fd7b0ab8f0c2dab25a9652914d02846e32da3298ab43d9bbfa50aec311bccb02

General

Target

fd7b0ab8f0c2dab25a9652914d02846e32da3298ab43d9bbfa50aec311bccb02.exe
Size

92KB
MD5

ee5cd74c758b461f9112ebd7cac7bd8a
SHA1

dd5eeed5640773729d1eb86838769f244009c902
SHA256

fd7b0ab8f0c2dab25a9652914d02846e32da3298ab43d9bbfa50aec311bccb02
SHA512

a786db5e0383ae5b82aa6273984c61aadad0150e68e34009cdd8d18aa90bb61852ff7c809cc020dc3e530cd88834e7734756270faa0eca1c07a9f4c58bff6568

Score

8^/10

aspackv2

Malware Config

Signatures

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\KciTJVOA.exe	aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\KciTJVOA.exe	aspack_v212_v242

Executes dropped EXE 1 IoCs

Processes:

KciTJVOA.exe

pid process

3964 KciTJVOA.exe

pid	process
3964	KciTJVOA.exe

Drops file in Program Files directory 64 IoCs

Processes:

KciTJVOA.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows Defender\ConfigSecurityPolicy.exe	KciTJVOA.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\HxTsr.exe	KciTJVOA.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateBroker.exe	KciTJVOA.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\excelcnv.exe	KciTJVOA.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOHTMED.EXE	KciTJVOA.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\HxCalendarAppImm.exe	KciTJVOA.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe	KciTJVOA.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ssvagent.exe	KciTJVOA.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.14.2002.0_x64__8wekyb3d8bbwe\SpeechToTextOverlay64-Retail.exe	KciTJVOA.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.ShowHelp.exe	KciTJVOA.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	KciTJVOA.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	KciTJVOA.exe
File opened for modification	C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe	KciTJVOA.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_x64__8wekyb3d8bbwe\OneConnect.exe	KciTJVOA.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateCore.exe	KciTJVOA.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\tnameserv.exe	KciTJVOA.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\XLICONS.EXE	KciTJVOA.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\wab.exe	KciTJVOA.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jvisualvm.exe	KciTJVOA.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE	KciTJVOA.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe	KciTJVOA.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msotd.exe	KciTJVOA.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1702.301.0_x64__8wekyb3d8bbwe\SoundRec.exe	KciTJVOA.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	KciTJVOA.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe	KciTJVOA.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.EXE	KciTJVOA.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection.exe	KciTJVOA.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.16112.11621.0_x64__8wekyb3d8bbwe\Music.UI.exe	KciTJVOA.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\native2ascii.exe	KciTJVOA.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\keytool.exe	KciTJVOA.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\filecompare.exe	KciTJVOA.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_1.0.45.0_x64__8wekyb3d8bbwe\PurchaseApp.exe	KciTJVOA.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jjs.exe	KciTJVOA.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\unpack200.exe	KciTJVOA.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ORGCHART.EXE	KciTJVOA.exe
File opened for modification	C:\Program Files\Windows Defender\Offline\OfflineScannerShell.exe	KciTJVOA.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1612.10312.0_x64__8wekyb3d8bbwe\PilotshubApp.exe	KciTJVOA.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	KciTJVOA.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\policytool.exe	KciTJVOA.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSOSYNC.EXE	KciTJVOA.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE	KciTJVOA.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleCrashHandler64.exe	KciTJVOA.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	KciTJVOA.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\pack200.exe	KciTJVOA.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ktab.exe	KciTJVOA.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Messaging_3.26.24002.0_x64__8wekyb3d8bbwe\MessagingApplication.exe	KciTJVOA.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp.exe	KciTJVOA.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\HxAccounts.exe	KciTJVOA.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe	KciTJVOA.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javacpl.exe	KciTJVOA.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\onenoteim.exe	KciTJVOA.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	KciTJVOA.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateOnDemand.exe	KciTJVOA.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\misc.exe	KciTJVOA.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	KciTJVOA.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SDXHelper.exe	KciTJVOA.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\AppSharingHookController.exe	KciTJVOA.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	KciTJVOA.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe	KciTJVOA.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE	KciTJVOA.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	KciTJVOA.exe
File opened for modification	C:\Program Files\Windows Defender\NisSrv.exe	KciTJVOA.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeHost.exe	KciTJVOA.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\rmiregistry.exe	KciTJVOA.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

fd7b0ab8f0c2dab25a9652914d02846e32da3298ab43d9bbfa50aec311bccb02.exeKciTJVOA.exe

description	pid	process	target process
PID 668 wrote to memory of 3964	668	fd7b0ab8f0c2dab25a9652914d02846e32da3298ab43d9bbfa50aec311bccb02.exe	KciTJVOA.exe
PID 668 wrote to memory of 3964	668	fd7b0ab8f0c2dab25a9652914d02846e32da3298ab43d9bbfa50aec311bccb02.exe	KciTJVOA.exe
PID 668 wrote to memory of 3964	668	fd7b0ab8f0c2dab25a9652914d02846e32da3298ab43d9bbfa50aec311bccb02.exe	KciTJVOA.exe
PID 3964 wrote to memory of 688	3964	KciTJVOA.exe	cmd.exe
PID 3964 wrote to memory of 688	3964	KciTJVOA.exe	cmd.exe
PID 3964 wrote to memory of 688	3964	KciTJVOA.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\fd7b0ab8f0c2dab25a9652914d02846e32da3298ab43d9bbfa50aec311bccb02.exe
"C:\Users\Admin\AppData\Local\Temp\fd7b0ab8f0c2dab25a9652914d02846e32da3298ab43d9bbfa50aec311bccb02.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:668

C:\Users\Admin\AppData\Local\Temp\KciTJVOA.exe
C:\Users\Admin\AppData\Local\Temp\KciTJVOA.exe
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:3964

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\47d50e42.bat" "
3⤵
PID:688

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\47d50e42.bat
MD5
24db57d6f74fa3982f4a3b6602af5a13

SHA1
df3d756688c49a5510e29071a989886190d06a08

SHA256
8208c5c6fe3f5e87bace820ce1f253b73b4793b60d21b3171d8a6801ebe1b651

SHA512
8ab6904782d4f3b99817de06d6cac129669deaee7f99db1300f3eb28493de1fb90e03fc4fb9f8113fcbfd5a7437d42b7e77d4620f6300be3f529a4ccb671a613

Download Submit
C:\Users\Admin\AppData\Local\Temp\KciTJVOA.exe
MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\KciTJVOA.exe
MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
memory/688-117-0x0000000000000000-mapping.dmp

Download
memory/3964-114-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads