Analysis
- max time kernel: 149s
- max time network: 128s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-03-2023 03:00
Static task: static1
Behavioral task: behavioral1
- Sample: 41c2ef41b8c2289bb3a8af4e257ccbdf24dda88ed5ae3066ec66793244fb92b4.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: 41c2ef41b8c2289bb3a8af4e257ccbdf24dda88ed5ae3066ec66793244fb92b4.exe
- Resource: win10v2004-20230220-en
General
- Target: 41c2ef41b8c2289bb3a8af4e257ccbdf24dda88ed5ae3066ec66793244fb92b4.exe
- Size: 44KB
- MD5: 7136931e5fb1f3b5759a77b32dd522fe
- SHA1: 503cad17e04bbd2833837103aece2ec1a2ee416d
- SHA256: 41c2ef41b8c2289bb3a8af4e257ccbdf24dda88ed5ae3066ec66793244fb92b4
- SHA512: e4ee92d1cdf589685b3f63f0f4086e005eef8e862049a5fe98a2b2a0fb8930c888bcd87ee76c6b7b80a91ab78dc47c451b1e325a15c66a9013309f7443f12e24
- SSDEEP: 768:hfXKTHyY+h6ovFQGPL4vzZq2o9W7GsxBbPr:pX2SCoviGCq2iW7z
Signatures
- Processes (resource, yara_rule):
  - C:\Users\Admin\AppData\Local\Temp\yvEAMj.exe: aspack_v212_v242
  - C:\Users\Admin\AppData\Local\Temp\yvEAMj.exe: aspack_v212_v242
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description, ioc, process):
  - Key value queried: \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation (yvEAMj.exe)
- Executes dropped EXE (1 IoC)
  Processes (pid, process):
  - 2212 yvEAMj.exe
- Drops file in Program Files directory (64 IoCs)
  Process: yvEAMj.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
  - PID 5092 wrote to memory of 2212: 41c2ef41b8c2289bb3a8af4e257ccbdf24dda88ed5ae3066ec66793244fb92b4.exe -> yvEAMj.exe
  - PID 5092 wrote to memory of 2212: 41c2ef41b8c2289bb3a8af4e257ccbdf24dda88ed5ae3066ec66793244fb92b4.exe -> yvEAMj.exe
  - PID 5092 wrote to memory of 2212: 41c2ef41b8c2289bb3a8af4e257ccbdf24dda88ed5ae3066ec66793244fb92b4.exe -> yvEAMj.exe
  - PID 2212 wrote to memory of 4460: yvEAMj.exe -> cmd.exe
  - PID 2212 wrote to memory of 4460: yvEAMj.exe -> cmd.exe
  - PID 2212 wrote to memory of 4460: yvEAMj.exe -> cmd.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\41c2ef41b8c2289bb3a8af4e257ccbdf24dda88ed5ae3066ec66793244fb92b4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\41c2ef41b8c2289bb3a8af4e257ccbdf24dda88ed5ae3066ec66793244fb92b4.exe"
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\yvEAMj.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\yvEAMj.exe
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\380328b0.bat" "
Downloads
- C:\Users\Admin\AppData\Local\Temp\380328b0.bat
  Filesize: 187B
  MD5: 2441ef95688be0e62e7cab75be6c7b43
  SHA1: 50b60791c9db2bb06378dc97f17c156e06fb3124
  SHA256: d01b8a20f615d1068434f6f58aa385c0d2e2cff4426ab3d9b58c1e7218e2af2b
  SHA512: 102c063faf5ce0277372b3edcb80453e4f4c1a9dc08bbe940b965a05940374847757e699b6b9be83b7d50a423854ac1d695cde4de7355276674ed0e08daf0c6f
- C:\Users\Admin\AppData\Local\Temp\674D6926.exe
  Filesize: 4B
  MD5: 20879c987e2f9a916e578386d499f629
  SHA1: c7b33ddcc42361fdb847036fc07e880b81935d5d
  SHA256: 9f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31
  SHA512: bcdde1625364dd6dd143b45bdcec8d59cf8982aff33790d390b839f3869e0e815684568b14b555a596d616252aeeaa98dac2e6e551c9095ea11a575ff25ff84f
- C:\Users\Admin\AppData\Local\Temp\yvEAMj.exe
  Filesize: 15KB
  MD5: 56b2c3810dba2e939a8bb9fa36d3cf96
  SHA1: 99ee31cd4b0d6a4b62779da36e0eeecdd80589fc
  SHA256: 4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07
  SHA512: 27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e
- memory/2212-139-0x0000000000270000-0x0000000000279000-memory.dmp
  Filesize: 36KB
- memory/2212-180-0x0000000000270000-0x0000000000279000-memory.dmp
  Filesize: 36KB
- memory/5092-137-0x0000000000400000-0x000000000040B000-memory.dmp
  Filesize: 44KB