Analysis
-
max time kernel
151s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
24-11-2022 00:35
General
-
Target
b123d481020439b084064e532e6a158a38fd9c4a279478cda6a2a4929cc59672.exe
-
Size
196KB
-
MD5
2ebee12be851ff81ad38c76e079b6340
-
SHA1
76b2f46f7289f657bff71d63521ca307a80f8022
-
SHA256
b123d481020439b084064e532e6a158a38fd9c4a279478cda6a2a4929cc59672
-
SHA512
01b33bc21ffd43ef4f6199bf0db2eb0b78d105c618a8aee891e05ca944e4a601ba1b7ee03466d57b3285926638038d27045b4eb9e1dbcf510ef314404c2e2062
-
SSDEEP
1536:aXBYjfC24mFVsIgvo3X4iZpTha5VlA8mP7aoL8E:aX+0mFmIgvo4iZhha5r6aoL8E
Malware Config
Signatures
-
Executes dropped EXE 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b123d481020439b084064e532e6a158a38fd9c4a279478cda6a2a4929cc59672.exe"C:\Users\Admin\AppData\Local\Temp\b123d481020439b084064e532e6a158a38fd9c4a279478cda6a2a4929cc59672.exe"1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\c3fa0e79\jusched.exe"C:\Program Files (x86)\c3fa0e79\jusched.exe"2⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\c3fa0e79\c3fa0e79Filesize
17B
MD5bff3d8f76e182194c4a2abf1aabba9f3
SHA107e5b604bb505a800b3e0ac16fee483b70595768
SHA2566bc8a4f93eaa1b3e7cfa696855bf6a852cf6555d694bc03e337261a27e58246f
SHA5120c5def3bb01ed166d4135190e131c27be4b6039987e269b6c3fca07677b3c637868397f207df631a098182a6bd3c795e6dd34541f82c5ecd6062441af0af7f50
-
C:\Program Files (x86)\c3fa0e79\info_aFilesize
12B
MD5731a92fb0c843b25e3e0a8c7e25825a4
SHA13f6b3f5086389639e803483fd1f8bff83e66fb55
SHA256f9dd2c0a06f428f7ba2dc7cde9d174d4394f3b73ab2a52c18c2efa6ba7c830b4
SHA512f571a0bd097b35a586c940d8a5156680933ab1b6b72c18ed43653efe14dc7113085afeec2dbaff0633b99d4e08ea245a405af8593aa3b453ee3c3b1d7bbb17b9
-
C:\Program Files (x86)\c3fa0e79\jusched.exeFilesize
196KB
MD517611647b61cc6309317c4a1f2455cf5
SHA19cc50aa8308f798c18d7470abc02975af3d70725
SHA256fb1cc6e6646301b390d74fe3d720d65b4de32d60c64a957f875eaa318f777cd7
SHA51296f7ff9aad5d773118c46518879485b45de75f740028d58dcaf8b3dab2b80f2a52ff182c0c4baf6e3927e528ba7a7321166f1bc469bb9775005e84590a9f7216
-
C:\Program Files (x86)\c3fa0e79\jusched.exeFilesize
196KB
MD517611647b61cc6309317c4a1f2455cf5
SHA19cc50aa8308f798c18d7470abc02975af3d70725
SHA256fb1cc6e6646301b390d74fe3d720d65b4de32d60c64a957f875eaa318f777cd7
SHA51296f7ff9aad5d773118c46518879485b45de75f740028d58dcaf8b3dab2b80f2a52ff182c0c4baf6e3927e528ba7a7321166f1bc469bb9775005e84590a9f7216
-
memory/4348-132-0x0000000000400000-0x0000000000466000-memory.dmpFilesize
408KB
-
memory/4348-133-0x0000000000400000-0x0000000000466000-memory.dmpFilesize
408KB
-
memory/4348-136-0x0000000000400000-0x0000000000466000-memory.dmpFilesize
408KB
-
memory/4768-134-0x0000000000000000-mapping.dmp
-
memory/4768-138-0x0000000000400000-0x0000000000466000-memory.dmpFilesize
408KB
-
memory/4768-140-0x0000000000400000-0x0000000000466000-memory.dmpFilesize
408KB