Analysis
- max time kernel: 124s
- max time network: 143s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-11-2022 00:35
Static task: static1
Behavioral task: behavioral1
- Sample: a2c549cdd28fc49eca71c79a8ecc7de45ebc6678b1e448736593507f6927abb3.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: a2c549cdd28fc49eca71c79a8ecc7de45ebc6678b1e448736593507f6927abb3.exe
- Resource: win10v2004-20220812-en
General
- Target: a2c549cdd28fc49eca71c79a8ecc7de45ebc6678b1e448736593507f6927abb3.exe
- Size: 196KB
- MD5: 15000c34c7486e8752a944daf068bd70
- SHA1: 326a8528d489d951b745d436404587ec4a3141e1
- SHA256: a2c549cdd28fc49eca71c79a8ecc7de45ebc6678b1e448736593507f6927abb3
- SHA512: 34eafeaec968224a2e778e232b0599e75fe9816f2b650ef825b974bcb941ff6a5cc4d6a7d0565c6e06fd8dd4f64ae225d0559628d81fc3292a8b51a3bd4e198f
- SSDEEP: 1536:jZ/fgkAqJlV+n1EgGHo7P1YPx28Vayon5sn:j1gkZl0nt/P1YPx/on0
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    pid   process
    4012  jusched.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description        ioc                                                                                            process
    Key value queried  \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation  a2c549cdd28fc49eca71c79a8ecc7de45ebc6678b1e448736593507f6927abb3.exe
- Drops file in Program Files directory (2 IoCs)
  Processes:
    description   ioc                                            process
    File created  C:\Program Files (x86)\f9b6cafe\jusched.exe    a2c549cdd28fc49eca71c79a8ecc7de45ebc6678b1e448736593507f6927abb3.exe
    File created  C:\Program Files (x86)\f9b6cafe\f9b6cafe       a2c549cdd28fc49eca71c79a8ecc7de45ebc6678b1e448736593507f6927abb3.exe
- Drops file in Windows directory (1 IoC)
  Processes:
    description   ioc                              process
    File created  C:\Windows\Tasks\Update23.job    a2c549cdd28fc49eca71c79a8ecc7de45ebc6678b1e448736593507f6927abb3.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description                        pid   process                                                                  target process
    PID 1752 wrote to memory of 4012   1752  a2c549cdd28fc49eca71c79a8ecc7de45ebc6678b1e448736593507f6927abb3.exe  jusched.exe
    PID 1752 wrote to memory of 4012   1752  a2c549cdd28fc49eca71c79a8ecc7de45ebc6678b1e448736593507f6927abb3.exe  jusched.exe
    PID 1752 wrote to memory of 4012   1752  a2c549cdd28fc49eca71c79a8ecc7de45ebc6678b1e448736593507f6927abb3.exe  jusched.exe
Processes
- (1) C:\Users\Admin\AppData\Local\Temp\a2c549cdd28fc49eca71c79a8ecc7de45ebc6678b1e448736593507f6927abb3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a2c549cdd28fc49eca71c79a8ecc7de45ebc6678b1e448736593507f6927abb3.exe"
  - Checks computer location settings
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  - (2) C:\Program Files (x86)\f9b6cafe\jusched.exe
    Command line: "C:\Program Files (x86)\f9b6cafe\jusched.exe"
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Program Files (x86)\f9b6cafe\f9b6cafe
  Filesize: 17B
  MD5: 80e7928b124479791c52c09d831495f6
  SHA1: 94c8cb5ce4b1c1e70a2802efc22395c1003fc8bd
  SHA256: a6bb92ad6bdd253818b2660e9befc8e3689b3bee61233f7a67a6ca0695acab12
  SHA512: 5183e48a8dc4f64277b7a0303f97b704ffa63dcc7256aaddb69994ef108f2f2922d9ec9a62eda403eed6c4f66dd719297c9d24e997f662eded63a49810493d2d
- C:\Program Files (x86)\f9b6cafe\jusched.exe
  Filesize: 196KB
  MD5: 23a5f4f81dee010797d651aa7f373ffc
  SHA1: 086d3f6ce63f3c86968d441809fe39da5f113df7
  SHA256: 27f1a3d7dae8e410f3ebc19a153793fccc227f9c04d72ecf4ce6289747f1ae54
  SHA512: 1b74ff5d6e89cb9ef693c1dee7d8949302224b2041c8d6bb2beb0719d48ceb3dc30f64ee148b3d37035cfdb692e95e2285b1c0d1f911cef7fb524c71b3631fd6
- memory/4012-132-0x0000000000000000-mapping.dmp