f64a2924fa0f6690dae0982fe69c327d5063c77a5b4bcd3a4fc58ffb1a2fe72e

General

Target

f64a2924fa0f6690dae0982fe69c327d5063c77a5b4bcd3a4fc58ffb1a2fe72e.exe
Size

3.9MB
MD5

20eee122c6a5cf8537f5488d8bb3b37e
SHA1

0e0bf8188e7e143a15fcf95771b98502804198cb
SHA256

f64a2924fa0f6690dae0982fe69c327d5063c77a5b4bcd3a4fc58ffb1a2fe72e
SHA512

5ac78f1460f171eaf445261cc48b8f60546b90f7e69d3c4b4606013e57168124944ce74c3e866d1a98550063f5e6ddf1e2a7de130e5f62ab4d44b71ae05e816d
SSDEEP

49152:hnY727fnDFEnDjY/4hONVn0yrTja9UC6qOLu0D+02UlcCxB6q93Fy01Lb4aKrSPb:5Y76D4YjprGmu0DcCLnpw2

Score

4^/10

Malware Config

Signatures

Drops file in Program Files directory 64 IoCs

Processes:

f64a2924fa0f6690dae0982fe69c327d5063c77a5b4bcd3a4fc58ffb1a2fe72e.exe

description	ioc	process
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\vi.pak.gqlmcwnhh	f64a2924fa0f6690dae0982fe69c327d5063c77a5b4bcd3a4fc58ffb1a2fe72e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\rsod\excelmui.msi.16.en-us.tree.dat	f64a2924fa0f6690dae0982fe69c327d5063c77a5b4bcd3a4fc58ffb1a2fe72e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECLIPSE\ECLIPSE.ELM	f64a2924fa0f6690dae0982fe69c327d5063c77a5b4bcd3a4fc58ffb1a2fe72e.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\vlc.mo	f64a2924fa0f6690dae0982fe69c327d5063c77a5b4bcd3a4fc58ffb1a2fe72e.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\ext\locale\HOW TO RESTORE YOUR FILES.TXT	f64a2924fa0f6690dae0982fe69c327d5063c77a5b4bcd3a4fc58ffb1a2fe72e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_Trial-ppd.xrm-ms.gqlmcwnhh	f64a2924fa0f6690dae0982fe69c327d5063c77a5b4bcd3a4fc58ffb1a2fe72e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\EduWorks Data Streamer Add-In\MicrosoftDataStreamerforExcel.vsto	f64a2924fa0f6690dae0982fe69c327d5063c77a5b4bcd3a4fc58ffb1a2fe72e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription5-ul-oob.xrm-ms	f64a2924fa0f6690dae0982fe69c327d5063c77a5b4bcd3a4fc58ffb1a2fe72e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\de\HOW TO RESTORE YOUR FILES.TXT	f64a2924fa0f6690dae0982fe69c327d5063c77a5b4bcd3a4fc58ffb1a2fe72e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_profile.png	f64a2924fa0f6690dae0982fe69c327d5063c77a5b4bcd3a4fc58ffb1a2fe72e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-selector-ui.xml.gqlmcwnhh	f64a2924fa0f6690dae0982fe69c327d5063c77a5b4bcd3a4fc58ffb1a2fe72e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN108.XML	f64a2924fa0f6690dae0982fe69c327d5063c77a5b4bcd3a4fc58ffb1a2fe72e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-80.png	f64a2924fa0f6690dae0982fe69c327d5063c77a5b4bcd3a4fc58ffb1a2fe72e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\triggerEvaluators.exsd	f64a2924fa0f6690dae0982fe69c327d5063c77a5b4bcd3a4fc58ffb1a2fe72e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\update_tracking\org-netbeans-core-execution.xml	f64a2924fa0f6690dae0982fe69c327d5063c77a5b4bcd3a4fc58ffb1a2fe72e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_Subscription1-ul-oob.xrm-ms.gqlmcwnhh	f64a2924fa0f6690dae0982fe69c327d5063c77a5b4bcd3a4fc58ffb1a2fe72e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp5-ul-oob.xrm-ms.gqlmcwnhh	f64a2924fa0f6690dae0982fe69c327d5063c77a5b4bcd3a4fc58ffb1a2fe72e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSIPC\sk\msipc.dll.mui.gqlmcwnhh	f64a2924fa0f6690dae0982fe69c327d5063c77a5b4bcd3a4fc58ffb1a2fe72e.