Analysis

max time kernel: 64s
max time network: 67s
platform: windows7_x64
resource: win7v20210410
submitted: 05-05-2021 01:43

Static task: static1

Behavioral task: behavioral1
Sample: fc1c4f173d0a2f217744a5b0f6419a02a9fd5ac364332e6ef463ac6edb91d154.exe
Resource: win7v20210410

Behavioral task: behavioral2
Sample: fc1c4f173d0a2f217744a5b0f6419a02a9fd5ac364332e6ef463ac6edb91d154.exe
Resource: win10v20210408

General

Target: fc1c4f173d0a2f217744a5b0f6419a02a9fd5ac364332e6ef463ac6edb91d154.exe
Size: 123KB
MD5: 17ecc03660333b453b7cd0fe2886089c
SHA1: 01c9d8f4c9e28bd8c33b0a89f614f690f4c07dcf
SHA256: fc1c4f173d0a2f217744a5b0f6419a02a9fd5ac364332e6ef463ac6edb91d154
SHA512: ff4fa12d75672baa3b63305f386ef17bef680a98591b40eeff58da2082cbdd55ae8763b7d1c9ea975061570adaa20cae0ab4357e5482eb7eb55e1fac54b2b184
Malware Config
Signatures
-
Processes:
resource                                        yara_rule
\Users\Admin\AppData\Local\Temp\IoZHGq.exe      aspack_v212_v242
\Users\Admin\AppData\Local\Temp\IoZHGq.exe      aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\IoZHGq.exe    aspack_v212_v242
C:\Users\Admin\AppData\Local\Temp\IoZHGq.exe    aspack_v212_v242
-
Executes dropped EXE 1 IoCs
Processes:
pid    process
2024   IoZHGq.exe
-
Loads dropped DLL 2 IoCs
Processes:
pid    process
1104   fc1c4f173d0a2f217744a5b0f6419a02a9fd5ac364332e6ef463ac6edb91d154.exe
1104   fc1c4f173d0a2f217744a5b0f6419a02a9fd5ac364332e6ef463ac6edb91d154.exe
-
Drops file in Program Files directory 64 IoCs
Processes: IoZHGq.exe (64 "File opened for modification" IoCs under C:\Program Files and C:\Program Files (x86))
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
description                         pid    process                                                                   target process
PID 1104 wrote to memory of 2024    1104   fc1c4f173d0a2f217744a5b0f6419a02a9fd5ac364332e6ef463ac6edb91d154.exe   IoZHGq.exe
PID 1104 wrote to memory of 2024    1104   fc1c4f173d0a2f217744a5b0f6419a02a9fd5ac364332e6ef463ac6edb91d154.exe   IoZHGq.exe
PID 1104 wrote to memory of 2024    1104   fc1c4f173d0a2f217744a5b0f6419a02a9fd5ac364332e6ef463ac6edb91d154.exe   IoZHGq.exe
PID 1104 wrote to memory of 2024    1104   fc1c4f173d0a2f217744a5b0f6419a02a9fd5ac364332e6ef463ac6edb91d154.exe   IoZHGq.exe
PID 2024 wrote to memory of 1168    2024   IoZHGq.exe                                                                cmd.exe
PID 2024 wrote to memory of 1168    2024   IoZHGq.exe                                                                cmd.exe
PID 2024 wrote to memory of 1168    2024   IoZHGq.exe                                                                cmd.exe
PID 2024 wrote to memory of 1168    2024   IoZHGq.exe                                                                cmd.exe
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\fc1c4f173d0a2f217744a5b0f6419a02a9fd5ac364332e6ef463ac6edb91d154.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\fc1c4f173d0a2f217744a5b0f6419a02a9fd5ac364332e6ef463ac6edb91d154.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\IoZHGq.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IoZHGq.exe
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\cmd.exe
         Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\09ae56c5.bat" "
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\09ae56c5.bat
MD5: fa2ca493ca85486622b9da55b73c50c3
SHA1: 93ed3c1b7d45fb2583c25f3784adad9ae91870a4
SHA256: e515186dabd2b62cd5ea25fdd0ff56c44787cf1a9e081db568385d7c9284f1af
SHA512: 9668e48fe969cffe1cc8592593b097efaccc429aae46f59812a0ed0fbe34cb3e5d682602b9007f6a04f2bf3a4e86b0b6809b87ca0eab8c81dda86309b6d0c26e
-
C:\Users\Admin\AppData\Local\Temp\IoZHGq.exe
MD5: 56b2c3810dba2e939a8bb9fa36d3cf96
SHA1: 99ee31cd4b0d6a4b62779da36e0eeecdd80589fc
SHA256: 4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07
SHA512: 27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e
-
\Users\Admin\AppData\Local\Temp\IoZHGq.exe
MD5: 56b2c3810dba2e939a8bb9fa36d3cf96
SHA1: 99ee31cd4b0d6a4b62779da36e0eeecdd80589fc
SHA256: 4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07
SHA512: 27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e
-
memory/1168-65-0x0000000000000000-mapping.dmp
-
memory/2024-61-0x0000000000000000-mapping.dmp
-
memory/2024-63-0x0000000076E11000-0x0000000076E13000-memory.dmp
Filesize: 8KB