e189e3b180a57841409f91968328f2d6617cd80e3fbe2d94f0f5b603cdb5c518

Analysis

max time kernel
134s
max time network
149s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
07/11/2022, 21:12

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

e189e3b180a57841409f91968328f2d6617cd80e3fbe2d94f0f5b603cdb5c518.exe
Size

519KB
MD5

0f4d09a6ab0b74402698c59957a7a990
SHA1

35858519cf0d4e5ded95d6920e914e32bc98fb2f
SHA256

e189e3b180a57841409f91968328f2d6617cd80e3fbe2d94f0f5b603cdb5c518
SHA512

a15a8a81e944b44dc830228571076f7d937e37ed0dc904374eb22151dc5295c7fc5f39ec8dd55d2cc9077cb3f5ba222859c302e8859b8ccc136d70572275eabb
SSDEEP

3072:AX+0mFmIgvo4iZhha5rEaoL81iGq1bQdpt4zlsWjO+HbnmZGiWIySyUyygujBbKH:NHFU6hg5rEasqdpuzfjR7neGiGSeujQH

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1028	jusched.exe

Loads dropped DLL 2 IoCs

pid	Process
1708	e189e3b180a57841409f91968328f2d6617cd80e3fbe2d94f0f5b603cdb5c518.exe
1708	e189e3b180a57841409f91968328f2d6617cd80e3fbe2d94f0f5b603cdb5c518.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\3993bd8b\jusched.exe	e189e3b180a57841409f91968328f2d6617cd80e3fbe2d94f0f5b603cdb5c518.exe
File created	C:\Program Files (x86)\3993bd8b\3993bd8b	e189e3b180a57841409f91968328f2d6617cd80e3fbe2d94f0f5b603cdb5c518.exe
File created	C:\Program Files (x86)\3993bd8b\info_a	e189e3b180a57841409f91968328f2d6617cd80e3fbe2d94f0f5b603cdb5c518.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Update23.job	e189e3b180a57841409f91968328f2d6617cd80e3fbe2d94f0f5b603cdb5c518.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1708 wrote to memory of 1028	1708	e189e3b180a57841409f91968328f2d6617cd80e3fbe2d94f0f5b603cdb5c518.exe	27
PID 1708 wrote to memory of 1028	1708	e189e3b180a57841409f91968328f2d6617cd80e3fbe2d94f0f5b603cdb5c518.exe	27
PID 1708 wrote to memory of 1028	1708	e189e3b180a57841409f91968328f2d6617cd80e3fbe2d94f0f5b603cdb5c518.exe	27
PID 1708 wrote to memory of 1028	1708	e189e3b180a57841409f91968328f2d6617cd80e3fbe2d94f0f5b603cdb5c518.exe	27

C:\Users\Admin\AppData\Local\Temp\e189e3b180a57841409f91968328f2d6617cd80e3fbe2d94f0f5b603cdb5c518.exe
"C:\Users\Admin\AppData\Local\Temp\e189e3b180a57841409f91968328f2d6617cd80e3fbe2d94f0f5b603cdb5c518.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Program Files (x86)\3993bd8b\jusched.exe
  "C:\Program Files (x86)\3993bd8b\jusched.exe"
  2⤵
  - Executes dropped EXE
  PID:1028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\3993bd8b\3993bd8b

Filesize
17B

MD5
bff3d8f76e182194c4a2abf1aabba9f3

SHA1
07e5b604bb505a800b3e0ac16fee483b70595768

SHA256
6bc8a4f93eaa1b3e7cfa696855bf6a852cf6555d694bc03e337261a27e58246f

SHA512
0c5def3bb01ed166d4135190e131c27be4b6039987e269b6c3fca07677b3c637868397f207df631a098182a6bd3c795e6dd34541f82c5ecd6062441af0af7f50

Download Submit
C:\Program Files (x86)\3993bd8b\info_a

Filesize
12B

MD5
9fa46acf09699ae84df0c6484c35194a

SHA1
8014f03311f64447466b613010f911768af84a9f

SHA256
866fcd9a43e35457cb726accb99a0839af604675475633da6ebc13a618f5fffe

SHA512
380b44e72ce42420ca2e0465f9cc6b83d606b3a01b0799851a3e129c5cf01ba2808818c9d6e151493680b9a41c4a0f0183751d50718da9a757a05d5dc8a37eec

Download Submit
C:\Program Files (x86)\3993bd8b\jusched.exe

Filesize
519KB

MD5
2ecf85e60afa5a06affa7c4bb79551c5

SHA1
da091893a741d56c1402213c73718d514f1adf76

SHA256
01de5bd7d3be34aa2da686112280869cf8fcde0793f73b8e5cdc7a253a1eda2a

SHA512
3dabf54ace9bfbdfd0ad6363146d5736bcaec23fbecbf04995ab7bb0f04ff1b930f71635a3e1bf9991cc1950ebb19ba694683841a7d031a480f2ff5789518318

Download Submit
\Program Files (x86)\3993bd8b\jusched.exe

Filesize
519KB

MD5
2ecf85e60afa5a06affa7c4bb79551c5

SHA1
da091893a741d56c1402213c73718d514f1adf76

SHA256
01de5bd7d3be34aa2da686112280869cf8fcde0793f73b8e5cdc7a253a1eda2a

SHA512
3dabf54ace9bfbdfd0ad6363146d5736bcaec23fbecbf04995ab7bb0f04ff1b930f71635a3e1bf9991cc1950ebb19ba694683841a7d031a480f2ff5789518318

Download Submit
\Program Files (x86)\3993bd8b\jusched.exe

Filesize
519KB

MD5
2ecf85e60afa5a06affa7c4bb79551c5

SHA1
da091893a741d56c1402213c73718d514f1adf76

SHA256
01de5bd7d3be34aa2da686112280869cf8fcde0793f73b8e5cdc7a253a1eda2a

SHA512
3dabf54ace9bfbdfd0ad6363146d5736bcaec23fbecbf04995ab7bb0f04ff1b930f71635a3e1bf9991cc1950ebb19ba694683841a7d031a480f2ff5789518318

Download Submit
memory/1028-62-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1028-64-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1708-54-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1708-55-0x0000000075111000-0x0000000075113000-memory.dmp

Filesize
8KB

Download
memory/1708-56-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download
memory/1708-61-0x0000000000400000-0x000000000046D000-memory.dmp

Filesize
436KB

Download