69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322

Analysis

max time kernel
137s
max time network
140s
resource
win7v191014

Sharing

Copy URL

Twitter E-mail

General

Target

69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322
Sample

191025-b5ev5jw2le
SHA256

69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322

Score

N/A

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe

Drops startup file 1 IoCs

description	ioc	pid	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\start.bat	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe

Drops file in system dir 64 IoCs

description	ioc	pid	Process
File opened for modification	C:\Program Files\DECRYPT_INFORMATION.html	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Program Files\7-Zip\descript.ion	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Program Files\7-Zip\DECRYPT_INFORMATION.html	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File renamed	C:\Program Files\7-Zip\descript.ion => C:\Program Files\7-Zip\descript.ion[[email protected]].HRM	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File renamed	C:\Program Files\7-Zip\7zCon.sfx => C:\Program Files\7-Zip\7zCon.sfx[[email protected]].HRM	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File renamed	C:\Program Files\7-Zip\History.txt => C:\Program Files\7-Zip\History.txt[[email protected]].HRM	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File renamed	C:\Program Files\7-Zip\7z.sfx => C:\Program Files\7-Zip\7z.sfx[[email protected]].HRM	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File renamed	C:\Program Files\7-Zip\7-zip.chm => C:\Program Files\7-Zip\7-zip.chm[[email protected]].HRM	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Program Files\Common Files\DECRYPT_INFORMATION.html	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Program Files\7-Zip\Lang\en.ttt	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng2.txt	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lv.txt	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ko.txt	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe

Drops Office document 30 IoCs

description	ioc	pid	Process
File opened for modification	C:\Program Files\ConvertFromGet.xla	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Program Files\MountBlock.xltx	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Program Files\PublishCopy.ppt	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Program Files\UseSkip.xps	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Users\Admin\Desktop\DisableReceive.ppt	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Users\Admin\Documents\Are.docx	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Users\Admin\Desktop\StopUnregister.docx	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\SubmitConvertTo.ppsm	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\ImportOut.ppt	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\UnlockConvertTo.potm	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\SuspendEdit.xlt	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Users\Admin\Downloads\StepMeasure.pub	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Users\Admin\Downloads\UninstallStart.xps	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Users\Admin\Documents\UninstallClear.ppsm	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Users\Admin\Documents\These.docx	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Users\Admin\Documents\SplitAssert.xls	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Users\Admin\Documents\PopRevoke.potx	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Users\Admin\Documents\ExportPush.dotx	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Users\Admin\Documents\Recently.docx	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Users\Admin\Documents\LimitRead.ppt	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Users\Admin\Documents\ConvertSubmit.xls	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Users\Admin\Documents\UnblockUnprotect.xlsx	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Users\Admin\Documents\Opened.docx	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Users\Admin\Documents\Files.docx	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Users\Admin\Documents\WaitSelect.dotm	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Users\Admin\Music\RemoveOut.pot	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Users\Admin\Music\MeasureSearch.xltm	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Users\Admin\Music\ApproveTest.xlt	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Users\Admin\Music\LimitGet.xlt	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
File opened for modification	C:\Users\Admin\Music\RestoreConvertTo.xltm	1300	69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe

C:\Users\Admin\AppData\Local\Temp\69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe
"C:\Users\Admin\AppData\Local\Temp\69b5938df875b1cc5879e0a8fbcff35ddd6a4a72448f65f5a60e4782bc386322.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Drops startup file
- Drops file in system dir
- Drops Office document
PID:1300

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads