a8c93d94cc7764d4162a7e9c8ea7087ddd7e87576c435cbe07636d6c95243eb2

Analysis

max time kernel
145s
max time network
177s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
03-12-2022 20:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a8c93d94cc7764d4162a7e9c8ea7087ddd7e87576c435cbe07636d6c95243eb2.exe
Size

196KB
MD5

355dcffbb72b65779abc89571894f790
SHA1

b40f86d29f07167a38499c9efa70974b1c49c008
SHA256

a8c93d94cc7764d4162a7e9c8ea7087ddd7e87576c435cbe07636d6c95243eb2
SHA512

b2be35d7707d5aff2c3dff9f2e41a2f5ecd234a49e7f83a224c49f0afc98e94170131dd92d8205ffc32feceede62c64bc9111729c4b8f88516e9dae6b61946a1
SSDEEP

1536:ZZ/fgkAqJlV+n1EgGHo7P1YPx28VmyonpsP:Z1gkZl0nt/P1YPxDonI

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
900	jusched.exe

Loads dropped DLL 2 IoCs

pid	Process
1976	a8c93d94cc7764d4162a7e9c8ea7087ddd7e87576c435cbe07636d6c95243eb2.exe
1976	a8c93d94cc7764d4162a7e9c8ea7087ddd7e87576c435cbe07636d6c95243eb2.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\af40cff\jusched.exe	a8c93d94cc7764d4162a7e9c8ea7087ddd7e87576c435cbe07636d6c95243eb2.exe
File created	C:\Program Files (x86)\af40cff\af40cff	a8c93d94cc7764d4162a7e9c8ea7087ddd7e87576c435cbe07636d6c95243eb2.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Update23.job	a8c93d94cc7764d4162a7e9c8ea7087ddd7e87576c435cbe07636d6c95243eb2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 900	1976	a8c93d94cc7764d4162a7e9c8ea7087ddd7e87576c435cbe07636d6c95243eb2.exe	28
PID 1976 wrote to memory of 900	1976	a8c93d94cc7764d4162a7e9c8ea7087ddd7e87576c435cbe07636d6c95243eb2.exe	28
PID 1976 wrote to memory of 900	1976	a8c93d94cc7764d4162a7e9c8ea7087ddd7e87576c435cbe07636d6c95243eb2.exe	28
PID 1976 wrote to memory of 900	1976	a8c93d94cc7764d4162a7e9c8ea7087ddd7e87576c435cbe07636d6c95243eb2.exe	28

C:\Users\Admin\AppData\Local\Temp\a8c93d94cc7764d4162a7e9c8ea7087ddd7e87576c435cbe07636d6c95243eb2.exe
"C:\Users\Admin\AppData\Local\Temp\a8c93d94cc7764d4162a7e9c8ea7087ddd7e87576c435cbe07636d6c95243eb2.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Program Files (x86)\af40cff\jusched.exe
  "C:\Program Files (x86)\af40cff\jusched.exe"
  2⤵
  - Executes dropped EXE
  PID:900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\af40cff\af40cff

Filesize
17B

MD5
80e7928b124479791c52c09d831495f6

SHA1
94c8cb5ce4b1c1e70a2802efc22395c1003fc8bd

SHA256
a6bb92ad6bdd253818b2660e9befc8e3689b3bee61233f7a67a6ca0695acab12

SHA512
5183e48a8dc4f64277b7a0303f97b704ffa63dcc7256aaddb69994ef108f2f2922d9ec9a62eda403eed6c4f66dd719297c9d24e997f662eded63a49810493d2d

Download Submit
C:\Program Files (x86)\af40cff\jusched.exe

Filesize
197KB

MD5
3e8d3b697c31985658404d91584778b2

SHA1
2a95244485e080c04f083d11c4cc94f55df417ba

SHA256
8c97c5c6cc9826a59b6b1f7ec030b5f05cd6194ab3d8b428a716c46ce4c3ea4e

SHA512
2d68eb479efcc8a78e853b0b3e513a33b2e6b4adb21b6e9d747f013c6cfced25694ba19fdd97aa88a2fadd4e21e8dc8d105f7a1f0a9f69d1d8c73499aadb7028

Download Submit
\Program Files (x86)\af40cff\jusched.exe

Filesize
197KB

MD5
3e8d3b697c31985658404d91584778b2

SHA1
2a95244485e080c04f083d11c4cc94f55df417ba

SHA256
8c97c5c6cc9826a59b6b1f7ec030b5f05cd6194ab3d8b428a716c46ce4c3ea4e

SHA512
2d68eb479efcc8a78e853b0b3e513a33b2e6b4adb21b6e9d747f013c6cfced25694ba19fdd97aa88a2fadd4e21e8dc8d105f7a1f0a9f69d1d8c73499aadb7028

Download Submit
\Program Files (x86)\af40cff\jusched.exe

Filesize
197KB

MD5
3e8d3b697c31985658404d91584778b2

SHA1
2a95244485e080c04f083d11c4cc94f55df417ba

SHA256
8c97c5c6cc9826a59b6b1f7ec030b5f05cd6194ab3d8b428a716c46ce4c3ea4e

SHA512
2d68eb479efcc8a78e853b0b3e513a33b2e6b4adb21b6e9d747f013c6cfced25694ba19fdd97aa88a2fadd4e21e8dc8d105f7a1f0a9f69d1d8c73499aadb7028

Download Submit
memory/900-57-0x0000000000000000-mapping.dmp

Download
memory/1976-54-0x0000000074D81000-0x0000000074D83000-memory.dmp

Filesize
8KB

Download