68b826bb7aa10fea464dd20a8ae8550c9b2d34a57e164d352afd9c8448ee4e9a

Analysis

max time kernel
148s
max time network
152s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
11/10/2022, 06:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68b826bb7aa10fea464dd20a8ae8550c9b2d34a57e164d352afd9c8448ee4e9a.exe
Size

61KB
MD5

78ac96474e7782c3778711e97bdb16e0
SHA1

b415f9a0da7ff296fde3ea0204703e5603185d27
SHA256

68b826bb7aa10fea464dd20a8ae8550c9b2d34a57e164d352afd9c8448ee4e9a
SHA512

f753884bcdd6667ccd9926e9fa076b322e88b8df122b45f75a3179f41dce1bc3a3bbec8c6e28cd21440395792f4528525ba4cd3ad5e94dd1acbfb984d9c807ca
SSDEEP

768:bzQYScGrIubHuYtvdxwYHw5FAe2Qoncwx99LDDJ6PFiartuQ:fQTIubHy5wQoh9Kiax

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1560	jusched.exe

Loads dropped DLL 2 IoCs

pid	Process
2020	68b826bb7aa10fea464dd20a8ae8550c9b2d34a57e164d352afd9c8448ee4e9a.exe
2020	68b826bb7aa10fea464dd20a8ae8550c9b2d34a57e164d352afd9c8448ee4e9a.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\d1455f79\jusched.exe	68b826bb7aa10fea464dd20a8ae8550c9b2d34a57e164d352afd9c8448ee4e9a.exe
File created	C:\Program Files (x86)\d1455f79\d1455f79	68b826bb7aa10fea464dd20a8ae8550c9b2d34a57e164d352afd9c8448ee4e9a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1560	jusched.exe
1560	jusched.exe
1560	jusched.exe
1560	jusched.exe
1560	jusched.exe
1560	jusched.exe
1560	jusched.exe
1560	jusched.exe
1560	jusched.exe
1560	jusched.exe
1560	jusched.exe
1560	jusched.exe
1560	jusched.exe
1560	jusched.exe
1560	jusched.exe
1560	jusched.exe
1560	jusched.exe
1560	jusched.exe
1560	jusched.exe
1560	jusched.exe
1560	jusched.exe
1560	jusched.exe
1560	jusched.exe
1560	jusched.exe
1560	jusched.exe
1560	jusched.exe
1560	jusched.exe
1560	jusched.exe
1560	jusched.exe
1560	jusched.exe
1560	jusched.exe
1560	jusched.exe
1560	jusched.exe
1560	jusched.exe
1560	jusched.exe
1560	jusched.exe
1560	jusched.exe
1560	jusched.exe
1560	jusched.exe
1560	jusched.exe
1560	jusched.exe
1560	jusched.exe
1560	jusched.exe
1560	jusched.exe
1560	jusched.exe
1560	jusched.exe
1560	jusched.exe
1560	jusched.exe
1560	jusched.exe
1560	jusched.exe
1560	jusched.exe
1560	jusched.exe
1560	jusched.exe
1560	jusched.exe
1560	jusched.exe
1560	jusched.exe
1560	jusched.exe
1560	jusched.exe
1560	jusched.exe
1560	jusched.exe
1560	jusched.exe
1560	jusched.exe
1560	jusched.exe
1560	jusched.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 1560	2020	68b826bb7aa10fea464dd20a8ae8550c9b2d34a57e164d352afd9c8448ee4e9a.exe	28
PID 2020 wrote to memory of 1560	2020	68b826bb7aa10fea464dd20a8ae8550c9b2d34a57e164d352afd9c8448ee4e9a.exe	28
PID 2020 wrote to memory of 1560	2020	68b826bb7aa10fea464dd20a8ae8550c9b2d34a57e164d352afd9c8448ee4e9a.exe	28
PID 2020 wrote to memory of 1560	2020	68b826bb7aa10fea464dd20a8ae8550c9b2d34a57e164d352afd9c8448ee4e9a.exe	28

C:\Users\Admin\AppData\Local\Temp\68b826bb7aa10fea464dd20a8ae8550c9b2d34a57e164d352afd9c8448ee4e9a.exe
"C:\Users\Admin\AppData\Local\Temp\68b826bb7aa10fea464dd20a8ae8550c9b2d34a57e164d352afd9c8448ee4e9a.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Program Files (x86)\d1455f79\jusched.exe
  "C:\Program Files (x86)\d1455f79\jusched.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1560

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\d1455f79\d1455f79

Filesize
13B

MD5
f253efe302d32ab264a76e0ce65be769

SHA1
768685ca582abd0af2fbb57ca37752aa98c9372b

SHA256
49dca65f362fee401292ed7ada96f96295eab1e589c52e4e66bf4aedda715fdd

SHA512
1990d20b462406bbadb22ba43f1ed9d0db6b250881d4ac89ad8cf6e43ca92b2fd31c3a15be1e6e149e42fdb46e58122c15bc7869a82c9490656c80df69fa77c4

Download Submit
C:\Program Files (x86)\d1455f79\jusched.exe

Filesize
61KB

MD5
21492bd1a17f51eecbed9117c36e356b

SHA1
c7a372408add1ce710bdcb5a1a54a3de275c9972

SHA256
2f19b4d397634e8931c7f3b00cc1ecab43a3c7d9712f7744e2fe9169f57d1f6b

SHA512
39cb335169245866f627c8966d541981039ecc8fd932a2fd69a47bb1a419450ff92c6b0aab17331f42a189ae1bd77f421640d7b7c51c9c1cf577cb3398e21352

Download Submit
\Program Files (x86)\d1455f79\jusched.exe

Filesize
61KB

MD5
21492bd1a17f51eecbed9117c36e356b

SHA1
c7a372408add1ce710bdcb5a1a54a3de275c9972

SHA256
2f19b4d397634e8931c7f3b00cc1ecab43a3c7d9712f7744e2fe9169f57d1f6b

SHA512
39cb335169245866f627c8966d541981039ecc8fd932a2fd69a47bb1a419450ff92c6b0aab17331f42a189ae1bd77f421640d7b7c51c9c1cf577cb3398e21352

Download Submit
\Program Files (x86)\d1455f79\jusched.exe

Filesize
61KB

MD5
21492bd1a17f51eecbed9117c36e356b

SHA1
c7a372408add1ce710bdcb5a1a54a3de275c9972

SHA256
2f19b4d397634e8931c7f3b00cc1ecab43a3c7d9712f7744e2fe9169f57d1f6b

SHA512
39cb335169245866f627c8966d541981039ecc8fd932a2fd69a47bb1a419450ff92c6b0aab17331f42a189ae1bd77f421640d7b7c51c9c1cf577cb3398e21352

Download Submit
memory/1560-61-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2020-54-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2020-55-0x00000000756B1000-0x00000000756B3000-memory.dmp

Filesize
8KB

Download
memory/2020-60-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download