8766e669aab07c4e6f56397446b6ebc6b7c37931ad5a813d0312d92ed2b67e0e

General

Target

start_here_win.exe
Size

521KB
MD5

da9f07b300f7ff62ca475ff279f3b485
SHA1

445535ba3062dca5c2907f862e451870e77b1290
SHA256

8766e669aab07c4e6f56397446b6ebc6b7c37931ad5a813d0312d92ed2b67e0e
SHA512

53e96040b74e83ad2aea37c2aa07b9b0222c5fecee9b4897a1f14e571d1ea8cbca853f4d880f07a75bb403d9ba85504235869def779346b2e1af51073b767aed

Score

4^/10

Malware Config

Signatures

Drops file in Program Files directory 64 IoCs

Processes:

start_here_win.exe

description	ioc	process
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Source Engine\OSE.EXE	start_here_win.exe
File opened for modification	C:\Program Files\7-Zip\g7zFM.exe	start_here_win.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	start_here_win.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	start_here_win.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\gchrome.exe.sig	start_here_win.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\gjabswitch.ico	start_here_win.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE	start_here_win.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE	start_here_win.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\gmisc.exe	start_here_win.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\fr-FR\ShapeCollector.exe.mui	start_here_win.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe	start_here_win.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\gidlj.exe	start_here_win.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe	start_here_win.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe	start_here_win.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe	start_here_win.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	start_here_win.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\gjava-rmi.exe	start_here_win.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\java.exe	start_here_win.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe	start_here_win.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe	start_here_win.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jabswitch.exe	start_here_win.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\gjsadebugd.ico	start_here_win.exe
File created	C:\Program Files\7-Zip\7z.exe	start_here_win.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	start_here_win.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\gsetup.exe	start_here_win.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\iexplore.exe.mui	start_here_win.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\gjar.ico	start_here_win.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\gjavafxpackager.ico	start_here_win.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\gjsadebugd.exe	start_here_win.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-1000-0000000FF1CE}\gmisc.ico	start_here_win.exe
File opened for modification	C:\Program Files\7-Zip\g7zG.exe	start_here_win.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	start_here_win.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\gjavafxpackager.exe	start_here_win.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe	start_here_win.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\gjstack.ico	start_here_win.exe
File created	C:\Program Files\Mozilla Firefox\gcrashreporter.ico	start_here_win.exe
File opened for modification	C:\Program Files\Windows Defender\it-IT\OfflineScannerShell.exe.mui	start_here_win.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\gjjs.ico	start_here_win.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\gcom.oracle.jmc.executable.win32.win32.x86_64_5.ico	start_here_win.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe	start_here_win.exe
File opened for modification	C:\Program Files\7-Zip\gUninstall.exe	start_here_win.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\gappvcleaner.ico	start_here_win.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\it-IT\msinfo32.exe.mui	start_here_win.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	start_here_win.exe
File created	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	start_here_win.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\gchrome.exe.ico	start_here_win.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\gjar.exe	start_here_win.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\gjhat.ico	start_here_win.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe	start_here_win.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\jrunscript.exe	start_here_win.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\gjstat.ico	start_here_win.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\gjabswitch.exe	start_here_win.exe
File opened for modification	C:\Program Files\Mozilla Firefox\RCXB032.tmp	start_here_win.exe
File opened for modification	C:\Program Files\SuspendSkip.exe	start_here_win.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	start_here_win.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ja-JP\InputPersonalization.exe.mui	start_here_win.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\es-ES\msinfo32.exe.mui	start_here_win.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\gelevation_service.exe	start_here_win.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\RCXAB55.tmp	start_here_win.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\gAppSharingHookController.exe	start_here_win.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe	start_here_win.exe
File created	C:\Program Files\7-Zip\gUninstall.ico	start_here_win.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\gIntegratedOffice.ico	start_here_win.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\en-US\InputPersonalization.exe.mui	start_here_win.exe

Drops file in Windows directory 1 IoCs

Processes:

start_here_win.exe

description ioc process

File opened for modification C:\Windows\bfsvc.exe start_here_win.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\bfsvc.exe	start_here_win.exe

C:\Users\Admin\AppData\Local\Temp\start_here_win.exe
"C:\Users\Admin\AppData\Local\Temp\start_here_win.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
PID:3864

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads