6e1c9f3c56ac2e7340ebc8d29ac2a4e6a0cb40b5442be00aa0e2bd38b3a868c1

Analysis

max time kernel
150s
max time network
173s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 14:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

146c23e2fa312567aabb9dad355e98d9_JC.exe
Size

397KB
MD5

146c23e2fa312567aabb9dad355e98d9
SHA1

b2a8b373939d7e3bee10f02040414a5018faba46
SHA256

6e1c9f3c56ac2e7340ebc8d29ac2a4e6a0cb40b5442be00aa0e2bd38b3a868c1
SHA512

0e923be9a5bff27614f28ac92b7d37393f2b694152f617f703d169e1912b46d3b13fe6b33feee267997a53b922c3bb5e13ebbee2399896c0a28637f5e84681ac
SSDEEP

1536:cXBYjfC24mFVsIgvo3X4iZpTha5VlA8mw7aoL8lYTjipvF2lR:cX+0mFmIgvo4iZhha5rZaoL8lYvQd2lR

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000\Control Panel\International\Geo\Nation	146c23e2fa312567aabb9dad355e98d9_JC.exe

Executes dropped EXE 1 IoCs

pid	Process
4356	jusched.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\2980e751\jusched.exe	146c23e2fa312567aabb9dad355e98d9_JC.exe
File created	C:\Program Files (x86)\2980e751\2980e751	146c23e2fa312567aabb9dad355e98d9_JC.exe
File created	C:\Program Files (x86)\2980e751\info_a	146c23e2fa312567aabb9dad355e98d9_JC.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\Update23.job	146c23e2fa312567aabb9dad355e98d9_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4832 wrote to memory of 4356	4832	146c23e2fa312567aabb9dad355e98d9_JC.exe	97
PID 4832 wrote to memory of 4356	4832	146c23e2fa312567aabb9dad355e98d9_JC.exe	97
PID 4832 wrote to memory of 4356	4832	146c23e2fa312567aabb9dad355e98d9_JC.exe	97

C:\Users\Admin\AppData\Local\Temp\146c23e2fa312567aabb9dad355e98d9_JC.exe
"C:\Users\Admin\AppData\Local\Temp\146c23e2fa312567aabb9dad355e98d9_JC.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4832
- C:\Program Files (x86)\2980e751\jusched.exe
  "C:\Program Files (x86)\2980e751\jusched.exe"
  2⤵
  - Executes dropped EXE
  PID:4356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\2980e751\2980e751

Filesize
17B

MD5
bff3d8f76e182194c4a2abf1aabba9f3

SHA1
07e5b604bb505a800b3e0ac16fee483b70595768

SHA256
6bc8a4f93eaa1b3e7cfa696855bf6a852cf6555d694bc03e337261a27e58246f

SHA512
0c5def3bb01ed166d4135190e131c27be4b6039987e269b6c3fca07677b3c637868397f207df631a098182a6bd3c795e6dd34541f82c5ecd6062441af0af7f50

Download Submit
C:\Program Files (x86)\2980e751\info_a

Filesize
12B

MD5
539c61a0e6e73f24318f12735051b96c

SHA1
54cfac3bfd45cdbff808aa7db49bf584a1411591

SHA256
ef081f338dab3407328dbb36b7ae48b544d96c8d085751691d2d555038ab6302

SHA512
77439277aaabbccd66cadf0239e5039bf388bde0a29b6a839e49039f5e05a70eaeffa76c847830da55bf2f6e10a6416295c9defab2e8a3ff8a7e9232df8cfcb8

Download Submit
C:\Program Files (x86)\2980e751\jusched.exe

Filesize
397KB

MD5
8ba94201f60cfd87ae596548f41ebc4b

SHA1
f692e709d7af38dcbcd9e3bdf76c856735669ffb

SHA256
a1384e67f3c6a53d602df13b6f4694cb1e3c511953c9afcde66e47aa5f3c9a30

SHA512
c5290a8b2fbf7989c27100d90250a4f117db66bd52dd7022190dff7c74b63bbb96b515146deae7850a0c1934bb71df13e86dc77a46b5bb4f60d5c8e83c6a3f72

Download Submit
C:\Program Files (x86)\2980e751\jusched.exe

Filesize
397KB

MD5
8ba94201f60cfd87ae596548f41ebc4b

SHA1
f692e709d7af38dcbcd9e3bdf76c856735669ffb

SHA256
a1384e67f3c6a53d602df13b6f4694cb1e3c511953c9afcde66e47aa5f3c9a30

SHA512
c5290a8b2fbf7989c27100d90250a4f117db66bd52dd7022190dff7c74b63bbb96b515146deae7850a0c1934bb71df13e86dc77a46b5bb4f60d5c8e83c6a3f72

Download Submit
C:\Program Files (x86)\2980e751\jusched.exe

Filesize
397KB

MD5
8ba94201f60cfd87ae596548f41ebc4b

SHA1
f692e709d7af38dcbcd9e3bdf76c856735669ffb

SHA256
a1384e67f3c6a53d602df13b6f4694cb1e3c511953c9afcde66e47aa5f3c9a30

SHA512
c5290a8b2fbf7989c27100d90250a4f117db66bd52dd7022190dff7c74b63bbb96b515146deae7850a0c1934bb71df13e86dc77a46b5bb4f60d5c8e83c6a3f72

Download Submit
memory/4356-14-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4356-18-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4832-0-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/4832-17-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download