06854b1791a34db58a90d540987db3e2cfafdffb9ef0d1c10fbee7ba4244bc12

General

Target

06854b1791a34db58a90d540987db3e2cfafdffb9ef0d1c10fbee7ba4244bc12.exe
Size

527KB
MD5

0ab1282908b88245cd942610cdc4e406
SHA1

ea63c5d71b773acfd973662d6527e47c409c5c2e
SHA256

06854b1791a34db58a90d540987db3e2cfafdffb9ef0d1c10fbee7ba4244bc12
SHA512

b67badedd61ad09b7820e8443a621b10ce736c07e899fe3809902a8e41b6291530c0384a3b6534baca0582a9e0d15b3a99b76567ca286a119f251cf2c1c01462
SSDEEP

6144:2yH7xOc6H5c6HcT66vlmkO/PJcxWi+V5BkaDxb+U9mmdWK0oZURRJkU0f3ekGa:2a8/PJyWi+V5BRxXndWK0oZURRJJbK

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4764	svchost.exe
4852	06854b1791a34db58a90d540987db3e2cfafdffb9ef0d1c10fbee7ba4244bc12.exe
3336	svchost.exe

Drops file in Program Files directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe	svchost.exe
File opened for modification	C:\Program Files\RedoStart.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_pwa_launcher.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe	svchost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\svchost.exe	06854b1791a34db58a90d540987db3e2cfafdffb9ef0d1c10fbee7ba4244bc12.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4872 wrote to memory of 4764	4872	06854b1791a34db58a90d540987db3e2cfafdffb9ef0d1c10fbee7ba4244bc12.exe	85
PID 4872 wrote to memory of 4764	4872	06854b1791a34db58a90d540987db3e2cfafdffb9ef0d1c10fbee7ba4244bc12.exe	85
PID 4872 wrote to memory of 4764	4872	06854b1791a34db58a90d540987db3e2cfafdffb9ef0d1c10fbee7ba4244bc12.exe	85
PID 4764 wrote to memory of 4852	4764	svchost.exe	86
PID 4764 wrote to memory of 4852	4764	svchost.exe	86
PID 4764 wrote to memory of 4852	4764	svchost.exe	86

C:\Users\Admin\AppData\Local\Temp\06854b1791a34db58a90d540987db3e2cfafdffb9ef0d1c10fbee7ba4244bc12.exe
"C:\Users\Admin\AppData\Local\Temp\06854b1791a34db58a90d540987db3e2cfafdffb9ef0d1c10fbee7ba4244bc12.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4872
- C:\Windows\svchost.exe
  "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\06854b1791a34db58a90d540987db3e2cfafdffb9ef0d1c10fbee7ba4244bc12.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4764
- - C:\Users\Admin\AppData\Local\Temp\06854b1791a34db58a90d540987db3e2cfafdffb9ef0d1c10fbee7ba4244bc12.exe
    "C:\Users\Admin\AppData\Local\Temp\06854b1791a34db58a90d540987db3e2cfafdffb9ef0d1c10fbee7ba4244bc12.exe"
    3⤵
    - Executes dropped EXE
    PID:4852

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3336

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\06854b1791a34db58a90d540987db3e2cfafdffb9ef0d1c10fbee7ba4244bc12.exe

Filesize
491KB

MD5
0c51c90feae33974458b33d93d7ccc18

SHA1
1ec8108b871bfe3b64032321087cd21d62d33c64

SHA256
d6fa0be51a74459e4d4d57cb516e2276e85cee6818cca723c39a21e43ed399c6

SHA512
5d8bd77c437a662cce75fcf9d18002bf0ef5d0771086c3d23d6e1c2321c4b675867397093b956f11d75fa2da43897a30e8daefe200081a72859b54d814ca4a47

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads