12c42cae4fcababe097a8d3ef2aea22e7c62b8ad61a5cc9c52eff1d11a7f4ea8

Analysis

max time kernel
150s
max time network
144s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/12/2023, 16:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7d99983f89dc32fda43d776cb33e3357.exe
Size

35KB
MD5

7d99983f89dc32fda43d776cb33e3357
SHA1

8cc20c7c9c44458ec7b2c776e57f4e25fc8dec58
SHA256

12c42cae4fcababe097a8d3ef2aea22e7c62b8ad61a5cc9c52eff1d11a7f4ea8
SHA512

8f9a26f2161f7d392de7639b587f6b30ed3fcd2bd3407fba612650ef2e32c7515e446dd61e64460552a6c709852474039a904cbcaa66088ffb2e37272ba80c2c
SSDEEP

768:NqQoj/dSzNVQ1mDNJWbKEdBMQXQ3Cn4eQQWrcwxZ:MQoj/YNJcAQW5

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2900	jusched.exe

Loads dropped DLL 2 IoCs

pid	Process
456	7d99983f89dc32fda43d776cb33e3357.exe
456	7d99983f89dc32fda43d776cb33e3357.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Java\jre-19\bin\jusched.exe	7d99983f89dc32fda43d776cb33e3357.exe
File created	C:\Program Files (x86)\Java\jre-19\bin\UF	7d99983f89dc32fda43d776cb33e3357.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2900	jusched.exe
2900	jusched.exe
2900	jusched.exe
2900	jusched.exe
2900	jusched.exe
2900	jusched.exe
2900	jusched.exe
2900	jusched.exe
2900	jusched.exe
2900	jusched.exe
2900	jusched.exe
2900	jusched.exe
2900	jusched.exe
2900	jusched.exe
2900	jusched.exe
2900	jusched.exe
2900	jusched.exe
2900	jusched.exe
2900	jusched.exe
2900	jusched.exe
2900	jusched.exe
2900	jusched.exe
2900	jusched.exe
2900	jusched.exe
2900	jusched.exe
2900	jusched.exe
2900	jusched.exe
2900	jusched.exe
2900	jusched.exe
2900	jusched.exe
2900	jusched.exe
2900	jusched.exe
2900	jusched.exe
2900	jusched.exe
2900	jusched.exe
2900	jusched.exe
2900	jusched.exe
2900	jusched.exe
2900	jusched.exe
2900	jusched.exe
2900	jusched.exe
2900	jusched.exe
2900	jusched.exe
2900	jusched.exe
2900	jusched.exe
2900	jusched.exe
2900	jusched.exe
2900	jusched.exe
2900	jusched.exe
2900	jusched.exe
2900	jusched.exe
2900	jusched.exe
2900	jusched.exe
2900	jusched.exe
2900	jusched.exe
2900	jusched.exe
2900	jusched.exe
2900	jusched.exe
2900	jusched.exe
2900	jusched.exe
2900	jusched.exe
2900	jusched.exe
2900	jusched.exe
2900	jusched.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 456 wrote to memory of 2900	456	7d99983f89dc32fda43d776cb33e3357.exe	28
PID 456 wrote to memory of 2900	456	7d99983f89dc32fda43d776cb33e3357.exe	28
PID 456 wrote to memory of 2900	456	7d99983f89dc32fda43d776cb33e3357.exe	28
PID 456 wrote to memory of 2900	456	7d99983f89dc32fda43d776cb33e3357.exe	28

C:\Users\Admin\AppData\Local\Temp\7d99983f89dc32fda43d776cb33e3357.exe
"C:\Users\Admin\AppData\Local\Temp\7d99983f89dc32fda43d776cb33e3357.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:456
- C:\Program Files (x86)\Java\jre-19\bin\jusched.exe
  "C:\Program Files (x86)\Java\jre-19\bin\jusched.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Java\jre-19\bin\UF

Filesize
13B

MD5
f253efe302d32ab264a76e0ce65be769

SHA1
768685ca582abd0af2fbb57ca37752aa98c9372b

SHA256
49dca65f362fee401292ed7ada96f96295eab1e589c52e4e66bf4aedda715fdd

SHA512
1990d20b462406bbadb22ba43f1ed9d0db6b250881d4ac89ad8cf6e43ca92b2fd31c3a15be1e6e149e42fdb46e58122c15bc7869a82c9490656c80df69fa77c4

Download Submit
C:\Program Files (x86)\Java\jre-19\bin\jusched.exe

Filesize
35KB

MD5
242e90e862a79e30680cbaad6e77fdfd

SHA1
218ba729a47f15916553315faaaec3925333c676

SHA256
998c25de3ac80ee1afcdc646e69699c789c34e37b5e639ac67a9fe25eec1c110

SHA512
9a372b63e1592442ce3b86f64799bcfd1613c17ef34564a54c4dc8823192fb69081c64445ffdc9d8c8c226b71e26cad276a4f4fae0fd6f77c6037945ab0eddbe

Download Submit
\Program Files (x86)\Java\jre-19\bin\jusched.exe

Filesize
20KB

MD5
43ed12bacb54e47444ec3d5caf7cd8b7

SHA1
042cd94a427f91e39fa62081c0940d60ea43acd5

SHA256
3e6bac3eb23683bea2b395d5f9e5ada9dd97221375b913bcb1bf04e32792b2a0

SHA512
f8bda8827078a6f0b74c3dc79d186dfdece5892bc2f4b0ae854bbd96ddca3a1ecb3f6cc1654127dc46a8d93e582b1a7e651e4d811439de1c69ae4a56ccb19350

Download Submit
\Program Files (x86)\Java\jre-19\bin\jusched.exe

Filesize
4KB

MD5
2a56d6f629e34150a9164b3a9a971828

SHA1
72ae50723a2ab0e16494ce54ee6239b4491342e6

SHA256
9496e3609d643f55c21d06688bdef93214d5e88304b14e46185536135aa61b55

SHA512
af872857a0aea262f57824d8a92bfaf5bf9166ba8855465c070e1598cae08bb84b0dce0e008d5407175cf13cc486459f5c3f72f9eb13070fb11497420f8338b9

Download Submit
memory/456-0-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/456-6-0x00000000003C0000-0x00000000003D9000-memory.dmp

Filesize
100KB

Download
memory/456-13-0x00000000003C0000-0x00000000003D9000-memory.dmp

Filesize
100KB

Download
memory/456-12-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2900-14-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download