26d575a4e5dfde186ac0fbf344c6e22dbd96ba2e9660ac6bf3db2dae082ed11f

General

Target

8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
Size

264KB
MD5

8e0b0d1fd892ea1bab2858bca49acbae
SHA1

072afa49a33c82af06973db1948757e59a7ce5aa
SHA256

26d575a4e5dfde186ac0fbf344c6e22dbd96ba2e9660ac6bf3db2dae082ed11f
SHA512

193f627922c9c1621212269edd4f4d971bd088848399f17f883dcd3da92143629387aa37fcaaad9b1ecdfc43cde093667e0184aeb2c61e9190c26fccd21bc308

Score

7^/10

persistence

Malware Config

Signatures

Adds Run entry to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1848298919-2336104428-4012071465-1000\Software\Microsoft\Windows\CurrentVersion\Run\1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe\""	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe

Drops desktop.ini file(s) 77 IoCs

Processes:

8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Program Files\desktop.ini	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\desktop.ini	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WQZJKO4S\desktop.ini	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\MV0POAJ0\desktop.ini	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Users\Public\desktop.ini	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DZTNHC1N\desktop.ini	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\149Z7I96\desktop.ini	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-1848298919-2336104428-4012071465-1000\desktop.ini	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CH201OQ7\desktop.ini	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\4BOE1AJG\desktop.ini	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe

Drops file in Program Files directory 10505 IoCs

Processes:

8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0278702.WMF	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\ONENOTE_COL.HXT	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\GKExcel.dll	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\COPYING.txt	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\ado\adojavas.inc	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Office Setup Controller\Proofing.en-us\Proofing.XML	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\SpecialOccasion\scenesscroll.png	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0145373.JPG	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\init.js	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-sendopts_zh_CN.jar	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-heapwalker.xml	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\PUBWIZ\STORYBB.DPV	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\add_up.png	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Psychedelic.jpg	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\PH01046J.JPG	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\PUBBA\MSPUB3A.BDR	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\MSTORE_K_COL.HXK	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\InactiveTabImage.jpg	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\blank.png	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\Contracts\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.dll	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\MET	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-autoupdate-cli.jar	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0296277.WMF	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SO00166_.WMF	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SO00191_.WMF	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\WB01744_.GIF	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\CGMIMP32.HLP	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\16_9-frame-image-inset.png	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\MANIFEST.MF	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0107042.WMF	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\BORDERS\MSART10.BDR	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\misc\libgnutls_plugin.dll	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\RTC.der	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSPTLS.DLL	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\prism-d3d.dll	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.services.nl_ja_4.4.0.v20140623020002.jar	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\SO02048_.WMF	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\TN01164_.WMF	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\button_right.gif	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\icon.png	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\can.hyp	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\UCT	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0107188.WMF	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0384862.JPG	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler.xml	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Nipigon	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0099145.JPG	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\1033\MOR6INT.REST.IDX_DLL	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolBMPs\TaskbarIconImages256Colors.bmp	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\passport_mask_right.png	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Tbilisi	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\rjmx.jar	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\ZoneInfoMappings	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0304875.WMF	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\msjet.xsl	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\System.ComponentModel.DataAnnotations.dll	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\zipfs.jar	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.attributeTransformation.exsd	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Tirane	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\networkinspection.dll.mui	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Colombo	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Program Files\Java\jre7\bin\w2k_lsa_auth.dll	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\CLIPART\PUB60COR\J0099193.GIF	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
File opened for modification	C:\Program Files\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\validation.js	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe

Drops startup file 1 IoCs

Processes:

8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe

description	pid	process	target process
PID 1864 wrote to memory of 1896	1864	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe	cmd.exe
PID 1864 wrote to memory of 1896	1864	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe	cmd.exe
PID 1864 wrote to memory of 1896	1864	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe	cmd.exe
PID 1864 wrote to memory of 1896	1864	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe	cmd.exe
PID 1864 wrote to memory of 1116	1864	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe	NOTEPAD.EXE
PID 1864 wrote to memory of 1116	1864	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe	NOTEPAD.EXE
PID 1864 wrote to memory of 1116	1864	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe	NOTEPAD.EXE
PID 1864 wrote to memory of 1116	1864	8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe	NOTEPAD.EXE

C:\Users\Admin\AppData\Local\Temp\8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
"C:\Users\Admin\AppData\Local\Temp\8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe"
1⤵
- Adds Run entry to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:1864

C:\Users\Admin\AppData\Local\Temp\8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
"C:\Users\Admin\AppData\Local\Temp\8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe" n1864
2⤵
PID:1888

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
PID:1896

C:\Windows\SysWOW64\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme-warning.txt
2⤵
PID:1116

C:\Users\Admin\AppData\Local\Temp\8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
"C:\Users\Admin\AppData\Local\Temp\8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe" n1864
2⤵
PID:108

C:\Users\Admin\AppData\Local\Temp\8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe
"C:\Users\Admin\AppData\Local\Temp\8E0B0D1FD892EA1BAB2858BCA49ACBAE.bin.exe" n1864
2⤵
PID:1084

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\Desktop\readme-warning.txt

Download Submit
\??\PIPE\wkssvc

Download Submit
memory/108-6-0x0000000005F20000-0x0000000005F31000-memory.dmp

Filesize
68KB

Download
memory/1084-7-0x000000000026B000-0x000000000026C000-memory.dmp

Filesize
4KB

Download
memory/1084-8-0x0000000005FF0000-0x0000000006001000-memory.dmp

Filesize
68KB

Download
memory/1864-0-0x000000000026B000-0x000000000026C000-memory.dmp

Filesize
4KB

Download
memory/1864-1-0x0000000006140000-0x0000000006151000-memory.dmp

Filesize
68KB

Download
memory/1888-2-0x00000000047EB000-0x00000000047EC000-memory.dmp

Filesize
4KB

Download
memory/1888-3-0x00000000061C0000-0x00000000061D1000-memory.dmp

Filesize
68KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads