Analysis

max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7v20210410
submitted: 05-05-2021 11:07

Static task: static1

Behavioral task: behavioral1
  Sample: b546cedc_by_Libranalysis.exe
  Resource: win7v20210410

Behavioral task: behavioral2
  Sample: b546cedc_by_Libranalysis.exe
  Resource: win10v20210410
General

Target: b546cedc_by_Libranalysis.exe
Size: 30KB
MD5: b546cedcb4435270fc5d6deba093ee84
SHA1: c477284f3a5c23df842a76d475ce998c149ac1bd
SHA256: 30a6f22e80823e7cf9e472d687f4621bc1e9b3cadb9e21db665e15bc43ebafe1
SHA512: 55b9a64f5bc29d40aab12ed631d52ce9fb33cffbd1469de808e5e96cd31117fd0ee73444044c658a08f7aaa6a071f7aa2e21d5d65d9fa5efed0cafec797ca0da
Malware Config

Signatures

- YARA rule match (packer signature)
  Processes:
    resource                                        yara_rule
    \Users\Admin\AppData\Local\Temp\dLMJbkj.exe     aspack_v212_v242
    \Users\Admin\AppData\Local\Temp\dLMJbkj.exe     aspack_v212_v242
    C:\Users\Admin\AppData\Local\Temp\dLMJbkj.exe   aspack_v212_v242
    C:\Users\Admin\AppData\Local\Temp\dLMJbkj.exe   aspack_v212_v242
- Executes dropped EXE (1 IoC)
  Processes:
    pid    process
    2008   dLMJbkj.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid    process
    1056   b546cedc_by_Libranalysis.exe
    1056   b546cedc_by_Libranalysis.exe
- Drops file in Program Files directory (64 IoCs)
  Processes: all 64 entries are "File opened for modification" by dLMJbkj.exe
    C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe
    C:\Program Files (x86)\Google\Temp\GUME011.tmp\GoogleUpdateSetup.exe
    C:\Program Files (x86)\Microsoft Office\Office14\MSOUC.EXE
    C:\Program Files\7-Zip\7z.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe
    C:\Program Files\Windows Mail\WinMail.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe
    C:\Program Files (x86)\Microsoft Office\Office14\SETLANG.EXE
    C:\Program Files (x86)\Windows Mail\wabmig.exe
    C:\Program Files\Java\jre7\bin\policytool.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe
    C:\Program Files\Mozilla Firefox\minidump-analyzer.exe
    C:\Program Files (x86)\Microsoft Office\Office14\WORDICON.EXE
    C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe
    C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe
    C:\Program Files\Mozilla Firefox\plugin-hang-ui.exe
    C:\Program Files\VideoLAN\VLC\uninstall.exe
    C:\Program Files (x86)\Windows Mail\WinMail.exe
    C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_pwa_launcher.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe
    C:\Program Files\Java\jre7\bin\kinit.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe
    C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe
    C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
    C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe
    C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe
    C:\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.EXE
    C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe
    C:\Program Files\Java\jre7\bin\rmid.exe
    C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe
    C:\Program Files (x86)\Microsoft Office\Office14\SCANPST.EXE
    C:\Program Files\DVD Maker\DVDMaker.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe
    C:\Program Files (x86)\Microsoft Office\Office14\SELFCERT.EXE
    C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe
    C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdate.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe
    C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe
    C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe
    C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe
    C:\Program Files\Java\jre7\bin\javaws.exe
    C:\Program Files\Windows Journal\PDIALOG.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe
    C:\Program Files (x86)\Microsoft Office\Office14\1033\ONELEV.EXE
    C:\Program Files (x86)\Microsoft Office\Office14\ACCICONS.EXE
    C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe
    C:\Program Files\VideoLAN\VLC\vlc.exe
    C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateOnDemand.exe
    C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe
    C:\Program Files (x86)\Microsoft Office\Office14\GROOVEMN.EXE
    C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe
    C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    description                          pid    process                        target process
    PID 1056 wrote to memory of 2008     1056   b546cedc_by_Libranalysis.exe   dLMJbkj.exe   (4 events)
    PID 2008 wrote to memory of 1064     2008   dLMJbkj.exe                    cmd.exe       (4 events)
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\b546cedc_by_Libranalysis.exe (pid 1056)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b546cedc_by_Libranalysis.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Local\Temp\dLMJbkj.exe (pid 2008)
    Command line: C:\Users\Admin\AppData\Local\Temp\dLMJbkj.exe
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Windows\SysWOW64\cmd.exe (pid 1064)
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\16464797.bat" "
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\16464797.bat
  MD5: 53e522354e1d7daec16db07611825648
  SHA1: 399dafecbfab23fddca2d46bfab7bab787a4b53f
  SHA256: 645eb554f1d9b2f7e0a8dd857ef2977b28bcc8b4c49eb9fd2d5fc10e5183fe78
  SHA512: e1770a9d0090bebd600a6267c4050d3e8d2c21bba3b4969789b682f5e1e857fafae68d6e14bf40be7610270ad385600f69fb907ade6cfc8f1ed88f1f27a53681

C:\Users\Admin\AppData\Local\Temp\dLMJbkj.exe
(listed four times in the report, twice as C:\Users\Admin\AppData\Local\Temp\dLMJbkj.exe and twice as \Users\Admin\AppData\Local\Temp\dLMJbkj.exe, with identical hashes)
  MD5: 56b2c3810dba2e939a8bb9fa36d3cf96
  SHA1: 99ee31cd4b0d6a4b62779da36e0eeecdd80589fc
  SHA256: 4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07
  SHA512: 27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Memory dumps
  memory/1056-60-0x00000000766D1000-0x00000000766D3000-memory.dmp   Filesize: 8KB
  memory/1056-67-0x0000000000400000-0x000000000040F000-memory.dmp   Filesize: 60KB
  memory/1056-68-0x0000000000400000-0x000000000040F000-memory.dmp   Filesize: 60KB
  memory/1064-69-0x0000000000000000-mapping.dmp
  memory/2008-63-0x0000000000000000-mapping.dmp