2492a9ebfffa8af64ddd9325663c9b59acf4205c9fe033e2ef3452a620c2dba8

General

Target

2492a9ebfffa8af64ddd9325663c9b59acf4205c9fe033e2ef3452a620c2dba8.exe
Size

267KB
MD5

5d94d1e1f7281dd6f2c25154bd98b6ac
SHA1

9b993083b0a3ae362524276bb7a9f1ee0be2e226
SHA256

2492a9ebfffa8af64ddd9325663c9b59acf4205c9fe033e2ef3452a620c2dba8
SHA512

0f780da9aa775e38a74dc442fd912c3a720e74e986aa4edc78d37f98e29e27b88ab19d676e7feb733d1328d0e517acd1aa7b111085f3faa5e1d13dcfe5d78f1a
SSDEEP

6144:AyH7xOc6H5c6HcT66vlm6IKwiITppdnmKvFRukOAU4OuAhYU8QHp+o/a:Aa08yED8QHp+v

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4672	svchost.exe
4572	2492a9ebfffa8af64ddd9325663c9b59acf4205c9fe033e2ef3452a620c2dba8.exe
4836	svchost.exe

Drops file in Program Files directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_pwa_launcher.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe	svchost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\svchost.exe	2492a9ebfffa8af64ddd9325663c9b59acf4205c9fe033e2ef3452a620c2dba8.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2636 wrote to memory of 4672	2636	2492a9ebfffa8af64ddd9325663c9b59acf4205c9fe033e2ef3452a620c2dba8.exe	83
PID 2636 wrote to memory of 4672	2636	2492a9ebfffa8af64ddd9325663c9b59acf4205c9fe033e2ef3452a620c2dba8.exe	83
PID 2636 wrote to memory of 4672	2636	2492a9ebfffa8af64ddd9325663c9b59acf4205c9fe033e2ef3452a620c2dba8.exe	83
PID 4672 wrote to memory of 4572	4672	svchost.exe	84
PID 4672 wrote to memory of 4572	4672	svchost.exe	84
PID 4672 wrote to memory of 4572	4672	svchost.exe	84

C:\Users\Admin\AppData\Local\Temp\2492a9ebfffa8af64ddd9325663c9b59acf4205c9fe033e2ef3452a620c2dba8.exe
"C:\Users\Admin\AppData\Local\Temp\2492a9ebfffa8af64ddd9325663c9b59acf4205c9fe033e2ef3452a620c2dba8.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2636
- C:\Windows\svchost.exe
  "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\2492a9ebfffa8af64ddd9325663c9b59acf4205c9fe033e2ef3452a620c2dba8.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4672
- - C:\Users\Admin\AppData\Local\Temp\2492a9ebfffa8af64ddd9325663c9b59acf4205c9fe033e2ef3452a620c2dba8.exe
    "C:\Users\Admin\AppData\Local\Temp\2492a9ebfffa8af64ddd9325663c9b59acf4205c9fe033e2ef3452a620c2dba8.exe"
    3⤵
    - Executes dropped EXE
    PID:4572

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:4836

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2492a9ebfffa8af64ddd9325663c9b59acf4205c9fe033e2ef3452a620c2dba8.exe

Filesize
232KB

MD5
ae21dcfd01432deed25f01687cde5c2d

SHA1
cdb36227dc4c902ca4f56818a2e3b05c0d2583db

SHA256
d117a641a4cd0943a379ee4fdb8c82f2cab9dec8985876745fe2b3d43710e9f8

SHA512
89dd95dbc42661e6c9513c7fac22322b37942c4a90aa7d69d04618260bb235ab92a0632a5321ba2fac540c7876385ae36a6cdd61e6d2e980a9b9e4a1882e3ee8

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
memory/4572-135-0x0000000000000000-mapping.dmp

Download
memory/4672-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads