4d7788b46f4f2764db50676e83d926fd78979a5d6a29a690c943c62b56326318

General

Target

4d7788b46f4f2764db50676e83d926fd78979a5d6a29a690c943c62b56326318.exe
Size

715KB
MD5

4f4b9e4c37c49ad16f3b118b7ff43bdc
SHA1

e0d1b35b3d61fa2835b034dd99446427ad903639
SHA256

4d7788b46f4f2764db50676e83d926fd78979a5d6a29a690c943c62b56326318
SHA512

a1e0f19d791a0e7581ff5475ee9948a08fb0376fc15128179c1563486ae9862965bb18cdacd4224eb86dc80f45f877d3f5ede3696eb95efa2cd6910e7701b947
SSDEEP

12288:vaYxyeLWtSNrPi37NzHDA6Y1gbl5d7Ifoz4mrNNpRpzqwcQOs0F9FPuIT:vaYxyeLWtkrPi37NzHDA6Yg5dsfoTzhE

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2192	svchost.exe
4320	4d7788b46f4f2764db50676e83d926fd78979a5d6a29a690c943c62b56326318.exe
4396	svchost.exe

Drops file in Program Files directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\7z.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_pwa_launcher.exe	svchost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\svchost.exe	4d7788b46f4f2764db50676e83d926fd78979a5d6a29a690c943c62b56326318.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 2192	2176	4d7788b46f4f2764db50676e83d926fd78979a5d6a29a690c943c62b56326318.exe	80
PID 2176 wrote to memory of 2192	2176	4d7788b46f4f2764db50676e83d926fd78979a5d6a29a690c943c62b56326318.exe	80
PID 2176 wrote to memory of 2192	2176	4d7788b46f4f2764db50676e83d926fd78979a5d6a29a690c943c62b56326318.exe	80
PID 2192 wrote to memory of 4320	2192	svchost.exe	81
PID 2192 wrote to memory of 4320	2192	svchost.exe	81
PID 2192 wrote to memory of 4320	2192	svchost.exe	81

C:\Users\Admin\AppData\Local\Temp\4d7788b46f4f2764db50676e83d926fd78979a5d6a29a690c943c62b56326318.exe
"C:\Users\Admin\AppData\Local\Temp\4d7788b46f4f2764db50676e83d926fd78979a5d6a29a690c943c62b56326318.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Windows\svchost.exe
  "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\4d7788b46f4f2764db50676e83d926fd78979a5d6a29a690c943c62b56326318.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Users\Admin\AppData\Local\Temp\4d7788b46f4f2764db50676e83d926fd78979a5d6a29a690c943c62b56326318.exe
    "C:\Users\Admin\AppData\Local\Temp\4d7788b46f4f2764db50676e83d926fd78979a5d6a29a690c943c62b56326318.exe"
    3⤵
    - Executes dropped EXE
    PID:4320

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4396

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4d7788b46f4f2764db50676e83d926fd78979a5d6a29a690c943c62b56326318.exe

Filesize
679KB

MD5
3910459f67f17a2e1a420895a0d0532a

SHA1
241480738e5477cca49f21a3e1e72fced5b68a18

SHA256
2bc5673cf8e8939015a7a964b96ffd780cba6cdd0b81795e18678921456fc0d5

SHA512
ac67a682873431a6a0d53c54941ddbfe44e223615a868ba211d5e95940b3a6eea83b0e5ea46dcf8f80bb1060a3d5e4cad15b0c1ce3c9551c28fd1dcfda523c82

Download Submit
C:\Users\Admin\AppData\Local\Temp\4d7788b46f4f2764db50676e83d926fd78979a5d6a29a690c943c62b56326318.exe

Filesize
679KB

MD5
3910459f67f17a2e1a420895a0d0532a

SHA1
241480738e5477cca49f21a3e1e72fced5b68a18

SHA256
2bc5673cf8e8939015a7a964b96ffd780cba6cdd0b81795e18678921456fc0d5

SHA512
ac67a682873431a6a0d53c54941ddbfe44e223615a868ba211d5e95940b3a6eea83b0e5ea46dcf8f80bb1060a3d5e4cad15b0c1ce3c9551c28fd1dcfda523c82

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
80d44b4af22b51d176921c8f84eb9081

SHA1
47d74b6306da150a27f548f35d88095722cc55ec

SHA256
463da09a6d70720e3a8bebd00e69aa3148985ff23978adbeb7b3895b166e71ed

SHA512
91d34d471fcdc545c6dbc94a79e99e6f3ac6f8a05c4ddb7b92c652afdc4262a498a2dd93f181ced2f49a1323fb323691db2ce454c191a121445493ee90834084

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
80d44b4af22b51d176921c8f84eb9081

SHA1
47d74b6306da150a27f548f35d88095722cc55ec

SHA256
463da09a6d70720e3a8bebd00e69aa3148985ff23978adbeb7b3895b166e71ed

SHA512
91d34d471fcdc545c6dbc94a79e99e6f3ac6f8a05c4ddb7b92c652afdc4262a498a2dd93f181ced2f49a1323fb323691db2ce454c191a121445493ee90834084

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
80d44b4af22b51d176921c8f84eb9081

SHA1
47d74b6306da150a27f548f35d88095722cc55ec

SHA256
463da09a6d70720e3a8bebd00e69aa3148985ff23978adbeb7b3895b166e71ed

SHA512
91d34d471fcdc545c6dbc94a79e99e6f3ac6f8a05c4ddb7b92c652afdc4262a498a2dd93f181ced2f49a1323fb323691db2ce454c191a121445493ee90834084

Download Submit
memory/2176-132-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2176-135-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2192-133-0x0000000000000000-mapping.dmp

Download
memory/2192-139-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4320-137-0x0000000000000000-mapping.dmp

Download
memory/4396-142-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads