Analysis
max time kernel: 152s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-12-2022 17:33
Static task: static1
Behavioral task: behavioral1
  Sample: c56196c49acd5e6e47368f45f9873e873e38a8d4fc8f4a4f77498c415aeff591.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: c56196c49acd5e6e47368f45f9873e873e38a8d4fc8f4a4f77498c415aeff591.exe
  Resource: win10v2004-20220812-en
General
Target: c56196c49acd5e6e47368f45f9873e873e38a8d4fc8f4a4f77498c415aeff591.exe
Size: 35KB
MD5: e80e355de71bf1f6092ab27f6e674c8b
SHA1: b780a5b00dce8e8d17def50917abf0028a12c60b
SHA256: c56196c49acd5e6e47368f45f9873e873e38a8d4fc8f4a4f77498c415aeff591
SHA512: 292bc38ae278f6bff9ecbd34a45daf0cf95b0c2b9d233ffb13d81f951bca8195ded8d4c4641e4790b514ddf17cf524e8e93b0f1c32f7067661cceb451dd4d0c8
SSDEEP: 768:zqqYMYa/TMfwvmjdZBMZXQ3Qin4e/Q7hcwxC:+qYMz2wvdivQ7Y
Malware Config
Extracted
Protocol: ftp
Host: ftp.tripod.com
Port: 21
Username: onthelinux
Password: 741852abc
Signatures
Executes dropped EXE (1 IoC)
  Processes: pid 2360, process jusched.exe
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation
    process: c56196c49acd5e6e47368f45f9873e873e38a8d4fc8f4a4f77498c415aeff591.exe
Drops file in Program Files directory (2 IoCs)
  Processes:
    description: File created
    ioc: C:\Program Files (x86)\Java\jre-20\bin\jusched.exe
    process: c56196c49acd5e6e47368f45f9873e873e38a8d4fc8f4a4f77498c415aeff591.exe
    description: File created
    ioc: C:\Program Files (x86)\Java\jre-20\bin\UF
    process: c56196c49acd5e6e47368f45f9873e873e38a8d4fc8f4a4f77498c415aeff591.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: pid 2360, process jusched.exe (64 identical entries)
Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description: PID 3028 wrote to memory of 2360
    pid: 3028
    process: c56196c49acd5e6e47368f45f9873e873e38a8d4fc8f4a4f77498c415aeff591.exe
    target process: jusched.exe
    (3 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\c56196c49acd5e6e47368f45f9873e873e38a8d4fc8f4a4f77498c415aeff591.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\c56196c49acd5e6e47368f45f9873e873e38a8d4fc8f4a4f77498c415aeff591.exe"
   - Checks computer location settings
   - Drops file in Program Files directory
   - Suspicious use of WriteProcessMemory
   2. C:\Program Files (x86)\Java\jre-20\bin\jusched.exe
      Command line: "C:\Program Files (x86)\Java\jre-20\bin\jusched.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Program Files (x86)\Java\jre-20\bin\UF
  Filesize: 13B
  MD5: f253efe302d32ab264a76e0ce65be769
  SHA1: 768685ca582abd0af2fbb57ca37752aa98c9372b
  SHA256: 49dca65f362fee401292ed7ada96f96295eab1e589c52e4e66bf4aedda715fdd
  SHA512: 1990d20b462406bbadb22ba43f1ed9d0db6b250881d4ac89ad8cf6e43ca92b2fd31c3a15be1e6e149e42fdb46e58122c15bc7869a82c9490656c80df69fa77c4
C:\Program Files (x86)\Java\jre-20\bin\jusched.exe
  Filesize: 35KB
  MD5: 834f5ad232c7845204c44565f93f6fcb
  SHA1: 66337651a8b4a0ea598f9cb2fa70081d114b086a
  SHA256: 17a6ac7c1c9af31c0a5ba0f098161c361992af439f7e3fc2eec4b3e3223bb802
  SHA512: 791f3ce0e0e53c83cfdd4b057e97f72f4368b4d569f3d7e3cac56c3c9119fdbb509836b2e68b270828a68f29e439718e43a74b219abef9d0553def3465e7ee19
memory/2360-132-0x0000000000000000-mapping.dmp