57606f7e771a7470d6b39268eae5426f31b0b8eb8731f05c176af6a2c2aca2e9

Analysis

max time kernel
150s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
01-05-2024 21:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

57606f7e771a7470d6b39268eae5426f31b0b8eb8731f05c176af6a2c2aca2e9.exe
Size

41KB
MD5

58446d2e8ffbbc9e2e7899a997f79dcf
SHA1

6a4d47e1b1aa88755224928963a46b81bee5ee18
SHA256

57606f7e771a7470d6b39268eae5426f31b0b8eb8731f05c176af6a2c2aca2e9
SHA512

a4644a6e77229117f3861f9d7b80d064397e889f24852ccde432852e4581eba4d31d163d6966a7b5eb909c5ff47350aeac8c2971ac9ed60cf8002dd16506121a
SSDEEP

768:xIP5WOMVs4PSV06ymNNC6S7Cm1n2OBGRIWNSE77DPQ1TTGfGYhP:xI0OGrOy6NvSpMZrQ1JO

Score

9^/10

Malware Config

Signatures

Detects executables built or packed with MPress PE compressor 6 IoCs

resource	yara_rule
behavioral2/memory/1416-0-0x0000000000400000-0x0000000000473000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/files/0x000c000000023b75-6.dat	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1416-10-0x0000000000400000-0x0000000000473000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/400-12-0x0000000000400000-0x0000000000473000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/400-18-0x0000000000400000-0x0000000000473000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/400-19-0x0000000000400000-0x0000000000473000-memory.dmp	INDICATOR_EXE_Packed_MPress

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\Control Panel\International\Geo\Nation	57606f7e771a7470d6b39268eae5426f31b0b8eb8731f05c176af6a2c2aca2e9.exe

Executes dropped EXE 1 IoCs

pid	Process
400	jusched.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Java\jre-09\bin\jusched.exe	57606f7e771a7470d6b39268eae5426f31b0b8eb8731f05c176af6a2c2aca2e9.exe
File opened for modification	C:\Program Files (x86)\Java\jre-09\bin\jusched.exe	57606f7e771a7470d6b39268eae5426f31b0b8eb8731f05c176af6a2c2aca2e9.exe
File created	C:\Program Files (x86)\Java\jre-09\bin\UF	57606f7e771a7470d6b39268eae5426f31b0b8eb8731f05c176af6a2c2aca2e9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
400	jusched.exe
400	jusched.exe
400	jusched.exe
400	jusched.exe
400	jusched.exe
400	jusched.exe
400	jusched.exe
400	jusched.exe
400	jusched.exe
400	jusched.exe
400	jusched.exe
400	jusched.exe
400	jusched.exe
400	jusched.exe
400	jusched.exe
400	jusched.exe
400	jusched.exe
400	jusched.exe
400	jusched.exe
400	jusched.exe
400	jusched.exe
400	jusched.exe
400	jusched.exe
400	jusched.exe
400	jusched.exe
400	jusched.exe
400	jusched.exe
400	jusched.exe
400	jusched.exe
400	jusched.exe
400	jusched.exe
400	jusched.exe
400	jusched.exe
400	jusched.exe
400	jusched.exe
400	jusched.exe
400	jusched.exe
400	jusched.exe
400	jusched.exe
400	jusched.exe
400	jusched.exe
400	jusched.exe
400	jusched.exe
400	jusched.exe
400	jusched.exe
400	jusched.exe
400	jusched.exe
400	jusched.exe
400	jusched.exe
400	jusched.exe
400	jusched.exe
400	jusched.exe
400	jusched.exe
400	jusched.exe
400	jusched.exe
400	jusched.exe
400	jusched.exe
400	jusched.exe
400	jusched.exe
400	jusched.exe
400	jusched.exe
400	jusched.exe
400	jusched.exe
400	jusched.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1416 wrote to memory of 400	1416	57606f7e771a7470d6b39268eae5426f31b0b8eb8731f05c176af6a2c2aca2e9.exe	87
PID 1416 wrote to memory of 400	1416	57606f7e771a7470d6b39268eae5426f31b0b8eb8731f05c176af6a2c2aca2e9.exe	87
PID 1416 wrote to memory of 400	1416	57606f7e771a7470d6b39268eae5426f31b0b8eb8731f05c176af6a2c2aca2e9.exe	87

C:\Users\Admin\AppData\Local\Temp\57606f7e771a7470d6b39268eae5426f31b0b8eb8731f05c176af6a2c2aca2e9.exe
"C:\Users\Admin\AppData\Local\Temp\57606f7e771a7470d6b39268eae5426f31b0b8eb8731f05c176af6a2c2aca2e9.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1416
- C:\Program Files (x86)\Java\jre-09\bin\jusched.exe
  "C:\Program Files (x86)\Java\jre-09\bin\jusched.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Java\jre-09\bin\jusched.exe

Filesize
41KB

MD5
66f9ba90be061fb501a6efb7930fe213

SHA1
3f088aaf28e86634a23b6f2268f79a3c6437cf17

SHA256
60bda96c8ed68bd83a7229a713ae1bf319abe1e6abb71b0c9da0421b800cad23

SHA512
365ad08d5299c6865ceef6b7fd34cee94f834d1392b403c8d6e9fccc7497467270899417c61f18268cd87ca4aa0a9a975cd83bfe4210f98807570517ada54ce1

Download Submit
memory/400-12-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/400-18-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/400-19-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1416-0-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download
memory/1416-10-0x0000000000400000-0x0000000000473000-memory.dmp

Filesize
460KB

Download