39c13ee490a2c4cf6f3aafe92734edbf2373f25cc6fab8e15cd4cf590f1abdf1

General

Target

39c13ee490a2c4cf6f3aafe92734edbf2373f25cc6fab8e15cd4cf590f1abdf1.exe
Size

134KB
MD5

88e721f62470f8bd267810fbaa29104f
SHA1

ccfc0fa22d1e3feeeabc5ca090b76f58f67edada
SHA256

39c13ee490a2c4cf6f3aafe92734edbf2373f25cc6fab8e15cd4cf590f1abdf1
SHA512

f882ec0dd7f64a8c9c1b146e1b66fe217e1998b6e61df9450897c84b3b00cd8c2154336f3112e58bd47e3c11916efeb0f300d49c0bcc51ee1a23648ec5266f01

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

jusched.exesvchost.exe

pid process

2100 jusched.exe
3756 svchost.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/776-130-0x0000000000440000-0x00000000004B8000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\Java SE Platform Updater\jusched.exe	upx
C:\Users\Admin\AppData\Roaming\Java SE Platform Updater\jusched.exe	upx
behavioral2/memory/776-134-0x0000000000440000-0x00000000004B8000-memory.dmp	upx
behavioral2/memory/2100-135-0x0000000000950000-0x00000000009C8000-memory.dmp	upx
behavioral2/memory/2100-139-0x0000000000950000-0x00000000009C8000-memory.dmp	upx

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

39c13ee490a2c4cf6f3aafe92734edbf2373f25cc6fab8e15cd4cf590f1abdf1.exejusched.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	39c13ee490a2c4cf6f3aafe92734edbf2373f25cc6fab8e15cd4cf590f1abdf1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	jusched.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

39c13ee490a2c4cf6f3aafe92734edbf2373f25cc6fab8e15cd4cf590f1abdf1.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Run	39c13ee490a2c4cf6f3aafe92734edbf2373f25cc6fab8e15cd4cf590f1abdf1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java SE Platform Updater = "\"C:\\Users\\Admin\\AppData\\Roaming\\Java SE Platform Updater\\jusched.exe\""	39c13ee490a2c4cf6f3aafe92734edbf2373f25cc6fab8e15cd4cf590f1abdf1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 44 IoCs

Processes:

jusched.exe

pid	process
2100	jusched.exe
2100	jusched.exe
2100	jusched.exe
2100	jusched.exe
2100	jusched.exe
2100	jusched.exe
2100	jusched.exe
2100	jusched.exe
2100	jusched.exe
2100	jusched.exe
2100	jusched.exe
2100	jusched.exe
2100	jusched.exe
2100	jusched.exe
2100	jusched.exe
2100	jusched.exe
2100	jusched.exe
2100	jusched.exe
2100	jusched.exe
2100	jusched.exe
2100	jusched.exe
2100	jusched.exe
2100	jusched.exe
2100	jusched.exe
2100	jusched.exe
2100	jusched.exe
2100	jusched.exe
2100	jusched.exe
2100	jusched.exe
2100	jusched.exe
2100	jusched.exe
2100	jusched.exe
2100	jusched.exe
2100	jusched.exe
2100	jusched.exe
2100	jusched.exe
2100	jusched.exe
2100	jusched.exe
2100	jusched.exe
2100	jusched.exe
2100	jusched.exe
2100	jusched.exe
2100	jusched.exe
2100	jusched.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

