Analysis
max time kernel: 146s
max time network: 162s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
submitted: 05/12/2022, 14:04

Static task
static1

Behavioral task
behavioral1
Sample: 86b7e12b641d6acb59f6b387cfedbfb9f672e8a156fb989f894c4091a875c1ed.exe
Resource: win7-20220812-en

Behavioral task
behavioral2
Sample: 86b7e12b641d6acb59f6b387cfedbfb9f672e8a156fb989f894c4091a875c1ed.exe
Resource: win10v2004-20220812-en
General
Target: 86b7e12b641d6acb59f6b387cfedbfb9f672e8a156fb989f894c4091a875c1ed.exe
Size: 147KB
MD5: cadf029e3896480f047ba30f99e0954b
SHA1: 149e5a3819cff56eeb0f80811ca4937af3479bba
SHA256: 86b7e12b641d6acb59f6b387cfedbfb9f672e8a156fb989f894c4091a875c1ed
SHA512: c0fa32169bc307315c42dd0778c18ee42b45ca86db5eeb27f6b6da45385da595d7015b6e4e11a9a567174dc330b8503ecef381d57dd518a2ee0cb34f4de8d7c8
SSDEEP: 3072:vyH99g4byc6H5c6HcT66vlmm+O2bb4ndujZGkfYvypE4oIdhsC6ipKE8Ba:vyH7xOc6H5c6HcT66vlma+jnsniv8Ba
Malware Config
Signatures
Executes dropped EXE (3 IoCs)
pid   Process
4304  svchost.exe
5028  86b7e12b641d6acb59f6b387cfedbfb9f672e8a156fb989f894c4091a875c1ed.exe
856   svchost.exe

Drops file in Program Files directory (53 IoCs)
description                   ioc                                                                                   Process
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe                                svchost.exe
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe                                   svchost.exe
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe                                         svchost.exe
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe                                       svchost.exe
File opened for modification  C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe          svchost.exe
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe                                         svchost.exe
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\jmap.exe                                        svchost.exe
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\jrunscript.exe                                  svchost.exe
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\jstat.exe                                       svchost.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE                  svchost.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe         svchost.exe
File opened for modification  C:\Program Files\Google\Chrome\Application\chrome.exe                                 svchost.exe
File opened for modification  C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe        svchost.exe
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe                              svchost.exe
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe                                        svchost.exe
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe                                       svchost.exe
File opened for modification  C:\Program Files\7-Zip\7zG.exe                                                        svchost.exe
File opened for modification  C:\Program Files\Google\Chrome\Application\chrome_proxy.exe                           svchost.exe
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe                                    svchost.exe
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe                                       svchost.exe
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe                                       svchost.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe             svchost.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE                    svchost.exe
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe                                         svchost.exe
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\jstack.exe                                      svchost.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe            svchost.exe
File opened for modification  C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe      svchost.exe
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe                                   svchost.exe
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe                                svchost.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe        svchost.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe             svchost.exe
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe                                       svchost.exe
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe                                       svchost.exe
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\jvisualvm.exe                                   svchost.exe
File opened for modification  C:\Program Files\7-Zip\7z.exe                                                         svchost.exe
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\java.exe                                        svchost.exe
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe                                     svchost.exe
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe                                      svchost.exe
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe                                    svchost.exe
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe                                         svchost.exe
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe                                        svchost.exe
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe                                         svchost.exe
File opened for modification  C:\Program Files\7-Zip\7zFM.exe                                                       svchost.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe        svchost.exe
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe                                    svchost.exe
File opened for modification  C:\Program Files\7-Zip\Uninstall.exe                                                  svchost.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe            svchost.exe
File opened for modification  C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_pwa_launcher.exe      svchost.exe
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\jstatd.exe                                      svchost.exe
File opened for modification  C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe   svchost.exe
File opened for modification  C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe        svchost.exe
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe                                        svchost.exe
File opened for modification  C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe                                   svchost.exe

Drops file in Windows directory (1 IoC)
description   ioc                     Process
File created  C:\Windows\svchost.exe  86b7e12b641d6acb59f6b387cfedbfb9f672e8a156fb989f894c4091a875c1ed.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
pid   Process
5028  86b7e12b641d6acb59f6b387cfedbfb9f672e8a156fb989f894c4091a875c1ed.exe
5028  86b7e12b641d6acb59f6b387cfedbfb9f672e8a156fb989f894c4091a875c1ed.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description                      pid   Process                                                                 procid_target
PID 3248 wrote to memory of 4304  3248  86b7e12b641d6acb59f6b387cfedbfb9f672e8a156fb989f894c4091a875c1ed.exe  82
PID 3248 wrote to memory of 4304  3248  86b7e12b641d6acb59f6b387cfedbfb9f672e8a156fb989f894c4091a875c1ed.exe  82
PID 3248 wrote to memory of 4304  3248  86b7e12b641d6acb59f6b387cfedbfb9f672e8a156fb989f894c4091a875c1ed.exe  82
PID 4304 wrote to memory of 5028  4304  svchost.exe                                                             83
PID 4304 wrote to memory of 5028  4304  svchost.exe                                                             83
PID 4304 wrote to memory of 5028  4304  svchost.exe                                                             83
PID 5028 wrote to memory of 4624  5028  86b7e12b641d6acb59f6b387cfedbfb9f672e8a156fb989f894c4091a875c1ed.exe  86
PID 5028 wrote to memory of 4624  5028  86b7e12b641d6acb59f6b387cfedbfb9f672e8a156fb989f894c4091a875c1ed.exe  86
PID 5028 wrote to memory of 4624  5028  86b7e12b641d6acb59f6b387cfedbfb9f672e8a156fb989f894c4091a875c1ed.exe  86
Processes
C:\Users\Admin\AppData\Local\Temp\86b7e12b641d6acb59f6b387cfedbfb9f672e8a156fb989f894c4091a875c1ed.exe (PID 3248)
  Command line: "C:\Users\Admin\AppData\Local\Temp\86b7e12b641d6acb59f6b387cfedbfb9f672e8a156fb989f894c4091a875c1ed.exe"
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  C:\Windows\svchost.exe (PID 4304)
    Command line: "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\86b7e12b641d6acb59f6b387cfedbfb9f672e8a156fb989f894c4091a875c1ed.exe"
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\86b7e12b641d6acb59f6b387cfedbfb9f672e8a156fb989f894c4091a875c1ed.exe (PID 5028)
      Command line: "C:\Users\Admin\AppData\Local\Temp\86b7e12b641d6acb59f6b387cfedbfb9f672e8a156fb989f894c4091a875c1ed.exe"
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\rundll32.exe (PID 4624)
        Command line: rundll32.exe setupapi,InstallHinfSection DefaultUninstall 128 sisdiff.INF

C:\Windows\svchost.exe (PID 856)
  Command line: C:\Windows\svchost.exe
  - Executes dropped EXE
  - Drops file in Program Files directory
Network
MITRE ATT&CK Matrix
Downloads
C:\Users\Admin\AppData\Local\Temp\86b7e12b641d6acb59f6b387cfedbfb9f672e8a156fb989f894c4091a875c1ed.exe
Filesize: 112KB
MD5: a67bd20936b060c29f9ae550c1a5011c
SHA1: 15eed35ed01ecd1f12407c18442c8d5af29d4cee
SHA256: 6f323b04cade4661c5a60e6183b97ae52c074589af4de781435815fb30985fb8
SHA512: 19a3677c66db93be878a66f14761dd778e46589ed350cac602badffed6ad34ca2e5b3a0ab00f787a5e5548e57e8f689e39b8e327b54640e11f7f214c063d2199

Filesize: 35KB
MD5: 9e3c13b6556d5636b745d3e466d47467
SHA1: 2ac1c19e268c49bc508f83fe3d20f495deb3e538
SHA256: 20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8
SHA512: 5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b