Analysis

max time kernel: 152s
max time network: 130s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-11-2022 19:04

Static task: static1

Behavioral task: behavioral1
Sample: 5ad7755aa97aebc6b988bc654e2063a83c7aacea6eb9f0fa33e04065e7081963.exe
Resource: win7-20220901-en

Behavioral task: behavioral2
Sample: 5ad7755aa97aebc6b988bc654e2063a83c7aacea6eb9f0fa33e04065e7081963.exe
Resource: win10v2004-20220901-en

General

Target: 5ad7755aa97aebc6b988bc654e2063a83c7aacea6eb9f0fa33e04065e7081963.exe
Size: 1.3MB
MD5: 4f3e63ea821166af038f8e318df52c8b
SHA1: 634e04d7f88a5f85d3013e01c1e0a22b60cbb95b
SHA256: 5ad7755aa97aebc6b988bc654e2063a83c7aacea6eb9f0fa33e04065e7081963
SHA512: cc02e42b9f9ed69703a12e98b357575583503e5ba9bc13f7a49107a587e6a5367e2091d846e6f6fcd751848b40917ad863639cbe6fa75413ff322d98d421630b
SSDEEP: 24576:vaq8NexQy005uHKy4j59z+SnF4p7H8RJn0Es3b4iffsL2mfXw+rB:6NexQI5uH14jPBnF4pmmEo4iffODN
Malware Config
Signatures

Executes dropped EXE (4 IoCs)
Processes (pid, process):
  2824  svchost.exe
  4100  5ad7755aa97aebc6b988bc654e2063a83c7aacea6eb9f0fa33e04065e7081963.exe
  2308  svchost.exe
  4932  is-DL9C6.tmp
Drops file in Program Files directory (64 IoCs)
Process: svchost.exe; every entry is "File opened for modification" on an executable under C:\Program Files (columns: description, ioc, process)
Drops file in Windows directory (1 IoCs)
Process: 5ad7755aa97aebc6b988bc654e2063a83c7aacea6eb9f0fa33e04065e7081963.exe
  description: File created
  ioc: C:\Windows\svchost.exe
  process: 5ad7755aa97aebc6b988bc654e2063a83c7aacea6eb9f0fa33e04065e7081963.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious use of WriteProcessMemory (9 IoCs)
Processes: 5ad7755aa97aebc6b988bc654e2063a83c7aacea6eb9f0fa33e04065e7081963.exe, svchost.exe, 5ad7755aa97aebc6b988bc654e2063a83c7aacea6eb9f0fa33e04065e7081963.exe
Entries (description | pid | process | target process); each was logged three times, giving the nine IoCs:
  PID 1092 wrote to memory of 2824 | 1092 | 5ad7755aa97aebc6b988bc654e2063a83c7aacea6eb9f0fa33e04065e7081963.exe | svchost.exe  (x3)
  PID 2824 wrote to memory of 4100 | 2824 | svchost.exe | 5ad7755aa97aebc6b988bc654e2063a83c7aacea6eb9f0fa33e04065e7081963.exe  (x3)
  PID 4100 wrote to memory of 4932 | 4100 | 5ad7755aa97aebc6b988bc654e2063a83c7aacea6eb9f0fa33e04065e7081963.exe | is-DL9C6.tmp  (x3)
Processes

C:\Users\Admin\AppData\Local\Temp\5ad7755aa97aebc6b988bc654e2063a83c7aacea6eb9f0fa33e04065e7081963.exe  (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\5ad7755aa97aebc6b988bc654e2063a83c7aacea6eb9f0fa33e04065e7081963.exe"
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID: 1092
  C:\Windows\svchost.exe  (depth 2)
    command line: "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\5ad7755aa97aebc6b988bc654e2063a83c7aacea6eb9f0fa33e04065e7081963.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID: 2824
    C:\Users\Admin\AppData\Local\Temp\5ad7755aa97aebc6b988bc654e2063a83c7aacea6eb9f0fa33e04065e7081963.exe  (depth 3)
      command line: "C:\Users\Admin\AppData\Local\Temp\5ad7755aa97aebc6b988bc654e2063a83c7aacea6eb9f0fa33e04065e7081963.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID: 4100
      C:\Users\Admin\AppData\Local\Temp\is-B0GE6.tmp\is-DL9C6.tmp  (depth 4)
        command line: "C:\Users\Admin\AppData\Local\Temp\is-B0GE6.tmp\is-DL9C6.tmp" /SL4 $A0040 "C:\Users\Admin\AppData\Local\Temp\5ad7755aa97aebc6b988bc654e2063a83c7aacea6eb9f0fa33e04065e7081963.exe" 1079415 52224
        - Executes dropped EXE
        PID: 4932

C:\Windows\svchost.exe  (depth 1)
  command line: C:\Windows\svchost.exe
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID: 2308
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Local\Temp\5ad7755aa97aebc6b988bc654e2063a83c7aacea6eb9f0fa33e04065e7081963.exe
  Filesize: 1.3MB
  MD5: c6c10fff80f36ed1121fc79cefc28aa2
  SHA1: 719a95955625a15f7e6712b5830d3c1a64418b26
  SHA256: a8fc345a3c79382edf750ab6ca2321baaf5a8ee6a67d50889b6c5b123ecce65a
  SHA512: e26e2776b75d8f5b5898842d7a312ee82f1fdb5bd610db7a718f2916062660305a5f65cd16b7144d97789cae20939e6d4bec55a6b4ad372008add1a92933e910

Dropped file (path not recorded in the report)
  Filesize: 648KB
  MD5: 0360b1d1195775766b2e78a7b463f658
  SHA1: 8e4b2b1b6d1e4446c979b0cea7db6db7eee21610
  SHA256: bee86b674d51b4e21822e44f9408a69d60e282e39f5897888df334c74d840aa4
  SHA512: 23103b4457952091848f171f5c20351dd55ce1bce209da21c1b6792d6e0b13476a104698c31ad744df2df39408110d73f84b61e627bbb6d1d2a461db4370597d

Dropped file (path not recorded in the report)
  Filesize: 35KB
  MD5: 9e3c13b6556d5636b745d3e466d47467
  SHA1: 2ac1c19e268c49bc508f83fe3d20f495deb3e538
  SHA256: 20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8
  SHA512: 5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b