Analysis
- max time kernel: 142s
- max time network: 151s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 05-05-2021 01:48
Static task: static1
Behavioral task: behavioral1
- Sample: f953b24631e8d163cc352274ef665f1bf2f6d81fb0e93e7a639a98337b4ae7e1.exe
- Resource: win7v20210410
Behavioral task: behavioral2
- Sample: f953b24631e8d163cc352274ef665f1bf2f6d81fb0e93e7a639a98337b4ae7e1.exe
- Resource: win10v20210408
General
- Target: f953b24631e8d163cc352274ef665f1bf2f6d81fb0e93e7a639a98337b4ae7e1.exe
- Size: 23KB
- MD5: 0efaec7ff036a52301f75e8f20b9c470
- SHA1: 84c6d8b7c255ec9684e80f3d8ea03ce55591f84a
- SHA256: f953b24631e8d163cc352274ef665f1bf2f6d81fb0e93e7a639a98337b4ae7e1
- SHA512: d6e296e1eac96a73d9182d77c5c68afb2c493ff8f10fd1ac9cdf641551259a078049e5b35215a723ab03bb1fc08d41a7af91b1fa01869140bddfefbd24289c7b
Malware Config
Signatures
- YARA rule match
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\igwhpS.exe | aspack_v212_v242
- Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  3028 | igwhpS.exe
- Drops file in Program Files directory (64 IoCs)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  description | pid | process | target process
  PID 656 wrote to memory of 3028 | 656 | f953b24631e8d163cc352274ef665f1bf2f6d81fb0e93e7a639a98337b4ae7e1.exe | igwhpS.exe
  PID 656 wrote to memory of 3028 | 656 | f953b24631e8d163cc352274ef665f1bf2f6d81fb0e93e7a639a98337b4ae7e1.exe | igwhpS.exe
  PID 656 wrote to memory of 3028 | 656 | f953b24631e8d163cc352274ef665f1bf2f6d81fb0e93e7a639a98337b4ae7e1.exe | igwhpS.exe
  PID 3028 wrote to memory of 200 | 3028 | igwhpS.exe | cmd.exe
  PID 3028 wrote to memory of 200 | 3028 | igwhpS.exe | cmd.exe
  PID 3028 wrote to memory of 200 | 3028 | igwhpS.exe | cmd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\f953b24631e8d163cc352274ef665f1bf2f6d81fb0e93e7a639a98337b4ae7e1.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\f953b24631e8d163cc352274ef665f1bf2f6d81fb0e93e7a639a98337b4ae7e1.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\igwhpS.exe
    command line: C:\Users\Admin\AppData\Local\Temp\igwhpS.exe
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\21fa4ba5.bat" "
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\21fa4ba5.bat
  MD5: c8b47666ca2f3783197ef7481a05cad5
  SHA1: d77b2b4596d43692da0823bf70e6a16713d4ce93
  SHA256: 66dc14db21e621a4f34d1f1e7b5dbc8cdda5c2d058d11d7e0e0864557b853fbe
  SHA512: dc36b272803577df0f8f5ffa26859ba51710da3181efbe6fd113bee781ed67f81c9c318b346a68b2727d4a763130d030c242d1cbd673061e9ad31c84b356facc
- C:\Users\Admin\AppData\Local\Temp\igwhpS.exe
  MD5: 56b2c3810dba2e939a8bb9fa36d3cf96
  SHA1: 99ee31cd4b0d6a4b62779da36e0eeecdd80589fc
  SHA256: 4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07
  SHA512: 27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e
- memory/200-117-0x0000000000000000-mapping.dmp
- memory/3028-114-0x0000000000000000-mapping.dmp