a2c549cdd28fc49eca71c79a8ecc7de45ebc6678b1e448736593507f6927abb3

Analysis

max time kernel
124s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 00:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a2c549cdd28fc49eca71c79a8ecc7de45ebc6678b1e448736593507f6927abb3.exe
Size

196KB
MD5

15000c34c7486e8752a944daf068bd70
SHA1

326a8528d489d951b745d436404587ec4a3141e1
SHA256

a2c549cdd28fc49eca71c79a8ecc7de45ebc6678b1e448736593507f6927abb3
SHA512

34eafeaec968224a2e778e232b0599e75fe9816f2b650ef825b974bcb941ff6a5cc4d6a7d0565c6e06fd8dd4f64ae225d0559628d81fc3292a8b51a3bd4e198f
SSDEEP

1536:jZ/fgkAqJlV+n1EgGHo7P1YPx28Vayon5sn:j1gkZl0nt/P1YPx/on0

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

jusched.exe

pid process

4012 jusched.exe

pid	process
4012	jusched.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a2c549cdd28fc49eca71c79a8ecc7de45ebc6678b1e448736593507f6927abb3.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	a2c549cdd28fc49eca71c79a8ecc7de45ebc6678b1e448736593507f6927abb3.exe

Drops file in Program Files directory 2 IoCs

Processes:

a2c549cdd28fc49eca71c79a8ecc7de45ebc6678b1e448736593507f6927abb3.exe

description	ioc	process
File created	C:\Program Files (x86)\f9b6cafe\jusched.exe	a2c549cdd28fc49eca71c79a8ecc7de45ebc6678b1e448736593507f6927abb3.exe
File created	C:\Program Files (x86)\f9b6cafe\f9b6cafe	a2c549cdd28fc49eca71c79a8ecc7de45ebc6678b1e448736593507f6927abb3.exe

Drops file in Windows directory 1 IoCs

Processes:

a2c549cdd28fc49eca71c79a8ecc7de45ebc6678b1e448736593507f6927abb3.exe

description ioc process

File created C:\Windows\Tasks\Update23.job a2c549cdd28fc49eca71c79a8ecc7de45ebc6678b1e448736593507f6927abb3.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\Tasks\Update23.job	a2c549cdd28fc49eca71c79a8ecc7de45ebc6678b1e448736593507f6927abb3.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

a2c549cdd28fc49eca71c79a8ecc7de45ebc6678b1e448736593507f6927abb3.exe

description	pid	process	target process
PID 1752 wrote to memory of 4012	1752	a2c549cdd28fc49eca71c79a8ecc7de45ebc6678b1e448736593507f6927abb3.exe	jusched.exe
PID 1752 wrote to memory of 4012	1752	a2c549cdd28fc49eca71c79a8ecc7de45ebc6678b1e448736593507f6927abb3.exe	jusched.exe
PID 1752 wrote to memory of 4012	1752	a2c549cdd28fc49eca71c79a8ecc7de45ebc6678b1e448736593507f6927abb3.exe	jusched.exe

C:\Users\Admin\AppData\Local\Temp\a2c549cdd28fc49eca71c79a8ecc7de45ebc6678b1e448736593507f6927abb3.exe
"C:\Users\Admin\AppData\Local\Temp\a2c549cdd28fc49eca71c79a8ecc7de45ebc6678b1e448736593507f6927abb3.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1752

C:\Program Files (x86)\f9b6cafe\jusched.exe
"C:\Program Files (x86)\f9b6cafe\jusched.exe"
2⤵
- Executes dropped EXE
PID:4012

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\f9b6cafe\f9b6cafe
Filesize
17B

MD5
80e7928b124479791c52c09d831495f6

SHA1
94c8cb5ce4b1c1e70a2802efc22395c1003fc8bd

SHA256
a6bb92ad6bdd253818b2660e9befc8e3689b3bee61233f7a67a6ca0695acab12

SHA512
5183e48a8dc4f64277b7a0303f97b704ffa63dcc7256aaddb69994ef108f2f2922d9ec9a62eda403eed6c4f66dd719297c9d24e997f662eded63a49810493d2d

Download Submit
C:\Program Files (x86)\f9b6cafe\jusched.exe
Filesize
196KB

MD5
23a5f4f81dee010797d651aa7f373ffc

SHA1
086d3f6ce63f3c86968d441809fe39da5f113df7

SHA256
27f1a3d7dae8e410f3ebc19a153793fccc227f9c04d72ecf4ce6289747f1ae54

SHA512
1b74ff5d6e89cb9ef693c1dee7d8949302224b2041c8d6bb2beb0719d48ceb3dc30f64ee148b3d37035cfdb692e95e2285b1c0d1f911cef7fb524c71b3631fd6

Download Submit
C:\Program Files (x86)\f9b6cafe\jusched.exe
Filesize
196KB

MD5
23a5f4f81dee010797d651aa7f373ffc

SHA1
086d3f6ce63f3c86968d441809fe39da5f113df7

SHA256
27f1a3d7dae8e410f3ebc19a153793fccc227f9c04d72ecf4ce6289747f1ae54

SHA512
1b74ff5d6e89cb9ef693c1dee7d8949302224b2041c8d6bb2beb0719d48ceb3dc30f64ee148b3d37035cfdb692e95e2285b1c0d1f911cef7fb524c71b3631fd6

Download Submit
memory/4012-132-0x0000000000000000-mapping.dmp

Download