fb79c989819bf6be653c4cfd7649510d3ac9a46bdffd3e423e18532aae862b28

General

Target

81a5c467393bb9b7d92318f15b72711e.exe
Size

212KB
MD5

81a5c467393bb9b7d92318f15b72711e
SHA1

912e1d48fd128965526250626d7d090c4f773b28
SHA256

fb79c989819bf6be653c4cfd7649510d3ac9a46bdffd3e423e18532aae862b28
SHA512

da5e7337b67e2c119079ad3730d71348779f45d1b61a85b5e0e377579291b0752f24023d9797a92e32d6e179ea37c1147f1cfd3dfd999b03eb9d165abaa3b1cb
SSDEEP

6144:5yH7xOc6H5c6HcT66vlmkNCM9yZVnQpLuNEbLc0UY9N31ya:5aeuyZVnQpWEbyY9Nf

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4904	svchost.exe
4832	81a5c467393bb9b7d92318f15b72711e.exe
4220	svchost.exe

Drops file in Program Files directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\7zG.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_pwa_launcher.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe	svchost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\svchost.exe	81a5c467393bb9b7d92318f15b72711e.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 552 wrote to memory of 4904	552	81a5c467393bb9b7d92318f15b72711e.exe	84
PID 552 wrote to memory of 4904	552	81a5c467393bb9b7d92318f15b72711e.exe	84
PID 552 wrote to memory of 4904	552	81a5c467393bb9b7d92318f15b72711e.exe	84
PID 4904 wrote to memory of 4832	4904	svchost.exe	85
PID 4904 wrote to memory of 4832	4904	svchost.exe	85
PID 4904 wrote to memory of 4832	4904	svchost.exe	85

C:\Users\Admin\AppData\Local\Temp\81a5c467393bb9b7d92318f15b72711e.exe
"C:\Users\Admin\AppData\Local\Temp\81a5c467393bb9b7d92318f15b72711e.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:552
- C:\Windows\svchost.exe
  "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\81a5c467393bb9b7d92318f15b72711e.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4904
- - C:\Users\Admin\AppData\Local\Temp\81a5c467393bb9b7d92318f15b72711e.exe
    "C:\Users\Admin\AppData\Local\Temp\81a5c467393bb9b7d92318f15b72711e.exe"
    3⤵
    - Executes dropped EXE
    PID:4832

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4220

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\81a5c467393bb9b7d92318f15b72711e.exe

Filesize
177KB

MD5
38ced7c7dca88182d3d8e02aaa889338

SHA1
c702b28c7b267d6034cd06ebfc2e7b10b6700aa9

SHA256
8b8bfe9d542b109edd6418d5679187abc1074e0c0f090c7ada0c608ce868d353

SHA512
473ccf1f9b3265c192384140a48bef06a65105ab1f7d63a274a0e06487aea477206514bce1258a3bd0b74329dd2b678c71028d6eee166a1a497dd42deaabf70d

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
83b4da0c5e91e676c355a34ad0fe73da

SHA1
09322303503ed0a70613110ca72e1bc790348882

SHA256
5ad575dccfe237328de529ea01d57917c5d639ed0d8454a01af98aaea9724110

SHA512
20183c78adbabf88ac8999521cc3e1884215f78c264f06cb017dd8749b995adc96559c5a9a39ecda3d2c34390cc5caf7dbf6b90b975d55e2ed129e1993eb5b08

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
83b4da0c5e91e676c355a34ad0fe73da

SHA1
09322303503ed0a70613110ca72e1bc790348882

SHA256
5ad575dccfe237328de529ea01d57917c5d639ed0d8454a01af98aaea9724110

SHA512
20183c78adbabf88ac8999521cc3e1884215f78c264f06cb017dd8749b995adc96559c5a9a39ecda3d2c34390cc5caf7dbf6b90b975d55e2ed129e1993eb5b08

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
83b4da0c5e91e676c355a34ad0fe73da

SHA1
09322303503ed0a70613110ca72e1bc790348882

SHA256
5ad575dccfe237328de529ea01d57917c5d639ed0d8454a01af98aaea9724110

SHA512
20183c78adbabf88ac8999521cc3e1884215f78c264f06cb017dd8749b995adc96559c5a9a39ecda3d2c34390cc5caf7dbf6b90b975d55e2ed129e1993eb5b08

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads