Analysis
- max time kernel: 152s
- max time network: 192s
- platform: windows7_x64
- resource: win7-20221111-en
- resource tags: arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
- submitted: 04-12-2022 17:33
Static task: static1
Behavioral task: behavioral1
- Sample: c56196c49acd5e6e47368f45f9873e873e38a8d4fc8f4a4f77498c415aeff591.exe
- Resource: win7-20221111-en
Behavioral task: behavioral2
- Sample: c56196c49acd5e6e47368f45f9873e873e38a8d4fc8f4a4f77498c415aeff591.exe
- Resource: win10v2004-20220812-en
General
- Target: c56196c49acd5e6e47368f45f9873e873e38a8d4fc8f4a4f77498c415aeff591.exe
- Size: 35KB
- MD5: e80e355de71bf1f6092ab27f6e674c8b
- SHA1: b780a5b00dce8e8d17def50917abf0028a12c60b
- SHA256: c56196c49acd5e6e47368f45f9873e873e38a8d4fc8f4a4f77498c415aeff591
- SHA512: 292bc38ae278f6bff9ecbd34a45daf0cf95b0c2b9d233ffb13d81f951bca8195ded8d4c4641e4790b514ddf17cf524e8e93b0f1c32f7067661cceb451dd4d0c8
- SSDEEP: 768:zqqYMYa/TMfwvmjdZBMZXQ3Qin4e/Q7hcwxC:+qYMz2wvdivQ7Y
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Process: jusched.exe (PID 2004)
- Loads dropped DLL (2 IoCs)
  Process: c56196c49acd5e6e47368f45f9873e873e38a8d4fc8f4a4f77498c415aeff591.exe (PID 1452), two load events
- Drops file in Program Files directory (2 IoCs)
  Files created by c56196c49acd5e6e47368f45f9873e873e38a8d4fc8f4a4f77498c415aeff591.exe (PID 1452):
    C:\Program Files (x86)\Java\jre-20\bin\jusched.exe
    C:\Program Files (x86)\Java\jre-20\bin\UF
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  Drive enumeration on its own is a weak indicator: this report records no file encryption or ransom-note writes, only the two file creations under Program Files listed above.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Process: jusched.exe (PID 2004), 64 occurrences
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 1452 (c56196c49acd5e6e47368f45f9873e873e38a8d4fc8f4a4f77498c415aeff591.exe) wrote to the memory of PID 2004 (jusched.exe), 4 occurrences
Processes
1. C:\Users\Admin\AppData\Local\Temp\c56196c49acd5e6e47368f45f9873e873e38a8d4fc8f4a4f77498c415aeff591.exe (PID 1452)
   Command line: "C:\Users\Admin\AppData\Local\Temp\c56196c49acd5e6e47368f45f9873e873e38a8d4fc8f4a4f77498c415aeff591.exe"
   - Loads dropped DLL
   - Drops file in Program Files directory
   - Suspicious use of WriteProcessMemory
   2. C:\Program Files (x86)\Java\jre-20\bin\jusched.exe (PID 2004, child of PID 1452)
      Command line: "C:\Program Files (x86)\Java\jre-20\bin\jusched.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      jusched.exe is the file name of the legitimate Java Update Scheduler, but this copy was written by the sample itself and, per the Downloads section, has a different SHA256 (cd031f100f6b5e3645a8aec8fa93f52576569394a658e7859ebe2d58440f4fb0) from the submitted sample (c56196c49acd5e6e47368f45f9873e873e38a8d4fc8f4a4f77498c415aeff591), so hunting on the sample's hash alone will not find the dropped binary.
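The chain the signatures and process tree describe (a process in the user's Temp directory writes an executable under Program Files, starts that file, and then writes into the child's memory) is what endpoint detection would key on. The Python below is an added example and is not part of the sandbox report or its tooling. It correlates Sysmon-style events (Event ID 11 FileCreate, 1 ProcessCreate, 10 ProcessAccess, using Sysmon's field names) and checks the spawned child's SHA-256 against the dropped-file hashes in the Downloads section. The event records are constructed here to mirror the report's PIDs, paths and hashes, plus two benign decoys; they are not real telemetry, and the additive scoring and the PROCESS_VM_WRITE bit test on GrantedAccess are assumptions for the demo.

```python
"""Correlate the drop-then-execute chain from the report over Sysmon-style events.

Added example, not part of the sandbox report. Event dicts follow Sysmon field
names (EID 11 FileCreate, EID 1 ProcessCreate, EID 10 ProcessAccess) and are
constructed here to mirror the report's PIDs and paths; they are not real telemetry.
"""
from collections import defaultdict

# SHA-256 values of the two dropped files, copied from the report's Downloads section.
REPORT_DROPPED_SHA256 = {
    "cd031f100f6b5e3645a8aec8fa93f52576569394a658e7859ebe2d58440f4fb0",  # jusched.exe
    "49dca65f362fee401292ed7ada96f96295eab1e589c52e4e66bf4aedda715fdd",  # UF
}

PROCESS_VM_WRITE = 0x0020  # access-right bit tested in the EID 10 GrantedAccess mask (assumption: demo rule)
PROGRAM_FILES = ("c:\\program files\\", "c:\\program files (x86)\\")


def in_program_files(path):
    return path.lower().startswith(PROGRAM_FILES)


def in_user_temp(path):
    return "\\appdata\\local\\temp\\" in path.lower()


def sha256_from_hashes_field(hashes):
    """Sysmon logs 'MD5=...,SHA256=...,IMPHASH=...'; return the SHA-256 in lowercase, or None."""
    for part in hashes.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def _granted_access(ev):
    """Real Sysmon logs carry GrantedAccess as a hex string such as '0x1FFFFF'; accept ints too."""
    value = ev["GrantedAccess"]
    return int(value, 16) if isinstance(value, str) else int(value)


def find_drop_and_execute(events):
    """One finding per process spawned from a file its own parent had created under Program Files."""
    dropped = defaultdict(set)  # creator pid -> lower-cased paths it created under Program Files
    by_child = {}               # child pid -> finding, for EID 10 enrichment
    findings = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 11 and in_program_files(ev["TargetFilename"]):
            dropped[ev["ProcessId"]].add(ev["TargetFilename"].lower())
        elif eid == 1:
            ppid = ev["ParentProcessId"]
            if ev["Image"].lower() in dropped.get(ppid, ()):
                digest = sha256_from_hashes_field(ev.get("Hashes", ""))
                finding = {
                    "dropper_pid": ppid,
                    "dropper_image": ev["ParentImage"],
                    "dropper_in_temp": in_user_temp(ev["ParentImage"]),
                    "child_pid": ev["ProcessId"],
                    "child_image": ev["Image"],
                    "child_sha256_is_report_ioc": digest in REPORT_DROPPED_SHA256,
                    "parent_wrote_child_memory": False,
                }
                findings.append(finding)
                by_child[ev["ProcessId"]] = finding
        elif eid == 10:
            finding = by_child.get(ev["TargetProcessId"])
            if (finding and ev["SourceProcessId"] == finding["dropper_pid"]
                    and _granted_access(ev) & PROCESS_VM_WRITE):
                finding["parent_wrote_child_memory"] = True
    return findings


def score(finding):
    """1 for drop-and-run, +1 each for a Temp dropper, a memory write into the child, an IoC hash match."""
    extras = ("dropper_in_temp", "parent_wrote_child_memory", "child_sha256_is_report_ioc")
    return 1 + sum(int(finding[k]) for k in extras)


DROPPER = r"C:\Users\Admin\AppData\Local\Temp\c56196c49acd5e6e47368f45f9873e873e38a8d4fc8f4a4f77498c415aeff591.exe"
DROPPED = r"C:\Program Files (x86)\Java\jre-20\bin\jusched.exe"

SAMPLE_EVENTS = [  # constructed; mirrors the report's process tree plus two benign decoys
    {"EventID": 11, "ProcessId": 1452, "Image": DROPPER, "TargetFilename": DROPPED},
    {"EventID": 11, "ProcessId": 1452, "Image": DROPPER,
     "TargetFilename": r"C:\Program Files (x86)\Java\jre-20\bin\UF"},
    {"EventID": 1, "ProcessId": 2004, "Image": DROPPED, "ParentProcessId": 1452, "ParentImage": DROPPER,
     "Hashes": "MD5=2026CD94BC462FA26DB23103110E401D,"
               "SHA256=CD031F100F6B5E3645A8AEC8FA93F52576569394A658E7859EBE2D58440F4FB0"},
    {"EventID": 10, "SourceProcessId": 1452, "TargetProcessId": 2004, "GrantedAccess": "0x1FFFFF"},
    # decoy 1: an installer writes into Program Files, but Explorer (not the installer) later starts that file
    {"EventID": 11, "ProcessId": 700, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Program Files\Foo\foo.exe"},
    {"EventID": 1, "ProcessId": 3100, "Image": r"C:\Program Files\Foo\foo.exe", "ParentProcessId": 1200,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Hashes": "SHA256=0000000000000000000000000000000000000000000000000000000000000000"},
    # decoy 2: a ProcessAccess event whose target was never flagged
    {"EventID": 10, "SourceProcessId": 1200, "TargetProcessId": 3100, "GrantedAccess": "0x1000"},
]

if __name__ == "__main__":
    for f in find_drop_and_execute(SAMPLE_EVENTS):
        print(score(f), f)
```

The first stage alone (create a file under Program Files, then run it) also matches a legitimate installer that writes and launches its own components, which is why the example only treats it as a base score; the Temp-directory origin of the parent, the write into the child's memory and the hash match against the report's dropped files are what lift the finding out of installer noise.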
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Program Files (x86)\Java\jre-20\bin\UF
  Filesize: 13B
  MD5: f253efe302d32ab264a76e0ce65be769
  SHA1: 768685ca582abd0af2fbb57ca37752aa98c9372b
  SHA256: 49dca65f362fee401292ed7ada96f96295eab1e589c52e4e66bf4aedda715fdd
  SHA512: 1990d20b462406bbadb22ba43f1ed9d0db6b250881d4ac89ad8cf6e43ca92b2fd31c3a15be1e6e149e42fdb46e58122c15bc7869a82c9490656c80df69fa77c4
- C:\Program Files (x86)\Java\jre-20\bin\jusched.exe
  Filesize: 35KB
  MD5: 2026cd94bc462fa26db23103110e401d
  SHA1: 061ffd7d1d89a5a43f28c6d750b7979153f5805d
  SHA256: cd031f100f6b5e3645a8aec8fa93f52576569394a658e7859ebe2d58440f4fb0
  SHA512: 0cb69260b87fd025a60c0bea96786c23d227cd2cfba7521e3a731e6dcac7787c7755b87af88ddb32a66d7bbe580a222dfa05c958d352984d2f3e463b2bb02221
- \Program Files (x86)\Java\jre-20\bin\jusched.exe
  Same size and hashes as the entry above (35KB, MD5 2026cd94bc462fa26db23103110e401d, SHA256 cd031f100f6b5e3645a8aec8fa93f52576569394a658e7859ebe2d58440f4fb0)
- memory/1452-54-0x0000000076941000-0x0000000076943000-memory.dmp
  Filesize: 8KB
- memory/2004-57-0x0000000000000000-mapping.dmp