39c13ee490a2c4cf6f3aafe92734edbf2373f25cc6fab8e15cd4cf590f1abdf1.exejusched.exe

description	pid	process	target process
PID 776 wrote to memory of 2100	776	39c13ee490a2c4cf6f3aafe92734edbf2373f25cc6fab8e15cd4cf590f1abdf1.exe	jusched.exe
PID 776 wrote to memory of 2100	776	39c13ee490a2c4cf6f3aafe92734edbf2373f25cc6fab8e15cd4cf590f1abdf1.exe	jusched.exe
PID 776 wrote to memory of 2100	776	39c13ee490a2c4cf6f3aafe92734edbf2373f25cc6fab8e15cd4cf590f1abdf1.exe	jusched.exe
PID 2100 wrote to memory of 3756	2100	jusched.exe	svchost.exe
PID 2100 wrote to memory of 3756	2100	jusched.exe	svchost.exe
PID 2100 wrote to memory of 3756	2100	jusched.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\39c13ee490a2c4cf6f3aafe92734edbf2373f25cc6fab8e15cd4cf590f1abdf1.exe
"C:\Users\Admin\AppData\Local\Temp\39c13ee490a2c4cf6f3aafe92734edbf2373f25cc6fab8e15cd4cf590f1abdf1.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:776
- C:\Users\Admin\AppData\Roaming\Java SE Platform Updater\jusched.exe
  "C:\Users\Admin\AppData\Roaming\Java SE Platform Updater\jusched.exe" C:\Users\Admin\AppData\Local\Temp\39c13ee490a2c4cf6f3aafe92734edbf2373f25cc6fab8e15cd4cf590f1abdf1.exe
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2100
- - C:\Users\Admin\AppData\Local\Temp\svchost.exe
    "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Executes dropped EXE
    PID:3756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
178KB

MD5
04d4986fe58edc324f7ed4a193242e2a

SHA1
72ce688ecca5f741f597773fb8640d3a7a98599c

SHA256
ef2d4c5dc95593b5096f1b5657c7649543e558eff47b3c66ae10ee71a73304a7

SHA512
5ae6a1588f25bba366bded951732be8dd3699ad5d6c56ba84c5ed44426b14021b8c2ff90d4c2161398fff79af6039011a18269dd7861f3ce3a89447661f30712

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
178KB

MD5
04d4986fe58edc324f7ed4a193242e2a

SHA1
72ce688ecca5f741f597773fb8640d3a7a98599c

SHA256
ef2d4c5dc95593b5096f1b5657c7649543e558eff47b3c66ae10ee71a73304a7

SHA512
5ae6a1588f25bba366bded951732be8dd3699ad5d6c56ba84c5ed44426b14021b8c2ff90d4c2161398fff79af6039011a18269dd7861f3ce3a89447661f30712

Download Submit
C:\Users\Admin\AppData\Roaming\Java SE Platform Updater\jusched.exe

Filesize
134KB

MD5
88e721f62470f8bd267810fbaa29104f

SHA1
ccfc0fa22d1e3feeeabc5ca090b76f58f67edada

SHA256
39c13ee490a2c4cf6f3aafe92734edbf2373f25cc6fab8e15cd4cf590f1abdf1

SHA512
f882ec0dd7f64a8c9c1b146e1b66fe217e1998b6e61df9450897c84b3b00cd8c2154336f3112e58bd47e3c11916efeb0f300d49c0bcc51ee1a23648ec5266f01

Download Submit
C:\Users\Admin\AppData\Roaming\Java SE Platform Updater\jusched.exe

Filesize
134KB

MD5
88e721f62470f8bd267810fbaa29104f

SHA1
ccfc0fa22d1e3feeeabc5ca090b76f58f67edada

SHA256
39c13ee490a2c4cf6f3aafe92734edbf2373f25cc6fab8e15cd4cf590f1abdf1

SHA512
f882ec0dd7f64a8c9c1b146e1b66fe217e1998b6e61df9450897c84b3b00cd8c2154336f3112e58bd47e3c11916efeb0f300d49c0bcc51ee1a23648ec5266f01

Download Submit
memory/776-130-0x0000000000440000-0x00000000004B8000-memory.dmp

Filesize
480KB

Download
memory/776-134-0x0000000000440000-0x00000000004B8000-memory.dmp

Filesize
480KB

Download
memory/2100-131-0x0000000000000000-mapping.dmp

Download
memory/2100-135-0x0000000000950000-0x00000000009C8000-memory.dmp

Filesize
480KB

Download
memory/2100-139-0x0000000000950000-0x00000000009C8000-memory.dmp

Filesize
480KB

Download
memory/3756-136-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads