7e5ee35cbbe65bf740654be40f4ac3c6c891073b96afb658eb1a42e4736618d2

General

Target

7e5ee35cbbe65bf740654be40f4ac3c6c891073b96afb658eb1a42e4736618d2.exe
Size

1.5MB
MD5

49b156bbea23cd6434d7829ed25b051a
SHA1

075007dabafb065909e0d7d1cb4a1ec05724e9ec
SHA256

7e5ee35cbbe65bf740654be40f4ac3c6c891073b96afb658eb1a42e4736618d2
SHA512

19dcbb72d9c3b065587731066bc4ad50968978c1569ae7aad8680722333555926a7977762674ec8d5d98add1c06b6e265b80687528b9689940dfc5c3f4c8460b

Score

8^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

ichader.exe

pid process

1904 ichader.exe

pid	process
1904	ichader.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1744-34-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1744-39-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/1744-40-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Loads dropped DLL 5 IoCs

Processes:

7e5ee35cbbe65bf740654be40f4ac3c6c891073b96afb658eb1a42e4736618d2.exe

pid	process
1744	7e5ee35cbbe65bf740654be40f4ac3c6c891073b96afb658eb1a42e4736618d2.exe
1744	7e5ee35cbbe65bf740654be40f4ac3c6c891073b96afb658eb1a42e4736618d2.exe
1744	7e5ee35cbbe65bf740654be40f4ac3c6c891073b96afb658eb1a42e4736618d2.exe
1744	7e5ee35cbbe65bf740654be40f4ac3c6c891073b96afb658eb1a42e4736618d2.exe
1744	7e5ee35cbbe65bf740654be40f4ac3c6c891073b96afb658eb1a42e4736618d2.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Users\\Admin\\AppData\\Roaming\\IDM\\ichader.exe"	reg.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

7e5ee35cbbe65bf740654be40f4ac3c6c891073b96afb658eb1a42e4736618d2.exe

description	pid	process	target process
PID 1492 set thread context of 1480	1492	7e5ee35cbbe65bf740654be40f4ac3c6c891073b96afb658eb1a42e4736618d2.exe	svchost.exe
PID 1492 set thread context of 1744	1492	7e5ee35cbbe65bf740654be40f4ac3c6c891073b96afb658eb1a42e4736618d2.exe	7e5ee35cbbe65bf740654be40f4ac3c6c891073b96afb658eb1a42e4736618d2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

svchost.exe

pid	process
1480	svchost.exe
1480	svchost.exe
1480	svchost.exe
1480	svchost.exe
1480	svchost.exe
1480	svchost.exe
1480	svchost.exe
1480	svchost.exe
1480	svchost.exe
1480	svchost.exe
1480	svchost.exe
1480	svchost.exe
1480	svchost.exe
1480	svchost.exe
1480	svchost.exe
1480	svchost.exe
1480	svchost.exe
1480	svchost.exe
1480	svchost.exe
1480	svchost.exe
1480	svchost.exe
1480	svchost.exe
1480	svchost.exe
1480	svchost.exe
1480	svchost.exe
1480	svchost.exe
1480	svchost.exe
1480	svchost.exe
1480	svchost.exe
1480	svchost.exe
1480	svchost.exe
1480	svchost.exe
1480	svchost.exe
1480	svchost.exe
1480	svchost.exe
1480	svchost.exe
1480	svchost.exe
1480	svchost.exe
1480	svchost.exe
1480	svchost.exe
1480	svchost.exe
1480	svchost.exe
1480	svchost.exe
1480	svchost.exe
1480	svchost.exe
1480	svchost.exe
1480	svchost.exe
1480	svchost.exe
1480	svchost.exe
1480	svchost.exe
1480	svchost.exe
1480	svchost.exe
1480	svchost.exe
1480	svchost.exe
1480	svchost.exe
1480	svchost.exe
1480	svchost.exe
1480	svchost.exe
1480	svchost.exe
1480	svchost.exe
1480	svchost.exe
1480	svchost.exe
1480	svchost.exe
1480	svchost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

7e5ee35cbbe65bf740654be40f4ac3c6c891073b96afb658eb1a42e4736618d2.exesvchost.exe7e5ee35cbbe65bf740654be40f4ac3c6c891073b96afb658eb1a42e4736618d2.exeichader.exe

pid	process
1492	7e5ee35cbbe65bf740654be40f4ac3c6c891073b96afb658eb1a42e4736618d2.exe
1480	svchost.exe
1744	7e5ee35cbbe65bf740654be40f4ac3c6c891073b96afb658eb1a42e4736618d2.exe
1904	ichader.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

7e5ee35cbbe65bf740654be40f4ac3c6c891073b96afb658eb1a42e4736618d2.exe7e5ee35cbbe65bf740654be40f4ac3c6c891073b96afb658eb1a42e4736618d2.execmd.exe

description	pid	process	target process
PID 1492 wrote to memory of 1480	1492	7e5ee35cbbe65bf740654be40f4ac3c6c891073b96afb658eb1a42e4736618d2.exe	svchost.exe
PID 1492 wrote to memory of 1480	1492	7e5ee35cbbe65bf740654be40f4ac3c6c891073b96afb658eb1a42e4736618d2.exe	svchost.exe
PID 1492 wrote to memory of 1480	1492	7e5ee35cbbe65bf740654be40f4ac3c6c891073b96afb658eb1a42e4736618d2.exe	svchost.exe
PID 1492 wrote to memory of 1480	1492	7e5ee35cbbe65bf740654be40f4ac3c6c891073b96afb658eb1a42e4736618d2.exe	svchost.exe
PID 1492 wrote to memory of 1480	1492	7e5ee35cbbe65bf740654be40f4ac3c6c891073b96afb658eb1a42e4736618d2.exe	svchost.exe
PID 1492 wrote to memory of 1480	1492	7e5ee35cbbe65bf740654be40f4ac3c6c891073b96afb658eb1a42e4736618d2.exe	svchost.exe
PID 1492 wrote to memory of 1480	1492	7e5ee35cbbe65bf740654be40f4ac3c6c891073b96afb658eb1a42e4736618d2.exe	svchost.exe
PID 1492 wrote to memory of 1480	1492	7e5ee35cbbe65bf740654be40f4ac3c6c891073b96afb658eb1a42e4736618d2.exe	svchost.exe
PID 1492 wrote to memory of 1480	1492	7e5ee35cbbe65bf740654be40f4ac3c6c891073b96afb658eb1a42e4736618d2.exe	svchost.exe
PID 1492 wrote to memory of 1480	1492	7e5ee35cbbe65bf740654be40f4ac3c6c891073b96afb658eb1a42e4736618d2.exe	svchost.exe
PID 1492 wrote to memory of 1744	1492	7e5ee35cbbe65bf740654be40f4ac3c6c891073b96afb658eb1a42e4736618d2.exe	7e5ee35cbbe65bf740654be40f4ac3c6c891073b96afb658eb1a42e4736618d2.exe
PID 1492 wrote to memory of 1744	1492	7e5ee35cbbe65bf740654be40f4ac3c6c891073b96afb658eb1a42e4736618d2.exe	7e5ee35cbbe65bf740654be40f4ac3c6c891073b96afb658eb1a42e4736618d2.exe
PID 1492 wrote to memory of 1744	1492	7e5ee35cbbe65bf740654be40f4ac3c6c891073b96afb658eb1a42e4736618d2.exe	7e5ee35cbbe65bf740654be40f4ac3c6c891073b96afb658eb1a42e4736618d2.exe
PID 1492 wrote to memory of 1744	1492	7e5ee35cbbe65bf740654be40f4ac3c6c891073b96afb658eb1a42e4736618d2.exe	7e5ee35cbbe65bf740654be40f4ac3c6c891073b96afb658eb1a42e4736618d2.exe
PID 1492 wrote to memory of 1744	1492	7e5ee35cbbe65bf740654be40f4ac3c6c891073b96afb658eb1a42e4736618d2.exe	7e5ee35cbbe65bf740654be40f4ac3c6c891073b96afb658eb1a42e4736618d2.exe
PID 1492 wrote to memory of 1744	1492	7e5ee35cbbe65bf740654be40f4ac3c6c891073b96afb658eb1a42e4736618d2.exe	7e5ee35cbbe65bf740654be40f4ac3c6c891073b96afb658eb1a42e4736618d2.exe
PID 1492 wrote to memory of 1744	1492	7e5ee35cbbe65bf740654be40f4ac3c6c891073b96afb658eb1a42e4736618d2.exe	7e5ee35cbbe65bf740654be40f4ac3c6c891073b96afb658eb1a42e4736618d2.exe
PID 1492 wrote to memory of 1744	1492	7e5ee35cbbe65bf740654be40f4ac3c6c891073b96afb658eb1a42e4736618d2.exe	7e5ee35cbbe65bf740654be40f4ac3c6c891073b96afb658eb1a42e4736618d2.exe
PID 1744 wrote to memory of 1880	1744	7e5ee35cbbe65bf740654be40f4ac3c6c891073b96afb658eb1a42e4736618d2.exe	cmd.exe
PID 1744 wrote to memory of 1880	1744	7e5ee35cbbe65bf740654be40f4ac3c6c891073b96afb658eb1a42e4736618d2.exe	cmd.exe
PID 1744 wrote to memory of 1880	1744	7e5ee35cbbe65bf740654be40f4ac3c6c891073b96afb658eb1a42e4736618d2.exe	cmd.exe
PID 1744 wrote to memory of 1880	1744	7e5ee35cbbe65bf740654be40f4ac3c6c891073b96afb658eb1a42e4736618d2.exe	cmd.exe
PID 1880 wrote to memory of 1888	1880	cmd.exe	reg.exe
PID 1880 wrote to memory of 1888	1880	cmd.exe	reg.exe
PID 1880 wrote to memory of 1888	1880	cmd.exe	reg.exe
PID 1880 wrote to memory of 1888	1880	cmd.exe	reg.exe
PID 1744 wrote to memory of 1904	1744	7e5ee35cbbe65bf740654be40f4ac3c6c891073b96afb658eb1a42e4736618d2.exe	ichader.exe
PID 1744 wrote to memory of 1904	1744	7e5ee35cbbe65bf740654be40f4ac3c6c891073b96afb658eb1a42e4736618d2.exe	ichader.exe
PID 1744 wrote to memory of 1904	1744	7e5ee35cbbe65bf740654be40f4ac3c6c891073b96afb658eb1a42e4736618d2.exe	ichader.exe
PID 1744 wrote to memory of 1904	1744	7e5ee35cbbe65bf740654be40f4ac3c6c891073b96afb658eb1a42e4736618d2.exe	ichader.exe

C:\Users\Admin\AppData\Local\Temp\7e5ee35cbbe65bf740654be40f4ac3c6c891073b96afb658eb1a42e4736618d2.exe
"C:\Users\Admin\AppData\Local\Temp\7e5ee35cbbe65bf740654be40f4ac3c6c891073b96afb658eb1a42e4736618d2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1492

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\system32\svchost.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1480

C:\Users\Admin\AppData\Local\Temp\7e5ee35cbbe65bf740654be40f4ac3c6c891073b96afb658eb1a42e4736618d2.exe
"C:\Users\Admin\AppData\Local\Temp\7e5ee35cbbe65bf740654be40f4ac3c6c891073b96afb658eb1a42e4736618d2.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1744

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\MIIUR.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:1880

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "java" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\IDM\ichader.exe" /f
4⤵
- Adds Run key to start application
PID:1888

C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
"C:\Users\Admin\AppData\Roaming\IDM\ichader.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1904

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MIIUR.bat
MD5
92353035f01403e26aa2ff51c3963238

SHA1
d13f167c73bfce23a2deab8ce7c4ce9f78759ff4

SHA256
2e72a8542f8f809bfb1e4adfb481c7c5e6dc00dda7970c74692ba8d83ea0a870

SHA512
74560e33477caae3c7bc13914e4ae3c6911bbcfe257b2833155c236a158db0aca17478beb9d97f648ff1ea566005260f511361771c74203195107f4e82cce7df

Download Submit
C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
MD5
b785c2290f2479d8b040cd9a5b1f843b

SHA1
4eea4cdde8532fb28567825a86c3f161f4e6db5e

SHA256
3b32b442071dfd98011e25b2a3468ca770a2681f67b7cdba4b73ad904708466f

SHA512
8bc8beebe4c64dacf3145ccf33074dbecce030cef3b9e9e7d45bbda7728d223507cdb43d7acc00b229cbfe6d81e4555675409b8b3f3f885efb99873272347b75

Download Submit
\Users\Admin\AppData\Roaming\IDM\ichader.exe
MD5
b785c2290f2479d8b040cd9a5b1f843b

SHA1
4eea4cdde8532fb28567825a86c3f161f4e6db5e

SHA256
3b32b442071dfd98011e25b2a3468ca770a2681f67b7cdba4b73ad904708466f

SHA512
8bc8beebe4c64dacf3145ccf33074dbecce030cef3b9e9e7d45bbda7728d223507cdb43d7acc00b229cbfe6d81e4555675409b8b3f3f885efb99873272347b75

Download Submit
\Users\Admin\AppData\Roaming\IDM\ichader.exe
MD5
b785c2290f2479d8b040cd9a5b1f843b

SHA1
4eea4cdde8532fb28567825a86c3f161f4e6db5e

SHA256
3b32b442071dfd98011e25b2a3468ca770a2681f67b7cdba4b73ad904708466f

SHA512
8bc8beebe4c64dacf3145ccf33074dbecce030cef3b9e9e7d45bbda7728d223507cdb43d7acc00b229cbfe6d81e4555675409b8b3f3f885efb99873272347b75

Download Submit
\Users\Admin\AppData\Roaming\IDM\ichader.exe
MD5
b785c2290f2479d8b040cd9a5b1f843b

SHA1
4eea4cdde8532fb28567825a86c3f161f4e6db5e

SHA256
3b32b442071dfd98011e25b2a3468ca770a2681f67b7cdba4b73ad904708466f

SHA512
8bc8beebe4c64dacf3145ccf33074dbecce030cef3b9e9e7d45bbda7728d223507cdb43d7acc00b229cbfe6d81e4555675409b8b3f3f885efb99873272347b75

Download Submit
\Users\Admin\AppData\Roaming\IDM\ichader.exe
MD5
b785c2290f2479d8b040cd9a5b1f843b

SHA1
4eea4cdde8532fb28567825a86c3f161f4e6db5e

SHA256
3b32b442071dfd98011e25b2a3468ca770a2681f67b7cdba4b73ad904708466f

SHA512
8bc8beebe4c64dacf3145ccf33074dbecce030cef3b9e9e7d45bbda7728d223507cdb43d7acc00b229cbfe6d81e4555675409b8b3f3f885efb99873272347b75

Download Submit
\Users\Admin\AppData\Roaming\IDM\ichader.exe
MD5
b785c2290f2479d8b040cd9a5b1f843b

SHA1
4eea4cdde8532fb28567825a86c3f161f4e6db5e

SHA256
3b32b442071dfd98011e25b2a3468ca770a2681f67b7cdba4b73ad904708466f

SHA512
8bc8beebe4c64dacf3145ccf33074dbecce030cef3b9e9e7d45bbda7728d223507cdb43d7acc00b229cbfe6d81e4555675409b8b3f3f885efb99873272347b75

Download Submit
memory/1480-31-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1480-35-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1480-33-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1480-32-0x000000000040B000-mapping.dmp

Download
memory/1492-26-0x00000000006B8000-0x00000000006B9000-memory.dmp

Filesize
4KB

Download
memory/1492-12-0x00000000006B6000-0x00000000006B7000-memory.dmp

Filesize
4KB

Download
memory/1492-17-0x00000000006B6000-0x00000000006B7000-memory.dmp

Filesize
4KB

Download
memory/1492-18-0x00000000006B6000-0x00000000006B7000-memory.dmp

Filesize
4KB

Download
memory/1492-19-0x00000000006B6000-0x00000000006B7000-memory.dmp

Filesize
4KB

Download
memory/1492-22-0x00000000006B6000-0x00000000006B7000-memory.dmp

Filesize
4KB

Download
memory/1492-23-0x00000000006B6000-0x00000000006B7000-memory.dmp

Filesize
4KB

Download
memory/1492-24-0x00000000006B6000-0x00000000006B7000-memory.dmp

Filesize
4KB

Download
memory/1492-25-0x00000000006B6000-0x00000000006B7000-memory.dmp

Filesize
4KB

Download
memory/1492-2-0x00000000006B6000-0x00000000006B7000-memory.dmp

Filesize
4KB

Download
memory/1492-27-0x00000000006B8000-0x00000000006B9000-memory.dmp

Filesize
4KB

Download
memory/1492-28-0x00000000006B6000-0x00000000006B7000-memory.dmp

Filesize
4KB

Download
memory/1492-29-0x00000000006B6000-0x00000000006B7000-memory.dmp

Filesize
4KB

Download
memory/1492-30-0x00000000006B6000-0x00000000006B7000-memory.dmp

Filesize
4KB

Download
memory/1492-13-0x00000000006B6000-0x00000000006B7000-memory.dmp

Filesize
4KB

Download
memory/1492-16-0x00000000006B6000-0x00000000006B7000-memory.dmp

Filesize
4KB

Download
memory/1492-11-0x00000000006B6000-0x00000000006B7000-memory.dmp

Filesize
4KB

Download
memory/1492-3-0x00000000006B6000-0x00000000006B7000-memory.dmp

Filesize
4KB

Download
memory/1492-10-0x00000000006B6000-0x00000000006B7000-memory.dmp

Filesize
4KB

Download
memory/1492-4-0x00000000006B6000-0x00000000006B7000-memory.dmp

Filesize
4KB

Download
memory/1492-5-0x00000000006B6000-0x00000000006B7000-memory.dmp

Filesize
4KB

Download
memory/1492-6-0x00000000006B6000-0x00000000006B7000-memory.dmp

Filesize
4KB

Download
memory/1492-7-0x00000000006B6000-0x00000000006B7000-memory.dmp

Filesize
4KB

Download
memory/1492-8-0x00000000006B6000-0x00000000006B7000-memory.dmp

Filesize
4KB

Download
memory/1492-9-0x00000000006B6000-0x00000000006B7000-memory.dmp

Filesize
4KB

Download
memory/1744-40-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1744-39-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1744-36-0x00000000004085D0-mapping.dmp

Download
memory/1744-34-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/1880-43-0x0000000000000000-mapping.dmp

Download
memory/1888-45-0x0000000000000000-mapping.dmp

Download
memory/1904-51-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads