Analysis
max time kernel: 72s
max time network: 70s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 03/10/2022, 19:07
Static task: static1
Behavioral task: behavioral1
Sample: 450a5777951ba46f37e5587e372e43c847e76b00c370077c367d30af10ef41dc.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: 450a5777951ba46f37e5587e372e43c847e76b00c370077c367d30af10ef41dc.exe
Resource: win10v2004-20220812-en
General
Target: 450a5777951ba46f37e5587e372e43c847e76b00c370077c367d30af10ef41dc.exe
Size: 130KB
MD5: 20b6cef19462a6232744e77d1edccf26
SHA1: c6a6e02ebee52899d3b33d7362a1ed5ded072c27
SHA256: 450a5777951ba46f37e5587e372e43c847e76b00c370077c367d30af10ef41dc
SHA512: 158135eeb8176f48285bcfe1d0f142b8e159cbb565eb594d6ae3a7a5d6fcbeea0bf4f67b77da530db29fe1650f755b243e0d56b348346714d4f3e789f1d3ee5e
SSDEEP: 3072:NtI74o0bB/W/e9PR4GC7+ZSsrZUcHQgsm2fGCH:3I749bBea6GS+brZUoAG
Malware Config
Signatures
resource                                      yara_rule
behavioral1/files/0x00140000000054ab-58.dat   aspack_v212_v242
behavioral1/files/0x00140000000054ab-56.dat   aspack_v212_v242
behavioral1/files/0x00140000000054ab-55.dat   aspack_v212_v242
behavioral1/files/0x00140000000054ab-60.dat   aspack_v212_v242
Executes dropped EXE 1 IoCs
pid    Process
1776   iLwyZfL.exe
Loads dropped DLL 2 IoCs
pid    Process
2036   450a5777951ba46f37e5587e372e43c847e76b00c370077c367d30af10ef41dc.exe
2036   450a5777951ba46f37e5587e372e43c847e76b00c370077c367d30af10ef41dc.exe
Drops file in Program Files directory 64 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of WriteProcessMemory 8 IoCs
description                         pid    Process                                                                  procid_target
PID 2036 wrote to memory of 1776    2036   450a5777951ba46f37e5587e372e43c847e76b00c370077c367d30af10ef41dc.exe   28
PID 2036 wrote to memory of 1776    2036   450a5777951ba46f37e5587e372e43c847e76b00c370077c367d30af10ef41dc.exe   28
PID 2036 wrote to memory of 1776    2036   450a5777951ba46f37e5587e372e43c847e76b00c370077c367d30af10ef41dc.exe   28
PID 2036 wrote to memory of 1776    2036   450a5777951ba46f37e5587e372e43c847e76b00c370077c367d30af10ef41dc.exe   28
PID 1776 wrote to memory of 316     1776   iLwyZfL.exe                                                              31
PID 1776 wrote to memory of 316     1776   iLwyZfL.exe                                                              31
PID 1776 wrote to memory of 316     1776   iLwyZfL.exe                                                              31
PID 1776 wrote to memory of 316     1776   iLwyZfL.exe                                                              31
Processes
1. C:\Users\Admin\AppData\Local\Temp\450a5777951ba46f37e5587e372e43c847e76b00c370077c367d30af10ef41dc.exe (PID: 2036)
   Command line: "C:\Users\Admin\AppData\Local\Temp\450a5777951ba46f37e5587e372e43c847e76b00c370077c367d30af10ef41dc.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\iLwyZfL.exe (PID: 1776)
      Command line: C:\Users\Admin\AppData\Local\Temp\iLwyZfL.exe
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe (PID: 316)
         Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\46353f1f.bat" "
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 189B
MD5: 477913dc10f6a11c511d4408251765c3
SHA1: 075cb5eb602af0477cabe674cb13d4b1731f8f37
SHA256: 4b5ba9b022c14a1674ff32c48911119e16d89fd0af29b9c952299e4f264c990b
SHA512: 600ad39372100067c84a74bf0cd923b7b640125f58b8077d2799a1e7da76a2ff2e38fa03c95f92bc40ab4aff5b2eb977b2f79403bf3beb662478084fe5955d31

Filesize: 15KB
MD5: 56b2c3810dba2e939a8bb9fa36d3cf96
SHA1: 99ee31cd4b0d6a4b62779da36e0eeecdd80589fc
SHA256: 4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07
SHA512: 27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e