Analysis
- max time kernel: 110s
- max time network: 138s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 05-05-2021 08:05
Static task: static1
Behavioral task: behavioral1
  Sample: 6edb9133_by_Libranalysis.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: 6edb9133_by_Libranalysis.exe
  Resource: win10v20210410
General
- Target: 6edb9133_by_Libranalysis.exe
- Size: 300KB
- MD5: 6edb9133df37ae1e10043831628b7913
- SHA1: 325db46f8db1b8f6187013b560b48a982a8425fe
- SHA256: 059608e22160cd34726c0c7f5d6c33394ddb814bc3673670d092223a5bc6181c
- SHA512: 9a13a4e5649955fe147a24306a4e84bb9d58a896f8ff187bf665ee8a8d6d743063140d29eb1d58462ebbd6a14dfe1808e765bb4e9809f18b0e87c3a0d15ec86b
Malware Config
Signatures
- Yara rule matches
  Processes (resource | yara_rule):
  C:\Users\Admin\AppData\Local\Temp\VdzzmX.exe | aspack_v212_v242
  C:\Users\Admin\AppData\Local\Temp\VdzzmX.exe | aspack_v212_v242
- Executes dropped EXE (1 IoCs)
  Processes (pid | process):
  1904 | VdzzmX.exe
- Drops file in Program Files directory (64 IoCs)
  Processes (description | ioc | process):
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe | VdzzmX.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\rmid.exe | VdzzmX.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\tnameserv.exe | VdzzmX.exe
  File opened for modification | C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe | VdzzmX.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe | VdzzmX.exe
  File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\policytool.exe | VdzzmX.exe
  File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\ssvagent.exe | VdzzmX.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSOUC.EXE | VdzzmX.exe
  File opened for modification | C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe | VdzzmX.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Windows.Photos_16.511.8780.0_x64__8wekyb3d8bbwe\Microsoft.Photos.exe | VdzzmX.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe | VdzzmX.exe
  File opened for modification | C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe | VdzzmX.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\SDXHelperBgt.exe | VdzzmX.exe
  File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\kinit.exe | VdzzmX.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Microsoft.Msn.Weather.exe | VdzzmX.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp.exe | VdzzmX.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe | VdzzmX.exe
  File opened for modification | C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\89.0.4389.114_chrome_installer.exe | VdzzmX.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe | VdzzmX.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe | VdzzmX.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\bin\java-rmi.exe | VdzzmX.exe
  File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\java.exe | VdzzmX.exe
  File opened for modification | C:\Program Files\Windows Mail\WinMail.exe | VdzzmX.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\AppSharingHookController.exe | VdzzmX.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | VdzzmX.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\SELFCERT.EXE | VdzzmX.exe
  File opened for modification | C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateComRegisterShell64.exe | VdzzmX.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe | VdzzmX.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe | VdzzmX.exe
  File opened for modification | C:\Program Files\Windows Defender\MSASCuiL.exe | VdzzmX.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_1.1702.21039.0_x64__8wekyb3d8bbwe\3DViewer.ResourceResolver.exe | VdzzmX.exe
  File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\HxAccounts.exe | VdzzmX.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\msotd.exe | VdzzmX.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | VdzzmX.exe
  File opened for modification | C:\Program Files (x86)\Google\Update\Install\{E687748C-6A62-4AE0-B6D7-7B85689627E9}\89.0.4389.114_chrome_installer.exe | VdzzmX.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSOSREC.EXE | VdzzmX.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\Wordconv.exe | VdzzmX.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | VdzzmX.exe
  File opened for modification | C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdate.exe | VdzzmX.exe
  File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe | VdzzmX.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe | VdzzmX.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jstatd.exe | VdzzmX.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Integration\Integrator.exe | VdzzmX.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe | VdzzmX.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\rmiregistry.exe | VdzzmX.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Client\AppVLP.exe | VdzzmX.exe
  File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\HxTsr.exe | VdzzmX.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\bin\servertool.exe | VdzzmX.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PPTICO.EXE | VdzzmX.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_1.4.101.0_x64__8wekyb3d8bbwe\Microsoft.StickyNotes.exe | VdzzmX.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe | VdzzmX.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe | VdzzmX.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE | VdzzmX.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection64.exe | VdzzmX.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.Wallet_1.0.16328.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.exe | VdzzmX.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaw.exe | VdzzmX.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | VdzzmX.exe
  File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\HxCalendarAppImm.exe | VdzzmX.exe
  File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | VdzzmX.exe
  File opened for modification | C:\Program Files (x86)\Windows Mail\wab.exe | VdzzmX.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe | VdzzmX.exe
  File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.15.2003.0_x64__8wekyb3d8bbwe\GameBar.exe | VdzzmX.exe
  File opened for modification | C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateCore.exe | VdzzmX.exe
  File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | VdzzmX.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description | pid | process | target process):
  PID 3180 wrote to memory of 1904 | 3180 | 6edb9133_by_Libranalysis.exe | VdzzmX.exe
  PID 3180 wrote to memory of 1904 | 3180 | 6edb9133_by_Libranalysis.exe | VdzzmX.exe
  PID 3180 wrote to memory of 1904 | 3180 | 6edb9133_by_Libranalysis.exe | VdzzmX.exe
  PID 1904 wrote to memory of 3748 | 1904 | VdzzmX.exe | cmd.exe
  PID 1904 wrote to memory of 3748 | 1904 | VdzzmX.exe | cmd.exe
  PID 1904 wrote to memory of 3748 | 1904 | VdzzmX.exe | cmd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\6edb9133_by_Libranalysis.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6edb9133_by_Libranalysis.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\VdzzmX.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\VdzzmX.exe
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\752f12e2.bat" "
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\752f12e2.bat
  MD5: ade0e65b968138948c9f5fe7000fc520
  SHA1: 6a2851c6895fe505ea11e7db6c0253dc3e5977a6
  SHA256: ebc7a8b7dce77a376bd5396630d183c19973b3064eac8805a25188c6caf5e01b
  SHA512: ac74a73d4e36541f9131d594a0d160f8778f100f5e9b9fe821bceca7c136bcc5bcc0896cb7948d9b02d019916e1ae575f141f5920377ea2932b739d9c5cad738
- C:\Users\Admin\AppData\Local\Temp\VdzzmX.exe
  MD5: 56b2c3810dba2e939a8bb9fa36d3cf96
  SHA1: 99ee31cd4b0d6a4b62779da36e0eeecdd80589fc
  SHA256: 4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07
  SHA512: 27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e
- memory/1904-114-0x0000000000000000-mapping.dmp
- memory/3748-117-0x0000000000000000-mapping.dmp