Analysis
- max time kernel: 74s
- max time network: 147s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 09-11-2020 20:44
Static task: static1
Behavioral task: behavioral1
- Sample: 15c86d9addf12cd01b56ccd956bb2716558450815f7d1ef2a515848e7240b6df.exe
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: 15c86d9addf12cd01b56ccd956bb2716558450815f7d1ef2a515848e7240b6df.exe
- Resource: win10v20201028
General
- Target: 15c86d9addf12cd01b56ccd956bb2716558450815f7d1ef2a515848e7240b6df.exe
- Size: 1.5MB
- MD5: 0029b584f6340836dfba8d26a8171dac
- SHA1: 6fb2d7527254faa43bea8b33a6305472505f7842
- SHA256: 15c86d9addf12cd01b56ccd956bb2716558450815f7d1ef2a515848e7240b6df
- SHA512: 6d9ff5b2aed7b9702cd993a3f2ad4a4e1db8fb127bcacac4688ebe49f3cc9391060b278801d4856cb56846f02a7dfedbb9dc543ffddc94b2f3a96ebc910a7cfd
Malware Config
Signatures
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
  3524  ichader.exe
  384   ichader.exe
  764   ichader.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description, ioc, process):
  Key created      \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run  reg.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\java = "C:\\Users\\Admin\\AppData\\Roaming\\IDM\\ichader.exe"  reg.exe
- Suspicious use of SetThreadContext (3 IoCs)
  Processes (description, pid, process, target process):
  PID 3524 set thread context of 2360  3524  ichader.exe  svchost.exe
  PID 3524 set thread context of 384   3524  ichader.exe  ichader.exe
  PID 3524 set thread context of 764   3524  ichader.exe  ichader.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (pid, process):
  2360  svchost.exe  (64 identical entries)
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (description, pid, process):
  Token: SeIncreaseQuotaPrivilege       764  ichader.exe
  Token: SeSecurityPrivilege            764  ichader.exe
  Token: SeTakeOwnershipPrivilege       764  ichader.exe
  Token: SeLoadDriverPrivilege          764  ichader.exe
  Token: SeSystemProfilePrivilege       764  ichader.exe
  Token: SeSystemtimePrivilege          764  ichader.exe
  Token: SeProfSingleProcessPrivilege   764  ichader.exe
  Token: SeIncBasePriorityPrivilege     764  ichader.exe
  Token: SeCreatePagefilePrivilege      764  ichader.exe
  Token: SeBackupPrivilege              764  ichader.exe
  Token: SeRestorePrivilege             764  ichader.exe
  Token: SeShutdownPrivilege            764  ichader.exe
  Token: SeDebugPrivilege               764  ichader.exe
  Token: SeSystemEnvironmentPrivilege   764  ichader.exe
  Token: SeChangeNotifyPrivilege        764  ichader.exe
  Token: SeRemoteShutdownPrivilege      764  ichader.exe
  Token: SeUndockPrivilege              764  ichader.exe
  Token: SeManageVolumePrivilege        764  ichader.exe
  Token: SeImpersonatePrivilege         764  ichader.exe
  Token: SeCreateGlobalPrivilege        764  ichader.exe
  Token: 33                             764  ichader.exe
  Token: 34                             764  ichader.exe
  Token: 35                             764  ichader.exe
  Token: 36                             764  ichader.exe
  Token: SeDebugPrivilege               384  ichader.exe  (40 identical entries)
- Suspicious use of SetWindowsHookEx (4 IoCs)
  Processes (pid, process):
  3524  ichader.exe
  2360  svchost.exe
  384   ichader.exe
  764   ichader.exe
- Suspicious use of WriteProcessMemory (31 IoCs)
  Processes (description, pid, process, target process):
  PID 4068 wrote to memory of 2836  4068  (blank)      reg.exe      (3 identical entries)
  PID 2960 wrote to memory of 3524  2960  (blank)      ichader.exe  (3 identical entries)
  PID 3524 wrote to memory of 2360  3524  ichader.exe  svchost.exe  (9 identical entries)
  PID 3524 wrote to memory of 384   3524  ichader.exe  ichader.exe  (8 identical entries)
  PID 3524 wrote to memory of 764   3524  ichader.exe  ichader.exe  (8 identical entries)
  The process column is blank for PIDs 4068 and 2960, which do not appear in the process tree below; the single name recorded on those rows matches the target PID (2836 is reg.exe, 3524 is ichader.exe).
Processes
- C:\Windows\SysWOW64\reg.exe
  Command line: REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "java" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\IDM\ichader.exe" /f
  PID: 2836
  - Adds Run key to start application
- C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
  Command line: "C:\Users\Admin\AppData\Roaming\IDM\ichader.exe"
  PID: 3524
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\svchost.exe
    Command line: "C:\Windows\system32\svchost.exe"
    PID: 2360
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
    Command line: "C:\Users\Admin\AppData\Roaming\IDM\ichader.exe"
    PID: 384
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
  - C:\Users\Admin\AppData\Roaming\IDM\ichader.exe
    Command line: "C:\Users\Admin\AppData\Roaming\IDM\ichader.exe"
    PID: 764
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx