Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system -
submitted
20-09-2022 17:05
Static task
static1
Behavioral task
behavioral1
Sample
f3b8ee7118e287ed4befdbe45a691976.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
f3b8ee7118e287ed4befdbe45a691976.exe
Resource
win10v2004-20220812-en
General
-
Target
f3b8ee7118e287ed4befdbe45a691976.exe
-
Size
174KB
-
MD5
f3b8ee7118e287ed4befdbe45a691976
-
SHA1
289aef108fd2e03ae5b3c486794ea508e133d6b0
-
SHA256
e86c570f79b224efed4875e6e34f50152ebfee53c105057a54181c092a5725b2
-
SHA512
609ce24bdf42fb20cc883a163f4e256a3aa77d749b4763af7fdb44806d17f460fafad88b9d6fff4a9a85a4f95a80de2e05f00cdb815edb11100638f0ef717498
-
SSDEEP
3072:nyH99g4byc6H5c6HcT66vlmm+pDYuCeO8jWjFTw14Q2gu0TliwnN2QwEGqSlnUzj:nyH7xOc6H5c6HcT66vlmVcMOJjFUDRTb
Malware Config
Signatures
-
Executes dropped EXE 4 IoCs
pid   Process
1212  svchost.exe
3912  f3b8ee7118e287ed4befdbe45a691976.exe
2220  svchost.exe
4768  Au_.exe
-
Loads dropped DLL 4 IoCs
pid   Process
4768  Au_.exe
4768  Au_.exe
4768  Au_.exe
4768  Au_.exe
-
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 1 IoCs
description    ioc                     Process
File created   C:\Windows\svchost.exe  f3b8ee7118e287ed4befdbe45a691976.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 9 IoCs
description                       pid   Process                               procid_target
PID 2592 wrote to memory of 1212  2592  f3b8ee7118e287ed4befdbe45a691976.exe  80
PID 2592 wrote to memory of 1212  2592  f3b8ee7118e287ed4befdbe45a691976.exe  80
PID 2592 wrote to memory of 1212  2592  f3b8ee7118e287ed4befdbe45a691976.exe  80
PID 1212 wrote to memory of 3912  1212  svchost.exe                           81
PID 1212 wrote to memory of 3912  1212  svchost.exe                           81
PID 1212 wrote to memory of 3912  1212  svchost.exe                           81
PID 3912 wrote to memory of 4768  3912  f3b8ee7118e287ed4befdbe45a691976.exe  83
PID 3912 wrote to memory of 4768  3912  f3b8ee7118e287ed4befdbe45a691976.exe  83
PID 3912 wrote to memory of 4768  3912  f3b8ee7118e287ed4befdbe45a691976.exe  83
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\f3b8ee7118e287ed4befdbe45a691976.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f3b8ee7118e287ed4befdbe45a691976.exe"
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2592
  Level 2: C:\Windows\svchost.exe
    Command line: "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\f3b8ee7118e287ed4befdbe45a691976.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1212
    Level 3: C:\Users\Admin\AppData\Local\Temp\f3b8ee7118e287ed4befdbe45a691976.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\f3b8ee7118e287ed4befdbe45a691976.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID:3912
      Level 4: C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
        - Executes dropped EXE
        - Loads dropped DLL
        PID:4768
-
Level 1: C:\Windows\svchost.exe
  Command line: C:\Windows\svchost.exe
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2220
Network
MITRE ATT&CK Enterprise v6
Downloads