Analysis
- max time kernel: 130s
- max time network: 132s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 05-05-2021 02:38

Static task: static1

Behavioral task: behavioral1
  Sample: 5e88a5b2618ce9af2e3e66714c6dbe1fd26ba8dc27aacfda6b61ccf423dcb14e.exe
  Resource: win7v20210410

Behavioral task: behavioral2
  Sample: 5e88a5b2618ce9af2e3e66714c6dbe1fd26ba8dc27aacfda6b61ccf423dcb14e.exe
  Resource: win10v20210408

General
- Target: 5e88a5b2618ce9af2e3e66714c6dbe1fd26ba8dc27aacfda6b61ccf423dcb14e.exe
- Size: 208KB
- MD5: d5b127a5e33eb708ac8e8aece51d4ac5
- SHA1: 3a80aee844263f34d6151f613cf731bf8675d3be
- SHA256: 5e88a5b2618ce9af2e3e66714c6dbe1fd26ba8dc27aacfda6b61ccf423dcb14e
- SHA512: 5c06ae80cb4b1b29f3ea425be30ca4fde5b59b3bc3342bdc356deda5fd147989980ca1fe4a3676fda5dd88c328464edcefc27fc323fae2178d13db90684a0fd1
Malware Config

Signatures
- Processes:
  resource | yara_rule
  \Users\Admin\AppData\Local\Temp\LRSVPJ.exe | aspack_v212_v242
  \Users\Admin\AppData\Local\Temp\LRSVPJ.exe | aspack_v212_v242
  C:\Users\Admin\AppData\Local\Temp\LRSVPJ.exe | aspack_v212_v242
  C:\Users\Admin\AppData\Local\Temp\LRSVPJ.exe | aspack_v212_v242
- Executes dropped EXE 1 IoCs
  Processes:
  pid | process
  1432 | LRSVPJ.exe
- Loads dropped DLL 2 IoCs
  Processes:
  pid | process
  1732 | 5e88a5b2618ce9af2e3e66714c6dbe1fd26ba8dc27aacfda6b61ccf423dcb14e.exe
  1732 | 5e88a5b2618ce9af2e3e66714c6dbe1fd26ba8dc27aacfda6b61ccf423dcb14e.exe
- Drops file in Program Files directory 64 IoCs
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory 8 IoCs
  Processes:
  description | pid | process | target process
  PID 1732 wrote to memory of 1432 | 1732 | 5e88a5b2618ce9af2e3e66714c6dbe1fd26ba8dc27aacfda6b61ccf423dcb14e.exe | LRSVPJ.exe
  PID 1732 wrote to memory of 1432 | 1732 | 5e88a5b2618ce9af2e3e66714c6dbe1fd26ba8dc27aacfda6b61ccf423dcb14e.exe | LRSVPJ.exe
  PID 1732 wrote to memory of 1432 | 1732 | 5e88a5b2618ce9af2e3e66714c6dbe1fd26ba8dc27aacfda6b61ccf423dcb14e.exe | LRSVPJ.exe
  PID 1732 wrote to memory of 1432 | 1732 | 5e88a5b2618ce9af2e3e66714c6dbe1fd26ba8dc27aacfda6b61ccf423dcb14e.exe | LRSVPJ.exe
  PID 1432 wrote to memory of 1052 | 1432 | LRSVPJ.exe | cmd.exe
  PID 1432 wrote to memory of 1052 | 1432 | LRSVPJ.exe | cmd.exe
  PID 1432 wrote to memory of 1052 | 1432 | LRSVPJ.exe | cmd.exe
  PID 1432 wrote to memory of 1052 | 1432 | LRSVPJ.exe | cmd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\5e88a5b2618ce9af2e3e66714c6dbe1fd26ba8dc27aacfda6b61ccf423dcb14e.exe
  "C:\Users\Admin\AppData\Local\Temp\5e88a5b2618ce9af2e3e66714c6dbe1fd26ba8dc27aacfda6b61ccf423dcb14e.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\LRSVPJ.exe
    C:\Users\Admin\AppData\Local\Temp\LRSVPJ.exe
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\3ed567b6.bat" "
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\3ed567b6.bat
  MD5: adcb2d82da8f117ca859ffbb3e2ba30e
  SHA1: 7ff44b2587824f0a36bd467eaebd5204ebde5830
  SHA256: 1ea255fa895270f3d8626e7294c47bd8fe065cfcc883e22772773a1865d219fb
  SHA512: 5ac18ee326cfd53f22ff4073a98131e9eeab57476ce6010ee0f6d1d45c02d6132c3c9e3472a920ce8392cf116be085227f3573f95b476a50198b1aaaee0b81c3
- C:\Users\Admin\AppData\Local\Temp\LRSVPJ.exe
  MD5: 56b2c3810dba2e939a8bb9fa36d3cf96
  SHA1: 99ee31cd4b0d6a4b62779da36e0eeecdd80589fc
  SHA256: 4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07
  SHA512: 27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e
- memory/1052-67-0x0000000000000000-mapping.dmp
- memory/1432-63-0x0000000000000000-mapping.dmp
- memory/1732-60-0x0000000075161000-0x0000000075163000-memory.dmp
  Filesize: 8KB