Analysis
max time kernel: 47s
max time network: 52s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 20/10/2022, 03:17
Static task: static1
Behavioral task: behavioral1
  Sample: 22ae5ed3dfaa5d3b199418f2b9648e7f742f3223d7948bc298ebf8c2edf2618a.exe
  Resource: win7-20220901-en
Behavioral task: behavioral2
  Sample: 22ae5ed3dfaa5d3b199418f2b9648e7f742f3223d7948bc298ebf8c2edf2618a.exe
  Resource: win10v2004-20220812-en
General
Target: 22ae5ed3dfaa5d3b199418f2b9648e7f742f3223d7948bc298ebf8c2edf2618a.exe
Size: 144KB
MD5: 80494e8dc046c051a3613f5df97eb2e1
SHA1: eab828ba9283ea86f1f532e1d0bfd97568e88665
SHA256: 22ae5ed3dfaa5d3b199418f2b9648e7f742f3223d7948bc298ebf8c2edf2618a
SHA512: 4314e7226851c860ba3776d7126486a88bcd85bb1ccfb3dff7b3f91465cd4bc12f75521e201cb21b79d8e8e5dcfed85fa6618575d3670d4dcc5336c328dce273
SSDEEP: 3072:69B1XWAnsOQ6TN1ZgvSRI8jU5713K3qpVPg7dbKToN:41RnsO17MeI8wL3WqpV45bKTo
Malware Config
Signatures
resource | yara_rule
behavioral1/files/0x000500000000b2d2-55.dat | aspack_v212_v242
behavioral1/files/0x000500000000b2d2-57.dat | aspack_v212_v242

Executes dropped EXE 1 IoCs
pid | Process
628 | 611929c5.exe
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleCrashHandler64.exe | 611929c5.exe
File opened for modification | C:\Program Files (x86)\Windows Mail\WinMail.exe | 611929c5.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe | 611929c5.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe | 611929c5.exe
File opened for modification | C:\Program Files\Microsoft Games\Hearts\Hearts.exe | 611929c5.exe
File opened for modification | C:\Program Files\Microsoft Games\Minesweeper\MineSweeper.exe | 611929c5.exe
File opened for modification | C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.exe | 611929c5.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe | 611929c5.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe | 611929c5.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe | 611929c5.exe
File opened for modification | C:\Program Files\Mozilla Firefox\plugin-container.exe | 611929c5.exe
File opened for modification | C:\Program Files\Windows Mail\wab.exe | 611929c5.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\SELFCERT.EXE | 611929c5.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe | 611929c5.exe
File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe | 611929c5.exe
File opened for modification | C:\Program Files\Java\jre7\bin\unpack200.exe | 611929c5.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | 611929c5.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe | 611929c5.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe | 611929c5.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe | 611929c5.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe | 611929c5.exe
File opened for modification | C:\Program Files\Java\jre7\bin\pack200.exe | 611929c5.exe
File opened for modification | C:\Program Files\Windows Mail\WinMail.exe | 611929c5.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe | 611929c5.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe | 611929c5.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe | 611929c5.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe | 611929c5.exe
File opened for modification | C:\Program Files\Java\jre7\bin\keytool.exe | 611929c5.exe
File opened for modification | C:\Program Files\Java\jre7\bin\orbd.exe | 611929c5.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe | 611929c5.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.EXE | 611929c5.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\IEContentService.exe | 611929c5.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\VPREVIEW.EXE | 611929c5.exe
File opened for modification | C:\Program Files\Java\jre7\bin\jabswitch.exe | 611929c5.exe
File opened for modification | C:\Program Files\Java\jre7\bin\javaws.exe | 611929c5.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | 611929c5.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe | 611929c5.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe | 611929c5.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe | 611929c5.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe | 611929c5.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe | 611929c5.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\INFOPATH.EXE | 611929c5.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OIS.EXE | 611929c5.exe
File opened for modification | C:\Program Files\Java\jre7\bin\kinit.exe | 611929c5.exe
File opened for modification | C:\Program Files\Java\jre7\bin\servertool.exe | 611929c5.exe
File opened for modification | C:\Program Files\Microsoft Office\Office14\MSOHTMED.EXE | 611929c5.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice.exe | 611929c5.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | 611929c5.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE | 611929c5.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe | 611929c5.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe | 611929c5.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe | 611929c5.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe | 611929c5.exe
File opened for modification | C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe | 611929c5.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\SETLANG.EXE | 611929c5.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe | 611929c5.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe | 611929c5.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLSERVER.EXE | 611929c5.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PPTICO.EXE | 611929c5.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe | 611929c5.exe
File opened for modification | C:\Program Files\Java\jre7\bin\javaw.exe | 611929c5.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome.exe | 611929c5.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe | 611929c5.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe | 611929c5.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of WriteProcessMemory 8 IoCs
description | pid | Process | procid_target
PID 960 wrote to memory of 628 | 960 | 22ae5ed3dfaa5d3b199418f2b9648e7f742f3223d7948bc298ebf8c2edf2618a.exe | 27
PID 960 wrote to memory of 628 | 960 | 22ae5ed3dfaa5d3b199418f2b9648e7f742f3223d7948bc298ebf8c2edf2618a.exe | 27
PID 960 wrote to memory of 628 | 960 | 22ae5ed3dfaa5d3b199418f2b9648e7f742f3223d7948bc298ebf8c2edf2618a.exe | 27
PID 960 wrote to memory of 628 | 960 | 22ae5ed3dfaa5d3b199418f2b9648e7f742f3223d7948bc298ebf8c2edf2618a.exe | 27
PID 628 wrote to memory of 1624 | 628 | 611929c5.exe | 30
PID 628 wrote to memory of 1624 | 628 | 611929c5.exe | 30
PID 628 wrote to memory of 1624 | 628 | 611929c5.exe | 30
PID 628 wrote to memory of 1624 | 628 | 611929c5.exe | 30
Processes
1. C:\Users\Admin\AppData\Local\Temp\22ae5ed3dfaa5d3b199418f2b9648e7f742f3223d7948bc298ebf8c2edf2618a.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\22ae5ed3dfaa5d3b199418f2b9648e7f742f3223d7948bc298ebf8c2edf2618a.exe"
   PID: 960
   - Suspicious use of WriteProcessMemory
   2. C:\611929c5.exe
      Command line: C:\611929c5.exe
      PID: 628
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe
         Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\7d9c52bf.bat" "
         PID: 1624
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 15KB
MD5: e351365b4bc9f244b8424288e2cdbcbd
SHA1: f2d70670f8d230a59b453ae4cf4738e7675221a2
SHA256: d511d476b6777335ed6d1bc3ce7efdf84a91bf04a6514c263c28caec186e09ee
SHA512: 263f3db3f4d4d7e4d8cfef8663ab9dbebfa3f6606c1eca0fe0fbcaa867e0980617972d1e15c888fd7c849b4d17e457e877991c55ea82c10e8033662e26520864

Filesize: 15KB
MD5: e351365b4bc9f244b8424288e2cdbcbd
SHA1: f2d70670f8d230a59b453ae4cf4738e7675221a2
SHA256: d511d476b6777335ed6d1bc3ce7efdf84a91bf04a6514c263c28caec186e09ee
SHA512: 263f3db3f4d4d7e4d8cfef8663ab9dbebfa3f6606c1eca0fe0fbcaa867e0980617972d1e15c888fd7c849b4d17e457e877991c55ea82c10e8033662e26520864

Filesize: 129B
MD5: 08fcf318a5ef5b8872f4809ffba0e40c
SHA1: 7045be640a22adbd58f1652ce195263df9a60ebc
SHA256: 8b3ad7a98741e9c9682124f8f37c9c280e108b101dcd465bf7b5228a06a4b5cb
SHA512: 049f5bb44cf12e7a46305d00bd13132e0d1c7f76f8a85e5e1965685b6acc05e38a6c10938488634713a2178c73b7de4445c828f5f51e0f9ec4745085c3756fbc