49d8b027c9d095bb835f45b187fa86313b2a68b30478dc37ad9f84544db0b178

Analysis

max time kernel
139s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2022 21:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

49d8b027c9d095bb835f45b187fa86313b2a68b30478dc37ad9f84544db0b178.exe
Size

655KB
MD5

0e37709d6a2e4d0ebe78aabe0bb7d720
SHA1

9ce0009add5e6f9c831b314e1207e745927f819c
SHA256

49d8b027c9d095bb835f45b187fa86313b2a68b30478dc37ad9f84544db0b178
SHA512

69c2177be73c7d8e78c8d2a7e7fb4d86f2ff12bb514e0cb349b85eccc16793ee7e942940ce38cc1c0fc31ce4ac1f7efb1774d775b5d06a6742d5a85968802c7a
SSDEEP

12288:2am8n4/PwF2fexgA/WaeGZYCfKrFwUVjeiVwUeTeMRNZVpWJ+:2amF/oF2fegsWaee/sh+UeTnRN2+

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4744	svchost.exe
1360	49d8b027c9d095bb835f45b187fa86313b2a68b30478dc37ad9f84544db0b178.exe
2076	svchost.exe

Drops file in Program Files directory 58 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstat.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstack.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\NortonInstaller\{397E31AA-0D78-4649-A01C-339D73A2ED35}\NSS\LicenseType\2.7.0.52	49d8b027c9d095bb835f45b187fa86313b2a68b30478dc37ad9f84544db0b178.exe
File opened for modification	C:\Program Files (x86)\NortonInstaller\{397E31AA-0D78-4649-A01C-339D73A2ED35}\NSS\LicenseType\2.7.0.52\InstStub.exe	49d8b027c9d095bb835f45b187fa86313b2a68b30478dc37ad9f84544db0b178.exe
File created	C:\Program Files (x86)\NortonInstaller\{397E31AA-0D78-4649-A01C-339D73A2ED35}\NSS\LicenseType\2.7.0.52\fallback.dat	49d8b027c9d095bb835f45b187fa86313b2a68b30478dc37ad9f84544db0b178.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	svchost.exe
File created	C:\Program Files (x86)\NortonInstaller\{397E31AA-0D78-4649-A01C-339D73A2ED35}\NSS\LicenseType\2.7.0.52\InstStub.exe	49d8b027c9d095bb835f45b187fa86313b2a68b30478dc37ad9f84544db0b178.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmap.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jrunscript.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	svchost.exe
File opened for modification	C:\Program Files (x86)\NortonInstaller\{397E31AA-0D78-4649-A01C-339D73A2ED35}\_lck\_{397E31AA-0D78-4649-A01C-339D73A2ED35}G	49d8b027c9d095bb835f45b187fa86313b2a68b30478dc37ad9f84544db0b178.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jvisualvm.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstatd.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_pwa_launcher.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe	svchost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\svchost.exe	49d8b027c9d095bb835f45b187fa86313b2a68b30478dc37ad9f84544db0b178.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1556 wrote to memory of 4744	1556	49d8b027c9d095bb835f45b187fa86313b2a68b30478dc37ad9f84544db0b178.exe	80
PID 1556 wrote to memory of 4744	1556	49d8b027c9d095bb835f45b187fa86313b2a68b30478dc37ad9f84544db0b178.exe	80
PID 1556 wrote to memory of 4744	1556	49d8b027c9d095bb835f45b187fa86313b2a68b30478dc37ad9f84544db0b178.exe	80
PID 4744 wrote to memory of 1360	4744	svchost.exe	81
PID 4744 wrote to memory of 1360	4744	svchost.exe	81
PID 4744 wrote to memory of 1360	4744	svchost.exe	81

C:\Users\Admin\AppData\Local\Temp\49d8b027c9d095bb835f45b187fa86313b2a68b30478dc37ad9f84544db0b178.exe
"C:\Users\Admin\AppData\Local\Temp\49d8b027c9d095bb835f45b187fa86313b2a68b30478dc37ad9f84544db0b178.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1556
- C:\Windows\svchost.exe
  "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\49d8b027c9d095bb835f45b187fa86313b2a68b30478dc37ad9f84544db0b178.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4744
- - C:\Users\Admin\AppData\Local\Temp\49d8b027c9d095bb835f45b187fa86313b2a68b30478dc37ad9f84544db0b178.exe
    "C:\Users\Admin\AppData\Local\Temp\49d8b027c9d095bb835f45b187fa86313b2a68b30478dc37ad9f84544db0b178.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:1360

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:2076

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\49d8b027c9d095bb835f45b187fa86313b2a68b30478dc37ad9f84544db0b178.exe

Filesize
619KB

MD5
545ef1999559cb93552943c7bf4e2e10

SHA1
1720849438fc24820c456d9048346e369a96910b

SHA256
48b1fa00d4c011c92e89b403d9e3b56b4acf398e2afb9364877fcb7e6ebc0579

SHA512
f6c85c31043ff7dd9d4b8aec53aae3c899acb95a2bdcc60f5772439d83ebb39bea71162e93add2c4b4a32f6375dfafb4183227c95f0481b99335ffd909ece2bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\49d8b027c9d095bb835f45b187fa86313b2a68b30478dc37ad9f84544db0b178.exe

Filesize
619KB

MD5
545ef1999559cb93552943c7bf4e2e10

SHA1
1720849438fc24820c456d9048346e369a96910b

SHA256
48b1fa00d4c011c92e89b403d9e3b56b4acf398e2afb9364877fcb7e6ebc0579

SHA512
f6c85c31043ff7dd9d4b8aec53aae3c899acb95a2bdcc60f5772439d83ebb39bea71162e93add2c4b4a32f6375dfafb4183227c95f0481b99335ffd909ece2bc

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
d9388c699c90425c544fafbd3e76d050

SHA1
259c77c0c962d3ed5e5c8cdb45136bcb7b0d6c85

SHA256
789927116a7af35162ae6e438536a90ad996a20ffbe060d615881ae62897e2c9

SHA512
3cc2632ec5933adcc8c17d7c5a5216a7ad7a09c7210cc6508901d0352f812ff48220bf928fb5804397c80ea2c443622df525f68dbc8f6667e30043913c2c9cd4

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
d9388c699c90425c544fafbd3e76d050

SHA1
259c77c0c962d3ed5e5c8cdb45136bcb7b0d6c85

SHA256
789927116a7af35162ae6e438536a90ad996a20ffbe060d615881ae62897e2c9

SHA512
3cc2632ec5933adcc8c17d7c5a5216a7ad7a09c7210cc6508901d0352f812ff48220bf928fb5804397c80ea2c443622df525f68dbc8f6667e30043913c2c9cd4

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
d9388c699c90425c544fafbd3e76d050

SHA1
259c77c0c962d3ed5e5c8cdb45136bcb7b0d6c85

SHA256
789927116a7af35162ae6e438536a90ad996a20ffbe060d615881ae62897e2c9

SHA512
3cc2632ec5933adcc8c17d7c5a5216a7ad7a09c7210cc6508901d0352f812ff48220bf928fb5804397c80ea2c443622df525f68dbc8f6667e30043913c2c9cd4

Download Submit
memory/1360-135-0x0000000000000000-mapping.dmp

Download
memory/4744-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads