Analysis
-
max time kernel
156s -
max time network
163s -
platform
windows10-2004_x64 -
resource
win10v2004-20220721-en -
resource tags
-
submitted
30-07-2022 21:10
General
-
Target
6170b02c4866e58fb621b325b3d03d9935b2fe4daf7e3b5472d5d3bd261ab684.exe
-
Size
760KB
-
MD5
8629ef73d999bb67b6e403755371b19b
-
SHA1
a52f6baca6221930a4a9d98a12050bdb46218005
-
SHA256
6170b02c4866e58fb621b325b3d03d9935b2fe4daf7e3b5472d5d3bd261ab684
-
SHA512
d4b9395110b200caac0bbe4aee14f2c0feaaa1c5a9c0bff790bcd10091f34cadc7be0831a08284dd72bf51eaa13029db57bd8b4faba432752ca13a49f2d7393b
Malware Config
Signatures
-
Executes dropped EXE 15 IoCs
-
UPX packed file 34 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 10 IoCs
-
AutoIT Executable 8 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious use of SetThreadContext 11 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 9 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6170b02c4866e58fb621b325b3d03d9935b2fe4daf7e3b5472d5d3bd261ab684.exe"C:\Users\Admin\AppData\Local\Temp\6170b02c4866e58fb621b325b3d03d9935b2fe4daf7e3b5472d5d3bd261ab684.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\jushed.exeC:\Users\Admin\AppData\Roaming\jushed.exe2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\jushed.exe"C:\Users\Admin\AppData\Roaming\jushed.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Java SE Platform Updater\jusched.exe"C:\Users\Admin\AppData\Roaming\Java SE Platform Updater\jusched.exe" C:\Users\Admin\AppData\Roaming\jushed.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\jushed.exeC:\Users\Admin\AppData\Roaming\jushed.exe5⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\jushed.exe"C:\Users\Admin\AppData\Roaming\jushed.exe"6⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\svchost.exe"C:\Users\Admin\AppData\Local\Temp\svchost.exe"7⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\jushed.exe"C:\Users\Admin\AppData\Roaming\jushed.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 3204⤵
- Program crash
-
C:\Users\Admin\AppData\Roaming\jushed.exe"C:\Users\Admin\AppData\Roaming\jushed.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2168 -s 3284⤵
- Program crash
-
C:\Users\Admin\AppData\Roaming\jushed.exe"C:\Users\Admin\AppData\Roaming\jushed.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2424 -s 3124⤵
- Program crash
-
C:\Users\Admin\AppData\Roaming\jushed.exe"C:\Users\Admin\AppData\Roaming\jushed.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 3124⤵
- Program crash
-
C:\Users\Admin\AppData\Roaming\jushed.exe"C:\Users\Admin\AppData\Roaming\jushed.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2864 -s 3244⤵
- Program crash
-
C:\Users\Admin\AppData\Roaming\jushed.exe"C:\Users\Admin\AppData\Roaming\jushed.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 3284⤵
- Program crash
-
C:\Users\Admin\AppData\Roaming\jushed.exe"C:\Users\Admin\AppData\Roaming\jushed.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1404 -s 3124⤵
- Program crash
-
C:\Users\Admin\AppData\Roaming\jushed.exe"C:\Users\Admin\AppData\Roaming\jushed.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4248 -s 3124⤵
- Program crash
-
C:\Users\Admin\AppData\Roaming\jushed.exe"C:\Users\Admin\AppData\Roaming\jushed.exe"3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 3284⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4120 -ip 41201⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2168 -ip 21681⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2424 -ip 24241⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1816 -ip 18161⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2864 -ip 28641⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4008 -ip 40081⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1404 -ip 14041⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4248 -ip 42481⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2280 -ip 22801⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\res.icoMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\AppData\Local\Temp\res.icoFilesize
134KB
MD5c3fb299fd88883c020d55eeaf5c3e453
SHA1f801a266e152d8538c82773a683502153b3e6bac
SHA256c471008a6c90ce3650f454e16bbcb17511d04c7e0fe868a2dce4f1678f140e0b
SHA512f80e6e05354e1a09e1e96572635d0c2ac0196ed895e8a20c4489f0eab35b3b89a11b4e69568cb7588b07916d19cc73c726bc480f9a3358af8ddee1904ad9ac9b
-
C:\Users\Admin\AppData\Local\Temp\res.icoFilesize
134KB
MD5c3fb299fd88883c020d55eeaf5c3e453
SHA1f801a266e152d8538c82773a683502153b3e6bac
SHA256c471008a6c90ce3650f454e16bbcb17511d04c7e0fe868a2dce4f1678f140e0b
SHA512f80e6e05354e1a09e1e96572635d0c2ac0196ed895e8a20c4489f0eab35b3b89a11b4e69568cb7588b07916d19cc73c726bc480f9a3358af8ddee1904ad9ac9b
-
C:\Users\Admin\AppData\Local\Temp\res.ico2Filesize
134KB
MD5c3fb299fd88883c020d55eeaf5c3e453
SHA1f801a266e152d8538c82773a683502153b3e6bac
SHA256c471008a6c90ce3650f454e16bbcb17511d04c7e0fe868a2dce4f1678f140e0b
SHA512f80e6e05354e1a09e1e96572635d0c2ac0196ed895e8a20c4489f0eab35b3b89a11b4e69568cb7588b07916d19cc73c726bc480f9a3358af8ddee1904ad9ac9b
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeFilesize
178KB
MD504d4986fe58edc324f7ed4a193242e2a
SHA172ce688ecca5f741f597773fb8640d3a7a98599c
SHA256ef2d4c5dc95593b5096f1b5657c7649543e558eff47b3c66ae10ee71a73304a7
SHA5125ae6a1588f25bba366bded951732be8dd3699ad5d6c56ba84c5ed44426b14021b8c2ff90d4c2161398fff79af6039011a18269dd7861f3ce3a89447661f30712
-
C:\Users\Admin\AppData\Local\Temp\svchost.exeFilesize
178KB
MD504d4986fe58edc324f7ed4a193242e2a
SHA172ce688ecca5f741f597773fb8640d3a7a98599c
SHA256ef2d4c5dc95593b5096f1b5657c7649543e558eff47b3c66ae10ee71a73304a7
SHA5125ae6a1588f25bba366bded951732be8dd3699ad5d6c56ba84c5ed44426b14021b8c2ff90d4c2161398fff79af6039011a18269dd7861f3ce3a89447661f30712
-
C:\Users\Admin\AppData\Roaming\Java SE Platform Updater\jusched.exeFilesize
760KB
MD58629ef73d999bb67b6e403755371b19b
SHA1a52f6baca6221930a4a9d98a12050bdb46218005
SHA2566170b02c4866e58fb621b325b3d03d9935b2fe4daf7e3b5472d5d3bd261ab684
SHA512d4b9395110b200caac0bbe4aee14f2c0feaaa1c5a9c0bff790bcd10091f34cadc7be0831a08284dd72bf51eaa13029db57bd8b4faba432752ca13a49f2d7393b
-
C:\Users\Admin\AppData\Roaming\Java SE Platform Updater\jusched.exeFilesize
760KB
MD58629ef73d999bb67b6e403755371b19b
SHA1a52f6baca6221930a4a9d98a12050bdb46218005
SHA2566170b02c4866e58fb621b325b3d03d9935b2fe4daf7e3b5472d5d3bd261ab684
SHA512d4b9395110b200caac0bbe4aee14f2c0feaaa1c5a9c0bff790bcd10091f34cadc7be0831a08284dd72bf51eaa13029db57bd8b4faba432752ca13a49f2d7393b
-
C:\Users\Admin\AppData\Roaming\jushed.exeFilesize
760KB
MD58629ef73d999bb67b6e403755371b19b
SHA1a52f6baca6221930a4a9d98a12050bdb46218005
SHA2566170b02c4866e58fb621b325b3d03d9935b2fe4daf7e3b5472d5d3bd261ab684
SHA512d4b9395110b200caac0bbe4aee14f2c0feaaa1c5a9c0bff790bcd10091f34cadc7be0831a08284dd72bf51eaa13029db57bd8b4faba432752ca13a49f2d7393b
-
C:\Users\Admin\AppData\Roaming\jushed.exeFilesize
760KB
MD58629ef73d999bb67b6e403755371b19b
SHA1a52f6baca6221930a4a9d98a12050bdb46218005
SHA2566170b02c4866e58fb621b325b3d03d9935b2fe4daf7e3b5472d5d3bd261ab684
SHA512d4b9395110b200caac0bbe4aee14f2c0feaaa1c5a9c0bff790bcd10091f34cadc7be0831a08284dd72bf51eaa13029db57bd8b4faba432752ca13a49f2d7393b
-
C:\Users\Admin\AppData\Roaming\jushed.exeFilesize
760KB
MD58629ef73d999bb67b6e403755371b19b
SHA1a52f6baca6221930a4a9d98a12050bdb46218005
SHA2566170b02c4866e58fb621b325b3d03d9935b2fe4daf7e3b5472d5d3bd261ab684
SHA512d4b9395110b200caac0bbe4aee14f2c0feaaa1c5a9c0bff790bcd10091f34cadc7be0831a08284dd72bf51eaa13029db57bd8b4faba432752ca13a49f2d7393b
-
C:\Users\Admin\AppData\Roaming\jushed.exeFilesize
760KB
MD58629ef73d999bb67b6e403755371b19b
SHA1a52f6baca6221930a4a9d98a12050bdb46218005
SHA2566170b02c4866e58fb621b325b3d03d9935b2fe4daf7e3b5472d5d3bd261ab684
SHA512d4b9395110b200caac0bbe4aee14f2c0feaaa1c5a9c0bff790bcd10091f34cadc7be0831a08284dd72bf51eaa13029db57bd8b4faba432752ca13a49f2d7393b
-
C:\Users\Admin\AppData\Roaming\jushed.exeFilesize
760KB
MD58629ef73d999bb67b6e403755371b19b
SHA1a52f6baca6221930a4a9d98a12050bdb46218005
SHA2566170b02c4866e58fb621b325b3d03d9935b2fe4daf7e3b5472d5d3bd261ab684
SHA512d4b9395110b200caac0bbe4aee14f2c0feaaa1c5a9c0bff790bcd10091f34cadc7be0831a08284dd72bf51eaa13029db57bd8b4faba432752ca13a49f2d7393b
-
C:\Users\Admin\AppData\Roaming\jushed.exeFilesize
760KB
MD58629ef73d999bb67b6e403755371b19b
SHA1a52f6baca6221930a4a9d98a12050bdb46218005
SHA2566170b02c4866e58fb621b325b3d03d9935b2fe4daf7e3b5472d5d3bd261ab684
SHA512d4b9395110b200caac0bbe4aee14f2c0feaaa1c5a9c0bff790bcd10091f34cadc7be0831a08284dd72bf51eaa13029db57bd8b4faba432752ca13a49f2d7393b
-
C:\Users\Admin\AppData\Roaming\jushed.exeFilesize
760KB
MD58629ef73d999bb67b6e403755371b19b
SHA1a52f6baca6221930a4a9d98a12050bdb46218005
SHA2566170b02c4866e58fb621b325b3d03d9935b2fe4daf7e3b5472d5d3bd261ab684
SHA512d4b9395110b200caac0bbe4aee14f2c0feaaa1c5a9c0bff790bcd10091f34cadc7be0831a08284dd72bf51eaa13029db57bd8b4faba432752ca13a49f2d7393b
-
C:\Users\Admin\AppData\Roaming\jushed.exeFilesize
760KB
MD58629ef73d999bb67b6e403755371b19b
SHA1a52f6baca6221930a4a9d98a12050bdb46218005
SHA2566170b02c4866e58fb621b325b3d03d9935b2fe4daf7e3b5472d5d3bd261ab684
SHA512d4b9395110b200caac0bbe4aee14f2c0feaaa1c5a9c0bff790bcd10091f34cadc7be0831a08284dd72bf51eaa13029db57bd8b4faba432752ca13a49f2d7393b
-
C:\Users\Admin\AppData\Roaming\jushed.exeFilesize
760KB
MD58629ef73d999bb67b6e403755371b19b
SHA1a52f6baca6221930a4a9d98a12050bdb46218005
SHA2566170b02c4866e58fb621b325b3d03d9935b2fe4daf7e3b5472d5d3bd261ab684
SHA512d4b9395110b200caac0bbe4aee14f2c0feaaa1c5a9c0bff790bcd10091f34cadc7be0831a08284dd72bf51eaa13029db57bd8b4faba432752ca13a49f2d7393b
-
C:\Users\Admin\AppData\Roaming\jushed.exeFilesize
760KB
MD58629ef73d999bb67b6e403755371b19b
SHA1a52f6baca6221930a4a9d98a12050bdb46218005
SHA2566170b02c4866e58fb621b325b3d03d9935b2fe4daf7e3b5472d5d3bd261ab684
SHA512d4b9395110b200caac0bbe4aee14f2c0feaaa1c5a9c0bff790bcd10091f34cadc7be0831a08284dd72bf51eaa13029db57bd8b4faba432752ca13a49f2d7393b
-
C:\Users\Admin\AppData\Roaming\jushed.exeFilesize
760KB
MD58629ef73d999bb67b6e403755371b19b
SHA1a52f6baca6221930a4a9d98a12050bdb46218005
SHA2566170b02c4866e58fb621b325b3d03d9935b2fe4daf7e3b5472d5d3bd261ab684
SHA512d4b9395110b200caac0bbe4aee14f2c0feaaa1c5a9c0bff790bcd10091f34cadc7be0831a08284dd72bf51eaa13029db57bd8b4faba432752ca13a49f2d7393b
-
C:\Users\Admin\AppData\Roaming\jushed.exeFilesize
760KB
MD58629ef73d999bb67b6e403755371b19b
SHA1a52f6baca6221930a4a9d98a12050bdb46218005
SHA2566170b02c4866e58fb621b325b3d03d9935b2fe4daf7e3b5472d5d3bd261ab684
SHA512d4b9395110b200caac0bbe4aee14f2c0feaaa1c5a9c0bff790bcd10091f34cadc7be0831a08284dd72bf51eaa13029db57bd8b4faba432752ca13a49f2d7393b
-
C:\Users\Admin\AppData\Roaming\jushed.exeFilesize
760KB
MD58629ef73d999bb67b6e403755371b19b
SHA1a52f6baca6221930a4a9d98a12050bdb46218005
SHA2566170b02c4866e58fb621b325b3d03d9935b2fe4daf7e3b5472d5d3bd261ab684
SHA512d4b9395110b200caac0bbe4aee14f2c0feaaa1c5a9c0bff790bcd10091f34cadc7be0831a08284dd72bf51eaa13029db57bd8b4faba432752ca13a49f2d7393b
-
C:\Users\Admin\AppData\Roaming\jushed.exeFilesize
760KB
MD58629ef73d999bb67b6e403755371b19b
SHA1a52f6baca6221930a4a9d98a12050bdb46218005
SHA2566170b02c4866e58fb621b325b3d03d9935b2fe4daf7e3b5472d5d3bd261ab684
SHA512d4b9395110b200caac0bbe4aee14f2c0feaaa1c5a9c0bff790bcd10091f34cadc7be0831a08284dd72bf51eaa13029db57bd8b4faba432752ca13a49f2d7393b
-
memory/1148-172-0x0000000000000000-mapping.dmp
-
memory/1404-200-0x0000000000000000-mapping.dmp
-
memory/1588-144-0x0000000000400000-0x00000000004B6000-memory.dmpFilesize
728KB
-
memory/1588-145-0x00000000000D0000-0x0000000000148000-memory.dmpFilesize
480KB
-
memory/1588-149-0x00000000000D0000-0x0000000000148000-memory.dmpFilesize
480KB
-
memory/1588-143-0x00000000000D0000-0x0000000000148000-memory.dmpFilesize
480KB
-
memory/1588-138-0x0000000000000000-mapping.dmp
-
memory/1588-139-0x00000000000D0000-0x0000000000148000-memory.dmpFilesize
480KB
-
memory/1588-142-0x00000000000D0000-0x0000000000148000-memory.dmpFilesize
480KB
-
memory/1760-131-0x0000000000400000-0x00000000004B6000-memory.dmpFilesize
728KB
-
memory/1760-130-0x0000000000400000-0x00000000004B6000-memory.dmpFilesize
728KB
-
memory/1760-136-0x0000000000400000-0x00000000004B6000-memory.dmpFilesize
728KB
-
memory/1816-185-0x0000000000000000-mapping.dmp
-
memory/1924-161-0x0000000000400000-0x00000000004B6000-memory.dmpFilesize
728KB
-
memory/1924-135-0x0000000000400000-0x00000000004B6000-memory.dmpFilesize
728KB
-
memory/1924-132-0x0000000000000000-mapping.dmp
-
memory/2168-175-0x0000000000000000-mapping.dmp
-
memory/2280-210-0x0000000000000000-mapping.dmp
-
memory/2424-180-0x0000000000000000-mapping.dmp
-
memory/2556-151-0x0000000000400000-0x00000000004B6000-memory.dmpFilesize
728KB
-
memory/2556-146-0x0000000000000000-mapping.dmp
-
memory/2556-159-0x0000000000400000-0x00000000004B6000-memory.dmpFilesize
728KB
-
memory/2864-190-0x0000000000000000-mapping.dmp
-
memory/2956-170-0x00000000000D0000-0x0000000000148000-memory.dmpFilesize
480KB
-
memory/2956-164-0x0000000000000000-mapping.dmp
-
memory/4008-195-0x0000000000000000-mapping.dmp
-
memory/4120-152-0x00000000000D0000-0x0000000000148000-memory.dmpFilesize
480KB
-
memory/4120-150-0x0000000000000000-mapping.dmp
-
memory/4120-155-0x00000000000D0000-0x0000000000148000-memory.dmpFilesize
480KB
-
memory/4248-205-0x0000000000000000-mapping.dmp
-
memory/4276-157-0x0000000000000000-mapping.dmp
-
memory/4276-160-0x0000000000400000-0x00000000004B6000-memory.dmpFilesize
728KB
-
memory/4276-171-0x0000000000400000-0x00000000004B6000-memory.dmpFilesize
728KB