusched.exe
PID 904 wrote to memory of 1672	904	39c13ee490a2c4cf6f3aafe92734edbf2373f25cc6fab8e15cd4cf590f1abdf1.exe	jusched.exe
PID 904 wrote to memory of 1672	904	39c13ee490a2c4cf6f3aafe92734edbf2373f25cc6fab8e15cd4cf590f1abdf1.exe	jusched.exe
PID 1672 wrote to memory of 1228	1672	jusched.exe	svchost.exe
PID 1672 wrote to memory of 1228	1672	jusched.exe	svchost.exe
PID 1672 wrote to memory of 1228	1672	jusched.exe	svchost.exe
PID 1672 wrote to memory of 1228	1672	jusched.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\39c13ee490a2c4cf6f3aafe92734edbf2373f25cc6fab8e15cd4cf590f1abdf1.exe
"C:\Users\Admin\AppData\Local\Temp\39c13ee490a2c4cf6f3aafe92734edbf2373f25cc6fab8e15cd4cf590f1abdf1.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:904

C:\Users\Admin\AppData\Roaming\Java SE Platform Updater\jusched.exe
"C:\Users\Admin\AppData\Roaming\Java SE Platform Updater\jusched.exe" C:\Users\Admin\AppData\Local\Temp\39c13ee490a2c4cf6f3aafe92734edbf2373f25cc6fab8e15cd4cf590f1abdf1.exe
2⤵
- Executes dropped EXE
- Deletes itself
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1672

C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
3⤵
- Executes dropped EXE
PID:1228

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
178KB

MD5
04d4986fe58edc324f7ed4a193242e2a

SHA1
72ce688ecca5f741f597773fb8640d3a7a98599c

SHA256
ef2d4c5dc95593b5096f1b5657c7649543e558eff47b3c66ae10ee71a73304a7

SHA512
5ae6a1588f25bba366bded951732be8dd3699ad5d6c56ba84c5ed44426b14021b8c2ff90d4c2161398fff79af6039011a18269dd7861f3ce3a89447661f30712

Download Submit
C:\Users\Admin\AppData\Roaming\Java SE Platform Updater\jusched.exe
Filesize
134KB

MD5
88e721f62470f8bd267810fbaa29104f

SHA1
ccfc0fa22d1e3feeeabc5ca090b76f58f67edada

SHA256
39c13ee490a2c4cf6f3aafe92734edbf2373f25cc6fab8e15cd4cf590f1abdf1

SHA512
f882ec0dd7f64a8c9c1b146e1b66fe217e1998b6e61df9450897c84b3b00cd8c2154336f3112e58bd47e3c11916efeb0f300d49c0bcc51ee1a23648ec5266f01

Download Submit
\Users\Admin\AppData\Local\Temp\svchost.exe
Filesize
178KB

MD5
04d4986fe58edc324f7ed4a193242e2a

SHA1
72ce688ecca5f741f597773fb8640d3a7a98599c

SHA256
ef2d4c5dc95593b5096f1b5657c7649543e558eff47b3c66ae10ee71a73304a7

SHA512
5ae6a1588f25bba366bded951732be8dd3699ad5d6c56ba84c5ed44426b14021b8c2ff90d4c2161398fff79af6039011a18269dd7861f3ce3a89447661f30712

Download Submit
\Users\Admin\AppData\Roaming\Java SE Platform Updater\jusched.exe
Filesize
134KB

MD5
88e721f62470f8bd267810fbaa29104f

SHA1
ccfc0fa22d1e3feeeabc5ca090b76f58f67edada

SHA256
39c13ee490a2c4cf6f3aafe92734edbf2373f25cc6fab8e15cd4cf590f1abdf1

SHA512
f882ec0dd7f64a8c9c1b146e1b66fe217e1998b6e61df9450897c84b3b00cd8c2154336f3112e58bd47e3c11916efeb0f300d49c0bcc51ee1a23648ec5266f01

Download Submit
memory/904-54-0x00000000753B1000-0x00000000753B3000-memory.dmp

Filesize
8KB

Download
memory/904-59-0x0000000000AF0000-0x0000000000B68000-memory.dmp

Filesize
480KB

Download
memory/1228-62-0x0000000000000000-mapping.dmp

Download
memory/1672-56-0x0000000000000000-mapping.dmp

Download
memory/1672-60-0x0000000001080000-0x00000000010F8000-memory.dmp

Filesize
480KB

Download
memory/1672-65-0x0000000001080000-0x00000000010F8000-memory.dmp

Filesize
480KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads