89dc7f9bbc4a0a041f15b7ad6f67df12e9ff8555e3f34be3c29d5b4dcd720537

General

Target

89dc7f9bbc4a0a041f15b7ad6f67df12e9ff8555e3f34be3c29d5b4dcd720537.exe
Size

270KB
MD5

274a75731edc8dd17cac8824c7cfdc10
SHA1

305a8c443a4109731d659db046c9e99f40d31db0
SHA256

89dc7f9bbc4a0a041f15b7ad6f67df12e9ff8555e3f34be3c29d5b4dcd720537
SHA512

5bcd72f3e9a4cd5972f8609d41ee2212f72970e1633ce8e0214c246c34c97179f0c18342add20149223cc6bd0afedf8d6c89ae7dd24f50db3e344f577467b112
SSDEEP

3072:853mQ7JtnP5I09qgmBBAWgjSvwN/oSWBAYEQ3/AeohItgsk:UmKJtna2qgmBNgQwGAw/SItg/

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

jusched.exe

pid process

1860 jusched.exe

pid	process
1860	jusched.exe

Loads dropped DLL 2 IoCs

Processes:

89dc7f9bbc4a0a041f15b7ad6f67df12e9ff8555e3f34be3c29d5b4dcd720537.exe

pid	process
364	89dc7f9bbc4a0a041f15b7ad6f67df12e9ff8555e3f34be3c29d5b4dcd720537.exe
364	89dc7f9bbc4a0a041f15b7ad6f67df12e9ff8555e3f34be3c29d5b4dcd720537.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

89dc7f9bbc4a0a041f15b7ad6f67df12e9ff8555e3f34be3c29d5b4dcd720537.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	89dc7f9bbc4a0a041f15b7ad6f67df12e9ff8555e3f34be3c29d5b4dcd720537.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000\Software\Microsoft\Windows\CurrentVersion\Run	89dc7f9bbc4a0a041f15b7ad6f67df12e9ff8555e3f34be3c29d5b4dcd720537.exe

Drops file in Program Files directory 2 IoCs

Processes:

89dc7f9bbc4a0a041f15b7ad6f67df12e9ff8555e3f34be3c29d5b4dcd720537.exe

description	ioc	process
File created	C:\Program Files (x86)\73f72996\jusched.exe	89dc7f9bbc4a0a041f15b7ad6f67df12e9ff8555e3f34be3c29d5b4dcd720537.exe
File created	C:\Program Files (x86)\73f72996\73f72996	89dc7f9bbc4a0a041f15b7ad6f67df12e9ff8555e3f34be3c29d5b4dcd720537.exe

Drops file in Windows directory 1 IoCs

Processes:

89dc7f9bbc4a0a041f15b7ad6f67df12e9ff8555e3f34be3c29d5b4dcd720537.exe

description ioc process

File created C:\Windows\Tasks\Update23.job 89dc7f9bbc4a0a041f15b7ad6f67df12e9ff8555e3f34be3c29d5b4dcd720537.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\Tasks\Update23.job	89dc7f9bbc4a0a041f15b7ad6f67df12e9ff8555e3f34be3c29d5b4dcd720537.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

89dc7f9bbc4a0a041f15b7ad6f67df12e9ff8555e3f34be3c29d5b4dcd720537.exe

description	pid	process	target process
PID 364 wrote to memory of 1860	364	89dc7f9bbc4a0a041f15b7ad6f67df12e9ff8555e3f34be3c29d5b4dcd720537.exe	jusched.exe
PID 364 wrote to memory of 1860	364	89dc7f9bbc4a0a041f15b7ad6f67df12e9ff8555e3f34be3c29d5b4dcd720537.exe	jusched.exe
PID 364 wrote to memory of 1860	364	89dc7f9bbc4a0a041f15b7ad6f67df12e9ff8555e3f34be3c29d5b4dcd720537.exe	jusched.exe
PID 364 wrote to memory of 1860	364	89dc7f9bbc4a0a041f15b7ad6f67df12e9ff8555e3f34be3c29d5b4dcd720537.exe	jusched.exe

C:\Users\Admin\AppData\Local\Temp\89dc7f9bbc4a0a041f15b7ad6f67df12e9ff8555e3f34be3c29d5b4dcd720537.exe
"C:\Users\Admin\AppData\Local\Temp\89dc7f9bbc4a0a041f15b7ad6f67df12e9ff8555e3f34be3c29d5b4dcd720537.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:364

C:\Program Files (x86)\73f72996\jusched.exe
"C:\Program Files (x86)\73f72996\jusched.exe"
2⤵
- Executes dropped EXE
PID:1860

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\73f72996\73f72996

Filesize
17B

MD5
4d77d6b250ffb567743b8dbcdad695b8

SHA1
d5a8f98f9433f6d36c74df463cef3e2cf524462d

SHA256
7ec7a3a23890c3592f5b762aecf11adbf8831fad11b8048aedfa7315d599c5f2

SHA512
5655153049101fd67125d484c81f1ad30b44f36f00e3aabfe8d730a21661f4b394357b60da549289def4311b4cc7bd508d8fd6b8db254cd442b2152f8902bd71

Download Submit
C:\Program Files (x86)\73f72996\jusched.exe

Filesize
270KB

MD5
fbddf88db21b1987c88f13d5d136cf4c

SHA1
08a3cab60245acb5d7beb61fe378704830747e9b

SHA256
7f22f3c4851d29ecdb41d47353ed52c348546838ffb9c7d7cc6f6f9c12f83888

SHA512
c50d34feee6405a1b235adb55bd3cd66b43a544da9c4396b476a6d9121da2e92cb8ce8f4c462eddb02038e9194c04e3aa20699a9e56fc0452b84dd4444d245b2

Download Submit
\Program Files (x86)\73f72996\jusched.exe

Filesize
270KB

MD5
fbddf88db21b1987c88f13d5d136cf4c

SHA1
08a3cab60245acb5d7beb61fe378704830747e9b

SHA256
7f22f3c4851d29ecdb41d47353ed52c348546838ffb9c7d7cc6f6f9c12f83888

SHA512
c50d34feee6405a1b235adb55bd3cd66b43a544da9c4396b476a6d9121da2e92cb8ce8f4c462eddb02038e9194c04e3aa20699a9e56fc0452b84dd4444d245b2

Download Submit
\Program Files (x86)\73f72996\jusched.exe

Filesize
270KB

MD5
fbddf88db21b1987c88f13d5d136cf4c

SHA1
08a3cab60245acb5d7beb61fe378704830747e9b

SHA256
7f22f3c4851d29ecdb41d47353ed52c348546838ffb9c7d7cc6f6f9c12f83888

SHA512
c50d34feee6405a1b235adb55bd3cd66b43a544da9c4396b476a6d9121da2e92cb8ce8f4c462eddb02038e9194c04e3aa20699a9e56fc0452b84dd4444d245b2

Download Submit
memory/364-54-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/364-55-0x0000000076681000-0x0000000076683000-memory.dmp

Filesize
8KB

Download
memory/364-60-0x0000000001E10000-0x0000000001E66000-memory.dmp

Filesize
344KB

Download
memory/364-61-0x0000000001E10000-0x0000000001E66000-memory.dmp

Filesize
344KB

Download
memory/364-63-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1860-58-0x0000000000000000-mapping.dmp

Download
memory/1860-62-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads