e472915725751e2ff9b6e8543e3fff1712e71d5b3c6d5653d0bd552be72a52a1

Analysis

max time kernel
150s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
17/06/2024, 03:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e472915725751e2ff9b6e8543e3fff1712e71d5b3c6d5653d0bd552be72a52a1.exe
Size

114KB
MD5

f46d782a83335b05c178404fd5ec0273
SHA1

7a5093765410935eedbaa7b49ad4782f41367305
SHA256

e472915725751e2ff9b6e8543e3fff1712e71d5b3c6d5653d0bd552be72a52a1
SHA512

25827c3b543da6b07ce85b811bf4cb6fa05aa7b7ea4a386374702aa2225284c5cf10e04dfcbc0f6d8d0cacab57e7bcf883ecaffeeabcf7046a5ecd8c87e72786
SSDEEP

768:3x/5inm+cd5rHemPXKqUEphjVuvios1rPr4adL0NqlJMU6wiK1rEKlcIQ1TTGfou:3xRsvcdCQjosnvnZ6grfQ1b4J

Score

9^/10

upx

Malware Config

Signatures

UPX dump on OEP (original entry point) 4 IoCs

resource	yara_rule
behavioral2/memory/548-0-0x0000000000400000-0x000000000044C000-memory.dmp	UPX
behavioral2/files/0x000c0000000006c5-6.dat	UPX
behavioral2/memory/1468-11-0x0000000000400000-0x000000000044C000-memory.dmp	UPX
behavioral2/memory/548-12-0x0000000000400000-0x000000000044C000-memory.dmp	UPX

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	e472915725751e2ff9b6e8543e3fff1712e71d5b3c6d5653d0bd552be72a52a1.exe

Executes dropped EXE 1 IoCs

pid	Process
1468	jusched.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/548-0-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral2/files/0x000c0000000006c5-6.dat	upx
behavioral2/memory/1468-11-0x0000000000400000-0x000000000044C000-memory.dmp	upx
behavioral2/memory/548-12-0x0000000000400000-0x000000000044C000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Java\jre-09\bin\jusched.exe	e472915725751e2ff9b6e8543e3fff1712e71d5b3c6d5653d0bd552be72a52a1.exe
File created	C:\Program Files (x86)\Java\jre-09\bin\UF	e472915725751e2ff9b6e8543e3fff1712e71d5b3c6d5653d0bd552be72a52a1.exe
File created	C:\Program Files (x86)\Java\jre-09\bin\jusched.exe	e472915725751e2ff9b6e8543e3fff1712e71d5b3c6d5653d0bd552be72a52a1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1468	jusched.exe
1468	jusched.exe
1468	jusched.exe
1468	jusched.exe
1468	jusched.exe
1468	jusched.exe
1468	jusched.exe
1468	jusched.exe
1468	jusched.exe
1468	jusched.exe
1468	jusched.exe
1468	jusched.exe
1468	jusched.exe
1468	jusched.exe
1468	jusched.exe
1468	jusched.exe
1468	jusched.exe
1468	jusched.exe
1468	jusched.exe
1468	jusched.exe
1468	jusched.exe
1468	jusched.exe
1468	jusched.exe
1468	jusched.exe
1468	jusched.exe
1468	jusched.exe
1468	jusched.exe
1468	jusched.exe
1468	jusched.exe
1468	jusched.exe
1468	jusched.exe
1468	jusched.exe
1468	jusched.exe
1468	jusched.exe
1468	jusched.exe
1468	jusched.exe
1468	jusched.exe
1468	jusched.exe
1468	jusched.exe
1468	jusched.exe
1468	jusched.exe
1468	jusched.exe
1468	jusched.exe
1468	jusched.exe
1468	jusched.exe
1468	jusched.exe
1468	jusched.exe
1468	jusched.exe
1468	jusched.exe
1468	jusched.exe
1468	jusched.exe
1468	jusched.exe
1468	jusched.exe
1468	jusched.exe
1468	jusched.exe
1468	jusched.exe
1468	jusched.exe
1468	jusched.exe
1468	jusched.exe
1468	jusched.exe
1468	jusched.exe
1468	jusched.exe
1468	jusched.exe
1468	jusched.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 548 wrote to memory of 1468	548	e472915725751e2ff9b6e8543e3fff1712e71d5b3c6d5653d0bd552be72a52a1.exe	85
PID 548 wrote to memory of 1468	548	e472915725751e2ff9b6e8543e3fff1712e71d5b3c6d5653d0bd552be72a52a1.exe	85
PID 548 wrote to memory of 1468	548	e472915725751e2ff9b6e8543e3fff1712e71d5b3c6d5653d0bd552be72a52a1.exe	85

C:\Users\Admin\AppData\Local\Temp\e472915725751e2ff9b6e8543e3fff1712e71d5b3c6d5653d0bd552be72a52a1.exe
"C:\Users\Admin\AppData\Local\Temp\e472915725751e2ff9b6e8543e3fff1712e71d5b3c6d5653d0bd552be72a52a1.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:548
- C:\Program Files (x86)\Java\jre-09\bin\jusched.exe
  "C:\Program Files (x86)\Java\jre-09\bin\jusched.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Java\jre-09\bin\jusched.exe

Filesize
114KB

MD5
7d60c7f87244a6c4eb17d9ac56234519

SHA1
9fe23f93590e23bad69e81a092fd1bec4c95f3b8

SHA256
917597ffbaacca18b1c25c6648bcc41d196399efc5e61f1b0a960812c848125a

SHA512
d5fbfaa3bfd02b285bfc78baf553141051a90d13dd5202a2332543c49d430d5bce9729535c9f19cb5da88b13f875ee61392a8b8e0c93e67de30c45fa75f4cde9

Download Submit
memory/548-0-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/548-12-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download
memory/1468-11-0x0000000000400000-0x000000000044C000-memory.dmp

Filesize
304KB

Download