ddb1a4bdcd1594a1a031c667bd0f15083a96681c3338d3c1f2954a181c61a03e

Analysis

max time kernel
145s
max time network
190s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
04/12/2022, 13:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ddb1a4bdcd1594a1a031c667bd0f15083a96681c3338d3c1f2954a181c61a03e.exe
Size

256KB
MD5

af13df5cba65339c81af2e36e5c16458
SHA1

4b42f8a21a22a784abc144eccb60d242b1196270
SHA256

ddb1a4bdcd1594a1a031c667bd0f15083a96681c3338d3c1f2954a181c61a03e
SHA512

38a76721852dfa0bced9f621059de54507d32b22a1cce3a9bc8180856d559c6a7ad28923676a0d4e7794dff313ca5e2fe1b3e1fe405f1d7f09046602b1c75c0c
SSDEEP

3072:P53mQkJtnP5I09qgmBBAWgjSvwN/oXWai:NmxJtna2qgmBNgQwGi

Score

8^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1992	jusched.exe

Loads dropped DLL 2 IoCs

pid	Process
1180	ddb1a4bdcd1594a1a031c667bd0f15083a96681c3338d3c1f2954a181c61a03e.exe
1180	ddb1a4bdcd1594a1a031c667bd0f15083a96681c3338d3c1f2954a181c61a03e.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	ddb1a4bdcd1594a1a031c667bd0f15083a96681c3338d3c1f2954a181c61a03e.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Windows\CurrentVersion\Run	ddb1a4bdcd1594a1a031c667bd0f15083a96681c3338d3c1f2954a181c61a03e.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\ba81df6\jusched.exe	ddb1a4bdcd1594a1a031c667bd0f15083a96681c3338d3c1f2954a181c61a03e.exe
File created	C:\Program Files (x86)\ba81df6\ba81df6	ddb1a4bdcd1594a1a031c667bd0f15083a96681c3338d3c1f2954a181c61a03e.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Update23.job	ddb1a4bdcd1594a1a031c667bd0f15083a96681c3338d3c1f2954a181c61a03e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1180 wrote to memory of 1992	1180	ddb1a4bdcd1594a1a031c667bd0f15083a96681c3338d3c1f2954a181c61a03e.exe	28
PID 1180 wrote to memory of 1992	1180	ddb1a4bdcd1594a1a031c667bd0f15083a96681c3338d3c1f2954a181c61a03e.exe	28
PID 1180 wrote to memory of 1992	1180	ddb1a4bdcd1594a1a031c667bd0f15083a96681c3338d3c1f2954a181c61a03e.exe	28
PID 1180 wrote to memory of 1992	1180	ddb1a4bdcd1594a1a031c667bd0f15083a96681c3338d3c1f2954a181c61a03e.exe	28

C:\Users\Admin\AppData\Local\Temp\ddb1a4bdcd1594a1a031c667bd0f15083a96681c3338d3c1f2954a181c61a03e.exe
"C:\Users\Admin\AppData\Local\Temp\ddb1a4bdcd1594a1a031c667bd0f15083a96681c3338d3c1f2954a181c61a03e.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1180
- C:\Program Files (x86)\ba81df6\jusched.exe
  "C:\Program Files (x86)\ba81df6\jusched.exe"
  2⤵
  - Executes dropped EXE
  PID:1992

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ba81df6\ba81df6

Filesize
17B

MD5
4d77d6b250ffb567743b8dbcdad695b8

SHA1
d5a8f98f9433f6d36c74df463cef3e2cf524462d

SHA256
7ec7a3a23890c3592f5b762aecf11adbf8831fad11b8048aedfa7315d599c5f2

SHA512
5655153049101fd67125d484c81f1ad30b44f36f00e3aabfe8d730a21661f4b394357b60da549289def4311b4cc7bd508d8fd6b8db254cd442b2152f8902bd71

Download Submit
C:\Program Files (x86)\ba81df6\jusched.exe

Filesize
256KB

MD5
7e65c3cb62b684ac0c269a81d3d4752c

SHA1
4b7f4dad9b30a48503ba30e88fcfb5a66f9fac96

SHA256
96891c4117013bd0c19d5899af40bd347cd94681de782f4dfee648264f1a0057

SHA512
e53920f0fc87903ac3863874db9da58de18de1bfbc3442d5aaba5868186f6840c7579f0007646a9ecaa6d2701b7d58fba83cc44696a5d2f817c0c4ed5820d2c1

Download Submit
\Program Files (x86)\ba81df6\jusched.exe

Filesize
256KB

MD5
7e65c3cb62b684ac0c269a81d3d4752c

SHA1
4b7f4dad9b30a48503ba30e88fcfb5a66f9fac96

SHA256
96891c4117013bd0c19d5899af40bd347cd94681de782f4dfee648264f1a0057

SHA512
e53920f0fc87903ac3863874db9da58de18de1bfbc3442d5aaba5868186f6840c7579f0007646a9ecaa6d2701b7d58fba83cc44696a5d2f817c0c4ed5820d2c1

Download Submit
\Program Files (x86)\ba81df6\jusched.exe

Filesize
256KB

MD5
7e65c3cb62b684ac0c269a81d3d4752c

SHA1
4b7f4dad9b30a48503ba30e88fcfb5a66f9fac96

SHA256
96891c4117013bd0c19d5899af40bd347cd94681de782f4dfee648264f1a0057

SHA512
e53920f0fc87903ac3863874db9da58de18de1bfbc3442d5aaba5868186f6840c7579f0007646a9ecaa6d2701b7d58fba83cc44696a5d2f817c0c4ed5820d2c1

Download Submit
memory/1180-54-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1180-55-0x0000000076041000-0x0000000076043000-memory.dmp

Filesize
8KB

Download
memory/1180-60-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/1992-61-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download