Analysis
max time kernel: 96s
max time network: 95s
platform: windows7_x64
resource: win7v20210410
submitted: 05-05-2021 08:05
Static task
static1
Behavioral task
behavioral1
Sample
6edb9133_by_Libranalysis.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
6edb9133_by_Libranalysis.exe
Resource
win10v20210410
General
Target: 6edb9133_by_Libranalysis.exe
Size: 300KB
MD5: 6edb9133df37ae1e10043831628b7913
SHA1: 325db46f8db1b8f6187013b560b48a982a8425fe
SHA256: 059608e22160cd34726c0c7f5d6c33394ddb814bc3673670d092223a5bc6181c
SHA512: 9a13a4e5649955fe147a24306a4e84bb9d58a896f8ff187bf665ee8a8d6d743063140d29eb1d58462ebbd6a14dfe1808e765bb4e9809f18b0e87c3a0d15ec86b
Malware Config
Signatures
Processes:
resource | yara_rule
\Users\Admin\AppData\Local\Temp\VdzzmX.exe | aspack_v212_v242
\Users\Admin\AppData\Local\Temp\VdzzmX.exe | aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\VdzzmX.exe | aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\VdzzmX.exe | aspack_v212_v242
Executes dropped EXE 1 IoCs
Processes:
pid | process
1968 | VdzzmX.exe
Loads dropped DLL 2 IoCs
Processes:
pid | process
1888 | 6edb9133_by_Libranalysis.exe
1888 | 6edb9133_by_Libranalysis.exe
Drops file in Program Files directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
description | pid | process | target process
PID 1888 wrote to memory of 1968 | 1888 | 6edb9133_by_Libranalysis.exe | VdzzmX.exe
PID 1888 wrote to memory of 1968 | 1888 | 6edb9133_by_Libranalysis.exe | VdzzmX.exe
PID 1888 wrote to memory of 1968 | 1888 | 6edb9133_by_Libranalysis.exe | VdzzmX.exe
PID 1888 wrote to memory of 1968 | 1888 | 6edb9133_by_Libranalysis.exe | VdzzmX.exe
PID 1968 wrote to memory of 1536 | 1968 | VdzzmX.exe | cmd.exe
PID 1968 wrote to memory of 1536 | 1968 | VdzzmX.exe | cmd.exe
PID 1968 wrote to memory of 1536 | 1968 | VdzzmX.exe | cmd.exe
PID 1968 wrote to memory of 1536 | 1968 | VdzzmX.exe | cmd.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\6edb9133_by_Libranalysis.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\6edb9133_by_Libranalysis.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\VdzzmX.exe (child of 1)
      Command line: C:\Users\Admin\AppData\Local\Temp\VdzzmX.exe
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe (child of 2)
         Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\482a2a8a.bat" "
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\482a2a8a.bat
MD5: 7b263661eb00360b6d9966ab85df5b15
SHA1: d93bd4b1394c4f35e6081e958e1645587e0a691c
SHA256: b38b18823696ed067532e708c668e28ba5a0e650687512be60ec5a61b9cd6278
SHA512: d7c646b0ca1b51d1951847a672f819e53dc2d8066a99373d308fa7b3bd7a81b342b1cbbefc3420edc6e6b777ab399864f6a197b7a275d3485bc00ce5f2dbdd41

C:\Users\Admin\AppData\Local\Temp\VdzzmX.exe
MD5: 56b2c3810dba2e939a8bb9fa36d3cf96
SHA1: 99ee31cd4b0d6a4b62779da36e0eeecdd80589fc
SHA256: 4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07
SHA512: 27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e
memory/1536-65-0x0000000000000000-mapping.dmp
memory/1968-61-0x0000000000000000-mapping.dmp
memory/1968-63-0x0000000075161000-0x0000000075163000-memory.dmp
Filesize: 8KB