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\vlc.mo.gqlmcwnhh	f64a2924fa0f6690dae0982fe69c327d5063c77a5b4bcd3a4fc58ffb1a2fe72e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\MANIFEST.MF.gqlmcwnhh	f64a2924fa0f6690dae0982fe69c327d5063c77a5b4bcd3a4fc58ffb1a2fe72e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Violet II.xml.gqlmcwnhh	f64a2924fa0f6690dae0982fe69c327d5063c77a5b4bcd3a4fc58ffb1a2fe72e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_Retail-pl.xrm-ms.gqlmcwnhh	f64a2924fa0f6690dae0982fe69c327d5063c77a5b4bcd3a4fc58ffb1a2fe72e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_Retail-ul-phn.xrm-ms.gqlmcwnhh	f64a2924fa0f6690dae0982fe69c327d5063c77a5b4bcd3a4fc58ffb1a2fe72e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\MSOUC_F_COL.HXK.gqlmcwnhh	f64a2924fa0f6690dae0982fe69c327d5063c77a5b4bcd3a4fc58ffb1a2fe72e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\StoreLogo.png.gqlmcwnhh	f64a2924fa0f6690dae0982fe69c327d5063c77a5b4bcd3a4fc58ffb1a2fe72e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL089.XML	f64a2924fa0f6690dae0982fe69c327d5063c77a5b4bcd3a4fc58ffb1a2fe72e.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\HOW TO RESTORE YOUR FILES.TXT	f64a2924fa0f6690dae0982fe69c327d5063c77a5b4bcd3a4fc58ffb1a2fe72e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding.observable_1.4.1.v20140210-1835.jar	f64a2924fa0f6690dae0982fe69c327d5063c77a5b4bcd3a4fc58ffb1a2fe72e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Standard2019R_Grace-ppd.xrm-ms	f64a2924fa0f6690dae0982fe69c327d5063c77a5b4bcd3a4fc58ffb1a2fe72e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\VisioStdCO365R_SubTest-ul-oob.xrm-ms	f64a2924fa0f6690dae0982fe69c327d5063c77a5b4bcd3a4fc58ffb1a2fe72e.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\OpenSSL64.DllA\HOW TO RESTORE YOUR FILES.TXT	f64a2924fa0f6690dae0982fe69c327d5063c77a5b4bcd3a4fc58ffb1a2fe72e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.fr-fr.xml	f64a2924fa0f6690dae0982fe69c327d5063c77a5b4bcd3a4fc58ffb1a2fe72e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusMSDNR_Retail-ppd.xrm-ms.gqlmcwnhh	f64a2924fa0f6690dae0982fe69c327d5063c77a5b4bcd3a4fc58ffb1a2fe72e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-140.png	f64a2924fa0f6690dae0982fe69c327d5063c77a5b4bcd3a4fc58ffb1a2fe72e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Send2.16.White.png	f64a2924fa0f6690dae0982fe69c327d5063c77a5b4bcd3a4fc58ffb1a2fe72e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif.gqlmcwnhh	f64a2924fa0f6690dae0982fe69c327d5063c77a5b4bcd3a4fc58ffb1a2fe72e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423496926556.profile.gz.gqlmcwnhh	f64a2924fa0f6690dae0982fe69c327d5063c77a5b4bcd3a4fc58ffb1a2fe72e.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\HOW TO RESTORE YOUR FILES.TXT	f64a2924fa0f6690dae0982fe69c327d5063c77a5b4bcd3a4fc58ffb1a2fe72e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\org-openide-loaders.xml.gqlmcwnhh	f64a2924fa0f6690dae0982fe69c327d5063c77a5b4bcd3a4fc58ffb1a2fe72e.exe
File created	C:\Program Files\VideoLAN\VLC\locale\el\HOW TO RESTORE YOUR FILES.TXT	f64a2924fa0f6690dae0982fe69c327d5063c77a5b4bcd3a4fc58ffb1a2fe72e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_SubTest2-ppd.xrm-ms.gqlmcwnhh	f64a2924fa0f6690dae0982fe69c327d5063c77a5b4bcd3a4fc58ffb1a2fe72e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\FA000000006	f64a2924fa0f6690dae0982fe69c327d5063c77a5b4bcd3a4fc58ffb1a2fe72e.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\HOW TO RESTORE YOUR FILES.TXT	f64a2924fa0f6690dae0982fe69c327d5063c77a5b4bcd3a4fc58ffb1a2fe72e.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUEPRNT\HOW TO RESTORE YOUR FILES.TXT	f64a2924fa0f6690dae0982fe69c327d5063c77a5b4bcd3a4fc58ffb1a2fe72e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\new-trigger-wiz.gif.gqlmcwnhh	f64a2924fa0f6690dae0982fe69c327d5063c77a5b4bcd3a4fc58ffb1a2fe72e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp2-ppd.xrm-ms.gqlmcwnhh	f64a2924fa0f6690dae0982fe69c327d5063c77a5b4bcd3a4fc58ffb1a2fe72e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSZIP.DIC	f64a2924fa0f6690dae0982fe69c327d5063c77a5b4bcd3a4fc58ffb1a2fe72e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProfessionalPipcR_OEM_Perp-pl.xrm-ms	f64a2924fa0f6690dae0982fe69c327d5063c77a5b4bcd3a4fc58ffb1a2fe72e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\PROCDB.XLAM.gqlmcwnhh	f64a2924fa0f6690dae0982fe69c327d5063c77a5b4bcd3a4fc58ffb1a2fe72e.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	f64a2924fa0f6690dae0982fe69c327d5063c77a5b4bcd3a4fc58ffb1a2fe72e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.bindings.nl_zh_4.4.0.v20140623020002.jar.gqlmcwnhh	f64a2924fa0f6690dae0982fe69c327d5063c77a5b4bcd3a4fc58ffb1a2fe72e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-execution_ja.jar	f64a2924fa0f6690dae0982fe69c327d5063c77a5b4bcd3a4fc58ffb1a2fe72e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\AccessR_OEM_Perp-ppd.xrm-ms	f64a2924fa0f6690dae0982fe69c327d5063c77a5b4bcd3a4fc58ffb1a2fe72e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessR_SubTrial-ul-oob.xrm-ms.gqlmcwnhh	f64a2924fa0f6690dae0982fe69c327d5063c77a5b4bcd3a4fc58ffb1a2fe72e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProPlusR_OEM_Perp3-ul-oob.xrm-ms.gqlmcwnhh	f64a2924fa0f6690dae0982fe69c327d5063c77a5b4bcd3a4fc58ffb1a2fe72e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\Word2019R_Trial-ul-oob.xrm-ms	f64a2924fa0f6690dae0982fe69c327d5063c77a5b4bcd3a4fc58ffb1a2fe72e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\BI-Report.png.gqlmcwnhh	f64a2924fa0f6690dae0982fe69c327d5063c77a5b4bcd3a4fc58ffb1a2fe72e.exe
File opened for modification	C:\Program Files\BlockUse.xps.gqlmcwnhh	f64a2924fa0f6690dae0982fe69c327d5063c77a5b4bcd3a4fc58ffb1a2fe72e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-ui_zh_CN.jar	f64a2924fa0f6690dae0982fe69c327d5063c77a5b4bcd3a4fc58ffb1a2fe72e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_OEM_Perp2-ul-phn.xrm-ms.gqlmcwnhh	f64a2924fa0f6690dae0982fe69c327d5063c77a5b4bcd3a4fc58ffb1a2fe72e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\MondoR_OEM_Perp-ul-phn.xrm-ms.gqlmcwnhh	f64a2924fa0f6690dae0982fe69c327d5063c77a5b4bcd3a4fc58ffb1a2fe72e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Bibliography\Author2XML.XSL	f64a2924fa0f6690dae0982fe69c327d5063c77a5b4bcd3a4fc58ffb1a2fe72e.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RICEPAPR\THMBNAIL.PNG	f64a2924fa0f6690dae0982fe69c327d5063c77a5b4bcd3a4fc58ffb1a2fe72e.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\youtube.luac.gqlmcwnhh	f64a2924fa0f6690dae0982fe69c327d5063c77a5b4bcd3a4fc58ffb1a2fe72e.exe

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

3060 sc.exe

pid	process
3060	sc.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

f64a2924fa0f6690dae0982fe69c327d5063c77a5b4bcd3a4fc58ffb1a2fe72e.execmd.exe

description	pid	process	target process
PID 2084 wrote to memory of 4628	2084	f64a2924fa0f6690dae0982fe69c327d5063c77a5b4bcd3a4fc58ffb1a2fe72e.exe	cmd.exe
PID 2084 wrote to memory of 4628	2084	f64a2924fa0f6690dae0982fe69c327d5063c77a5b4bcd3a4fc58ffb1a2fe72e.exe	cmd.exe
PID 2084 wrote to memory of 4628	2084	f64a2924fa0f6690dae0982fe69c327d5063c77a5b4bcd3a4fc58ffb1a2fe72e.exe	cmd.exe
PID 4628 wrote to memory of 3060	4628	cmd.exe	sc.exe
PID 4628 wrote to memory of 3060	4628	cmd.exe	sc.exe
PID 4628 wrote to memory of 3060	4628	cmd.exe	sc.exe
PID 4628 wrote to memory of 444	4628	cmd.exe	findstr.exe
PID 4628 wrote to memory of 444	4628	cmd.exe	findstr.exe
PID 4628 wrote to memory of 444	4628	cmd.exe	findstr.exe
PID 2084 wrote to memory of 2432	2084	f64a2924fa0f6690dae0982fe69c327d5063c77a5b4bcd3a4fc58ffb1a2fe72e.exe	cmd.exe
PID 2084 wrote to memory of 2432	2084	f64a2924fa0f6690dae0982fe69c327d5063c77a5b4bcd3a4fc58ffb1a2fe72e.exe	cmd.exe
PID 2084 wrote to memory of 2432	2084	f64a2924fa0f6690dae0982fe69c327d5063c77a5b4bcd3a4fc58ffb1a2fe72e.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\f64a2924fa0f6690dae0982fe69c327d5063c77a5b4bcd3a4fc58ffb1a2fe72e.exe
"C:\Users\Admin\AppData\Local\Temp\f64a2924fa0f6690dae0982fe69c327d5063c77a5b4bcd3a4fc58ffb1a2fe72e.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oleykotbfiwyrftd.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4628
- - C:\Windows\SysWOW64\sc.exe
    SC QUERY
    3⤵
    - Launches sc.exe
    PID:3060
- - C:\Windows\SysWOW64\findstr.exe
    FINDSTR SERVICE_NAME
    3⤵
    PID:444
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xwscjiunifiateon.bat
  2⤵
  PID:2432

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\oleykotbfiwyrftd.bat

Filesize
43B

MD5
55310bb774fff38cca265dbc70ad6705

SHA1
cb8d76e9fd38a0b253056e5f204dab5441fe932b

SHA256
1fbdb97893d09d59575c3ef95df3c929fe6b6ddf1b273283e4efadf94cdc802d

SHA512
40e5a5e8454ca3eaac36d732550e2c5d869a235e3bbc4d31c4afa038fe4e06f782fa0885e876ad8119be766477fdcc12c1d5d04d53cf6b324e366b5351fc7cd4

Download Submit
memory/444-135-0x0000000000000000-mapping.dmp

Download
memory/2432-136-0x0000000000000000-mapping.dmp

Download
memory/3060-134-0x0000000000000000-mapping.dmp

Download
memory/4628-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing