a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3

Analysis

max time kernel
23s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
20/10/2022, 12:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.exe
Size

357KB
MD5

a01ae943bc436190ae9571aa2a990d50
SHA1

337601af96ac8825cfb23cd66b5ac5842fcb30eb
SHA256

a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3
SHA512

61adee4eb86c1bd0998ff8d020992fdf94f6eea97241fe3fa31c30f5e010a85d3b242799f0658e0c33b450bf4f15d405f0a3f3da9a321791745f43192b81eafb
SSDEEP

6144:qTX4MGOUAqq3VAWdHm56SiwybqveHC3Z+Qh:qTudAqOm5yOvei3Dh

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1268	a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.ogr

Loads dropped DLL 1 IoCs

pid	Process
1468	a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.ogr	a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\Minesweeper\MineSweeper.ogr	a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.ogr	a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.exe
File created	\??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe	a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.exe
File opened for modification	\??\c:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.ogr	a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.exe
File created	\??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.exe
File created	\??\c:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe	a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.exe
File created	\??\c:\Program Files\Mozilla Firefox\crashreporter.exe	a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.exe
File created	\??\c:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.exe
File created	\??\c:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.exe
File created	\??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.exe
File created	\??\c:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.exe	a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.ogr	a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.exe
File opened for modification	\??\c:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.ogr	a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\Mahjong\Mahjong.ogr	a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\Solitaire\Solitaire.ogr	a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.exe
File created	\??\c:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.exe	a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.ogr	a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.ogr	a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.exe
File created	\??\c:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe	a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.exe
File created	\??\c:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.ogr	a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.exe
File created	\??\c:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_pwa_launcher.exe	a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.exe
File created	\??\c:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\Chess\Chess.ogr	a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\Purble Place\PurblePlace.ogr	a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.exe
File opened for modification	\??\c:\Program Files\Microsoft Office\Office14\MSOHTMED.ogr	a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.ogr	a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.exe
File opened for modification	\??\c:\Program Files\7-Zip\Uninstall.ogr	a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.ogr	a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.exe
File created	\??\c:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.exe
File created	\??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.exe
File opened for modification	\??\c:\Program Files\Java\jre7\bin\javacpl.ogr	a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.ogr	a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.exe
File created	\??\c:\Program Files\7-Zip\7zFM.exe	a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.exe
File opened for modification	\??\c:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.ogr	a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.exe
File created	\??\c:\Program Files\7-Zip\7zG.exe	a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.exe
File opened for modification	\??\c:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_pwa_launcher.ogr	a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.exe
File created	\??\c:\Program Files\Java\jre7\bin\javaw.exe	a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.exe
File created	\??\c:\Program Files\Microsoft Games\Mahjong\Mahjong.exe	a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.exe
File created	\??\c:\Program Files\Mozilla Firefox\default-browser-agent.exe	a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\default-browser-agent.ogr	a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.exe
File opened for modification	\??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.ogr	a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.exe
File created	\??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.exe
File opened for modification	\??\c:\Program Files\7-Zip\7zG.ogr	a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.exe
File created	\??\c:\Program Files (x86)\Google\Update\1.3.36.71\GoogleCrashHandler.exe	a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.ogr	a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.exe
File opened for modification	\??\c:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.ogr	a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.exe
File opened for modification	\??\c:\Program Files\Java\jre7\bin\jp2launcher.ogr	a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.exe
File opened for modification	\??\c:\Program Files\Java\jre7\bin\ssvagent.ogr	a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.exe
File opened for modification	\??\c:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.ogr	a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.ogr	a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.ogr	a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.exe
File created	\??\c:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.exe
File created	\??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.exe
File created	\??\c:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe	a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.exe
File created	\??\c:\Program Files\Google\Chrome\Application\chrome_proxy.exe	a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.exe
File created	\??\c:\Program Files\Microsoft Games\Chess\Chess.exe	a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\firefox.ogr	a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.exe
File opened for modification	\??\c:\Program Files\Mozilla Firefox\maintenanceservice.ogr	a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.ogr	a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.exe
File created	\??\c:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.ogr	a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.exe
File opened for modification	\??\c:\Program Files\Google\Chrome\Application\chrome.ogr	a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\oobb.exe	a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1268	a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.ogr

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1468 wrote to memory of 1268	1468	a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.exe	28
PID 1468 wrote to memory of 1268	1468	a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.exe	28
PID 1468 wrote to memory of 1268	1468	a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.exe	28
PID 1468 wrote to memory of 1268	1468	a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.exe	28
PID 1468 wrote to memory of 1268	1468	a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.exe	28
PID 1468 wrote to memory of 1268	1468	a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.exe	28
PID 1468 wrote to memory of 1268	1468	a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.exe	28

C:\Users\Admin\AppData\Local\Temp\a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.exe
"C:\Users\Admin\AppData\Local\Temp\a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1468
- C:\Users\Admin\AppData\Local\Temp\a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.ogr
  C:\Users\Admin\AppData\Local\Temp\a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.ogr
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1268

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.ogr

Filesize
297KB

MD5
3e77a952843df15aa83868227d2dc23f

SHA1
719625f13129c714bd3670621efa96c7109b6598

SHA256
ee1dd105f0bb9694b73235b012ebbe5480df2d62399b3c92b54897c3c6f0f588

SHA512
0abc74a2ec5a3bdb9951ca2b9f7c2540686c8e9979ef61503ed1d54d4847f56be14615a5185ddd0c4caf094bd31991c79ac61ac455a9ebe08da9d25a4d5d107d

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.ogr

Filesize
297KB

MD5
3e77a952843df15aa83868227d2dc23f

SHA1
719625f13129c714bd3670621efa96c7109b6598

SHA256
ee1dd105f0bb9694b73235b012ebbe5480df2d62399b3c92b54897c3c6f0f588

SHA512
0abc74a2ec5a3bdb9951ca2b9f7c2540686c8e9979ef61503ed1d54d4847f56be14615a5185ddd0c4caf094bd31991c79ac61ac455a9ebe08da9d25a4d5d107d

Download Submit
\Users\Admin\AppData\Local\Temp\a4f52b1dbb380730584795db81fcac12ffef3ae7e2144b63932e746f70af45c3.ogr

Filesize
297KB

MD5
3e77a952843df15aa83868227d2dc23f

SHA1
719625f13129c714bd3670621efa96c7109b6598

SHA256
ee1dd105f0bb9694b73235b012ebbe5480df2d62399b3c92b54897c3c6f0f588

SHA512
0abc74a2ec5a3bdb9951ca2b9f7c2540686c8e9979ef61503ed1d54d4847f56be14615a5185ddd0c4caf094bd31991c79ac61ac455a9ebe08da9d25a4d5d107d

Download Submit
memory/1268-58-0x0000000075211000-0x0000000075213000-memory.dmp

Filesize
8KB

Download
memory/1468-55-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1468-60-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download