28746a13fb1554be4343381135a72e8fcc8d978bdbb3d7c4b434f68ce20a418c

Resubmissions

15-12-2021 16:03

211215-thfltaaaa4 7

24-11-2020 02:27

201124-axvpvjcp7e 8

Analysis

max time kernel
148s
max time network
159s
platform
windows7_x64
resource
win7v20201028
submitted
24-11-2020 02:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RubyMine-2020.2.3.exe
Size

307.9MB
MD5

7ddd8ecd1cb209bcc6b599126aad8e37
SHA1

4cf04b6e45d5dafe68aeb90ba34290a6e2ee2504
SHA256

28746a13fb1554be4343381135a72e8fcc8d978bdbb3d7c4b434f68ce20a418c
SHA512

d1356db63a342ffc2bd1ee89070b27870995af67fafa3d828a1d00dbc85ab3f89c268e1920de14f18a3c7516763192926b4abe4ba9599e75ac08ff4f3e1e9eda

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 15 IoCs

Processes:

RubyMine-2020.2.3.exe

pid	process
1956	RubyMine-2020.2.3.exe
1956	RubyMine-2020.2.3.exe
1956	RubyMine-2020.2.3.exe
1956	RubyMine-2020.2.3.exe
1956	RubyMine-2020.2.3.exe
1956	RubyMine-2020.2.3.exe
1956	RubyMine-2020.2.3.exe
1956	RubyMine-2020.2.3.exe
1956	RubyMine-2020.2.3.exe
1956	RubyMine-2020.2.3.exe
1956	RubyMine-2020.2.3.exe
1232
1232
1232
1232

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 2 IoCs

Processes:

RubyMine-2020.2.3.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\nsxB58A.tmp\Desktop.ini	RubyMine-2020.2.3.exe
File created	C:\Users\Admin\AppData\Local\Temp\nsxB58A.tmp\Desktop.ini	RubyMine-2020.2.3.exe

Drops file in Program Files directory 3516 IoCs

Processes:

RubyMine-2020.2.3.exe

description	ioc	process
File created	C:\Program Files\JetBrains\RubyMine 2020.2.3\plugins\ruby\rubystubs\rubystubs19\gc.rb	RubyMine-2020.2.3.exe
File created	C:\Program Files\JetBrains\RubyMine 2020.2.3\jbr\legal\java.desktop\LICENSE	RubyMine-2020.2.3.exe
File created	C:\Program Files\JetBrains\RubyMine 2020.2.3\jbr\legal\java.xml\jcup.md	RubyMine-2020.2.3.exe
File created	C:\Program Files\JetBrains\RubyMine 2020.2.3\plugins\ruby\rubystubs\rubystubs25\win32_ole_variant.rb	RubyMine-2020.2.3.exe
File created	C:\Program Files\JetBrains\RubyMine 2020.2.3\plugins\textmate\lib\bundles\git\syntaxes\diff.tmLanguage.json	RubyMine-2020.2.3.exe
File created	C:\Program Files\JetBrains\RubyMine 2020.2.3\plugins\textmate\lib\bundles\fsharp\cgmanifest.json	RubyMine-2020.2.3.exe
File created	C:\Program Files\JetBrains\RubyMine 2020.2.3\lib\org.eclipse.lsp4j-0.7.1.jar	RubyMine-2020.2.3.exe
File created	C:\Program Files\JetBrains\RubyMine 2020.2.3\plugins\ruby\rubystubs\rubystubs27\date_time.rb	RubyMine-2020.2.3.exe
File created	C:\Program Files\JetBrains\RubyMine 2020.2.3\plugins\textmate\lib\bundles\lua\package.json	RubyMine-2020.2.3.exe
File created	C:\Program Files\JetBrains\RubyMine 2020.2.3\jbr\legal\jdk.internal.vm.compiler\ADDITIONAL_LICENSE_INFO	RubyMine-2020.2.3.exe
File created	C:\Program Files\JetBrains\RubyMine 2020.2.3\jbr\include\classfile_constants.h	RubyMine-2020.2.3.exe
File created	C:\Program Files\JetBrains\RubyMine 2020.2.3\plugins\ruby\rubystubs\rubystubs19\complex.rb	RubyMine-2020.2.3.exe
File created	C:\Program Files\JetBrains\RubyMine 2020.2.3\plugins\textmate\lib\bundles\hlsl\package.json	RubyMine-2020.2.3.exe
File created	C:\Program Files\JetBrains\RubyMine 2020.2.3\jbr\lib\psfontj2d.properties	RubyMine-2020.2.3.exe
File created	C:\Program Files\JetBrains\RubyMine 2020.2.3\jbr\bin\modular-sdk\modules\jcef\org\cef\handler\CefRequestHandler$TerminationStatus.class	RubyMine-2020.2.3.exe
File created	C:\Program Files\JetBrains\RubyMine 2020.2.3\plugins\JavaScriptLanguage\jsLanguageServicesImpl\external\lib.esnext.intl.d.ts	RubyMine-2020.2.3.exe
File created	C:\Program Files\JetBrains\RubyMine 2020.2.3\plugins\JavaScriptLanguage\jsLanguageServicesImpl\flow\streams.js	RubyMine-2020.2.3.exe
File created	C:\Program Files\JetBrains\RubyMine 2020.2.3\jbr\bin\modular-sdk\modules\jcef\org\cef\network\CefPostDataElement.class	RubyMine-2020.2.3.exe
File created	C:\Program Files\JetBrains\RubyMine 2020.2.3\plugins\ruby\rubystubs\rubystubs25\index_error.rb	RubyMine-2020.2.3.exe
File created	C:\Program Files\JetBrains\RubyMine 2020.2.3\plugins\ruby\rubystubs\rubystubs25\float.rb	RubyMine-2020.2.3.exe
File created	C:\Program Files\JetBrains\RubyMine 2020.2.3\plugins\ruby\rubystubs\rubystubs25\eof_error.rb	RubyMine-2020.2.3.exe
File created	C:\Program Files\JetBrains\RubyMine 2020.2.3\plugins\ruby\rubystubs\rubystubs18\standard_error.rb	RubyMine-2020.2.3.exe
File created	C:\Program Files\JetBrains\RubyMine 2020.2.3\plugins\textmate\lib\bundles\objective-c\package.nls.json	RubyMine-2020.2.3.exe
File created	C:\Program Files\JetBrains\RubyMine 2020.2.3\jbr\bin\locales\ja.pak	RubyMine-2020.2.3.exe
File created	C:\Program Files\JetBrains\RubyMine 2020.2.3\jbr\conf\sound.properties	RubyMine-2020.2.3.exe
File created	C:\Program Files\JetBrains\RubyMine 2020.2.3\plugins\ruby\rb\stubsgen\gems\gems\rdoc-6.0.2\RI.rdoc	RubyMine-2020.2.3.exe
File created	C:\Program Files\JetBrains\RubyMine 2020.2.3\plugins\ruby\rubystubs\rubystubs19\psych.rb	RubyMine-2020.2.3.exe
File created	C:\Program Files\JetBrains\RubyMine 2020.2.3\plugins\ruby\rubystubs\rubystubs19\symbol.rb	RubyMine-2020.2.3.exe
File created	C:\Program Files\JetBrains\RubyMine 2020.2.3\plugins\JavaScriptLanguage\index\sdk-stubs.names	RubyMine-2020.2.3.exe
File created	C:\Program Files\JetBrains\RubyMine 2020.2.3\plugins\ruby\rubystubs\rubystubs23\tk_callback_break.rb	RubyMine-2020.2.3.exe
File created	C:\Program Files\JetBrains\RubyMine 2020.2.3\plugins\ruby\rubystubs\rubystubs26\system_exit.rb	RubyMine-2020.2.3.exe
File created	C:\Program Files\JetBrains\RubyMine 2020.2.3\plugins\textmate\lib\bundles\markdown-basics\language-configuration.json	RubyMine-2020.2.3.exe
File created	C:\Program Files\JetBrains\RubyMine 2020.2.3\jbr\bin\modular-sdk\modules\jcef\org\cef\browser\CefBrowserWr$3.class	RubyMine-2020.2.3.exe
File created	C:\Program Files\JetBrains\RubyMine 2020.2.3\plugins\textmate\lib\bundles\vb\syntaxes\asp-vb-net.tmlanguage.json	RubyMine-2020.2.3.exe
File created	C:\Program Files\JetBrains\RubyMine 2020.2.3\jbr\bin\modular-sdk\modules\jcef\org\cef\handler\CefResourceRequestHandlerAdapter.class	RubyMine-2020.2.3.exe
File created	C:\Program Files\JetBrains\RubyMine 2020.2.3\plugins\ruby\rubystubs\rubystubs23\fcntl.rb	RubyMine-2020.2.3.exe
File created	C:\Program Files\JetBrains\RubyMine 2020.2.3\plugins\ruby\rubystubs\rubystubs21\file.rb	RubyMine-2020.2.3.exe
File created	C:\Program Files\JetBrains\RubyMine 2020.2.3\plugins\ruby\rubystubs\rubystubs24\float.rb	RubyMine-2020.2.3.exe
File created	C:\Program Files\JetBrains\RubyMine 2020.2.3\plugins\ruby\rubystubs\rubystubs27\fiber_error.rb	RubyMine-2020.2.3.exe
File created	C:\Program Files\JetBrains\RubyMine 2020.2.3\license\kryo-license.txt	RubyMine-2020.2.3.exe
File created	C:\Program Files\JetBrains\RubyMine 2020.2.3\plugins\ruby\rubystubs\rubystubs24\true_class.rb	RubyMine-2020.2.3.exe
File created	C:\Program Files\JetBrains\RubyMine 2020.2.3\plugins\textmate\lib\bundles\docker\package.json	RubyMine-2020.2.3.exe
File created	C:\Program Files\JetBrains\RubyMine 2020.2.3\lib\batik-parser-1.12.0-8.jar	RubyMine-2020.2.3.exe
File created	C:\Program Files\JetBrains\RubyMine 2020.2.3\plugins\ruby\rubystubs\rubystubs25\complex.rb	RubyMine-2020.2.3.exe
File created	C:\Program Files\JetBrains\RubyMine 2020.2.3\plugins\textmate\lib\bundles\search-result\yarn.lock	RubyMine-2020.2.3.exe
File created	C:\Program Files\JetBrains\RubyMine 2020.2.3\jbr\bin\jrunscript.exe	RubyMine-2020.2.3.exe
File created	C:\Program Files\JetBrains\RubyMine 2020.2.3\plugins\ruby\rubystubs\rubystubs19\struct.rb	RubyMine-2020.2.3.exe
File created	C:\Program Files\JetBrains\RubyMine 2020.2.3\plugins\ruby\rubystubs\rubystubs27\key_error.rb	RubyMine-2020.2.3.exe
File created	C:\Program Files\JetBrains\RubyMine 2020.2.3\plugins\ruby\rubystubs\rubystubs22\psych.rb	RubyMine-2020.2.3.exe
File created	C:\Program Files\JetBrains\RubyMine 2020.2.3\jbr\legal\jdk.httpserver\ADDITIONAL_LICENSE_INFO	RubyMine-2020.2.3.exe
File created	C:\Program Files\JetBrains\RubyMine 2020.2.3\lib\javax.activation-1.2.0.jar	RubyMine-2020.2.3.exe
File created	C:\Program Files\JetBrains\RubyMine 2020.2.3\plugins\ruby\rubystubs\rubystubs19\dbm_error.rb	RubyMine-2020.2.3.exe
File created	C:\Program Files\JetBrains\RubyMine 2020.2.3\plugins\ruby\rubystubs\rubystubs23\time.rb	RubyMine-2020.2.3.exe
File created	C:\Program Files\JetBrains\RubyMine 2020.2.3\jbr\bin\modular-sdk\modules\jcef\org\cef\handler\CefFocusHandlerAdapter.class	RubyMine-2020.2.3.exe
File created	C:\Program Files\JetBrains\RubyMine 2020.2.3\plugins\JavaScriptLanguage\jsLanguageServicesImpl\external\lib.esnext.string.d.ts	RubyMine-2020.2.3.exe
File created	C:\Program Files\JetBrains\RubyMine 2020.2.3\plugins\ruby\rb\gems\ruby-debug-base-0.10.5.jb2-x86-mswin32.gem	RubyMine-2020.2.3.exe
File created	C:\Program Files\JetBrains\RubyMine 2020.2.3\plugins\ruby\rb\testing\patch\testunit\test\unit\ui\testrunnermediator.rb	RubyMine-2020.2.3.exe
File created	C:\Program Files\JetBrains\RubyMine 2020.2.3\plugins\ruby\rubystubs\rubystubs21\float.rb	RubyMine-2020.2.3.exe
File created	C:\Program Files\JetBrains\RubyMine 2020.2.3\plugins\ruby\rubystubs\rubystubs27\float_domain_error.rb	RubyMine-2020.2.3.exe
File created	C:\Program Files\JetBrains\RubyMine 2020.2.3\jbr\bin\jawt.dll	RubyMine-2020.2.3.exe
File created	C:\Program Files\JetBrains\RubyMine 2020.2.3\plugins\ruby\rubystubs\rubystubs22\fiddle.rb	RubyMine-2020.2.3.exe
File created	C:\Program Files\JetBrains\RubyMine 2020.2.3\plugins\ruby\rubystubs\rubystubs26\fcntl.rb	RubyMine-2020.2.3.exe
File created	C:\Program Files\JetBrains\RubyMine 2020.2.3\plugins\ruby\rubystubs\rubystubs20\etc.rb	RubyMine-2020.2.3.exe
File created	C:\Program Files\JetBrains\RubyMine 2020.2.3\plugins\JavaScriptLanguage\jsLanguageServicesImpl\typescript\session\old\ts-project-service-1x.js	RubyMine-2020.2.3.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 39 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeEXCEL.EXEIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "312954043"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6906F521-2E06-11EB-95A4-EE401B9E63CB} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe

Modifies registry class 28 IoCs

Processes:

RubyMine-2020.2.3.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background\shell\RubyMine\ = "Open Folder as RubyMine Project"	RubyMine-2020.2.3.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Directory\Background\shell\RubyMine\command	RubyMine-2020.2.3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications	RubyMine-2020.2.3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelliJIdeaProjectFile\DefaultIcon\ = "C:\\Program Files\\JetBrains\\RubyMine 2020.2.3\\bin\\rubymine64.exe,0"	RubyMine-2020.2.3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\rubymine64.exe\shell\open\FriendlyAppName = "RubyMine 2020.2.3"	RubyMine-2020.2.3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background\shell\RubyMine\command\ = "\"C:\\Program Files\\JetBrains\\RubyMine 2020.2.3\\bin\\rubymine64.exe\" \"%V\""	RubyMine-2020.2.3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelliJIdeaProjectFile	RubyMine-2020.2.3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelliJIdeaProjectFile\ = "IntelliJ IDEA Project File"	RubyMine-2020.2.3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\rubymine64.exe\shell	RubyMine-2020.2.3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\RubyMine\ = "Open Folder as RubyMine Project"	RubyMine-2020.2.3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelliJIdeaProjectFile\shell\open	RubyMine-2020.2.3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelliJIdeaProjectFile\shell\open\command\ = "\"C:\\Program Files\\JetBrains\\RubyMine 2020.2.3\\bin\\rubymine64.exe\" \"%1\""	RubyMine-2020.2.3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background\shell\RubyMine\Icon = "C:\\Program Files\\JetBrains\\RubyMine 2020.2.3\\bin\\rubymine64.exe"	RubyMine-2020.2.3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ipr\ = "IntelliJIdeaProjectFile"	RubyMine-2020.2.3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelliJIdeaProjectFile\shell	RubyMine-2020.2.3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\rubymine64.exe\shell\open\command	RubyMine-2020.2.3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\RubyMine\Icon = "C:\\Program Files\\JetBrains\\RubyMine 2020.2.3\\bin\\rubymine64.exe"	RubyMine-2020.2.3.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Directory\shell\RubyMine\command	RubyMine-2020.2.3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\RubyMine\command\ = "\"C:\\Program Files\\JetBrains\\RubyMine 2020.2.3\\bin\\rubymine64.exe\" \"%1\""	RubyMine-2020.2.3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\rubymine64.exe\shell\open	RubyMine-2020.2.3.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Directory\Background\shell\RubyMine	RubyMine-2020.2.3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ipr	RubyMine-2020.2.3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelliJIdeaProjectFile\shell\ = "open"	RubyMine-2020.2.3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\rubymine64.exe	RubyMine-2020.2.3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\rubymine64.exe\shell\open\command\ = "\"C:\\Program Files\\JetBrains\\RubyMine 2020.2.3\\bin\\rubymine64.exe\" \"%1\""	RubyMine-2020.2.3.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Directory\shell\RubyMine	RubyMine-2020.2.3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelliJIdeaProjectFile\DefaultIcon	RubyMine-2020.2.3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IntelliJIdeaProjectFile\shell\open\command	RubyMine-2020.2.3.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1068 EXCEL.EXE
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

532 iexplore.exe
Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

iexplore.exeIEXPLORE.EXEEXCEL.EXE

pid process

532 iexplore.exe
532 iexplore.exe
1708 IEXPLORE.EXE
1708 IEXPLORE.EXE
1708 IEXPLORE.EXE
1708 IEXPLORE.EXE
1068 EXCEL.EXE
1068 EXCEL.EXE
1068 EXCEL.EXE

pid	process
1068	EXCEL.EXE

pid	process
532	iexplore.exe

pid	process
532	iexplore.exe
532	iexplore.exe
1708	IEXPLORE.EXE
1708	IEXPLORE.EXE
1708	IEXPLORE.EXE
1708	IEXPLORE.EXE
1068	EXCEL.EXE
1068	EXCEL.EXE
1068	EXCEL.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 532 wrote to memory of 1708	532	iexplore.exe	IEXPLORE.EXE
PID 532 wrote to memory of 1708	532	iexplore.exe	IEXPLORE.EXE
PID 532 wrote to memory of 1708	532	iexplore.exe	IEXPLORE.EXE
PID 532 wrote to memory of 1708	532	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:532

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:532 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1708

C:\Users\Admin\AppData\Local\Temp\RubyMine-2020.2.3.exe
"C:\Users\Admin\AppData\Local\Temp\RubyMine-2020.2.3.exe"
1⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies registry class
PID:1956

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1068

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\J6N6YHLY.txt
MD5
ef622a57ebb8979d53b18142630e3f8a

SHA1
0d2dff0afc78a6d4bb1a31433fa1aceaac69a440

SHA256
0f5e5828c875c9cd3fece16df7fda3472067dec8ee428c3426a43467c14c3030

SHA512
72307c4b3bad385f0de12494c79e2bc40c067fd1fb9aa95510f48a32709ec2ce3d7f3ceffe1193331082a55f8e95f913d1f18d80bdc76935d8f36fa6d7cca818

Download Submit
\Program Files\JetBrains\RubyMine 2020.2.3\bin\rubymine64.exe
MD5
8de2cfe6f9abbfba5a13a1435e49149d

SHA1
8b9c43186028c7be5dbbde635c0ccd78b7c4ae56

SHA256
17ba5701f91597dc6f6784332ff37e74f30c7d88c080a0c94f5ad32c924647e4

SHA512
7eacc632770dc80cb727c7805766774ef629aaa914e829f312bb1887fca84d274bb83901fc07a1465925a1d6d522fcfa5fc1b49440f7c2c4e557f7ddc274eebb

Download Submit
\Program Files\JetBrains\RubyMine 2020.2.3\bin\rubymine64.exe
MD5
8de2cfe6f9abbfba5a13a1435e49149d

SHA1
8b9c43186028c7be5dbbde635c0ccd78b7c4ae56

SHA256
17ba5701f91597dc6f6784332ff37e74f30c7d88c080a0c94f5ad32c924647e4

SHA512
7eacc632770dc80cb727c7805766774ef629aaa914e829f312bb1887fca84d274bb83901fc07a1465925a1d6d522fcfa5fc1b49440f7c2c4e557f7ddc274eebb

Download Submit
\Program Files\JetBrains\RubyMine 2020.2.3\bin\rubymine64.exe
MD5
8de2cfe6f9abbfba5a13a1435e49149d

SHA1
8b9c43186028c7be5dbbde635c0ccd78b7c4ae56

SHA256
17ba5701f91597dc6f6784332ff37e74f30c7d88c080a0c94f5ad32c924647e4

SHA512
7eacc632770dc80cb727c7805766774ef629aaa914e829f312bb1887fca84d274bb83901fc07a1465925a1d6d522fcfa5fc1b49440f7c2c4e557f7ddc274eebb

Download Submit
\Program Files\JetBrains\RubyMine 2020.2.3\bin\rubymine64.exe
MD5
8de2cfe6f9abbfba5a13a1435e49149d

SHA1
8b9c43186028c7be5dbbde635c0ccd78b7c4ae56

SHA256
17ba5701f91597dc6f6784332ff37e74f30c7d88c080a0c94f5ad32c924647e4

SHA512
7eacc632770dc80cb727c7805766774ef629aaa914e829f312bb1887fca84d274bb83901fc07a1465925a1d6d522fcfa5fc1b49440f7c2c4e557f7ddc274eebb

Download Submit
\Program Files\JetBrains\RubyMine 2020.2.3\bin\rubymine64.exe
MD5
8de2cfe6f9abbfba5a13a1435e49149d

SHA1
8b9c43186028c7be5dbbde635c0ccd78b7c4ae56

SHA256
17ba5701f91597dc6f6784332ff37e74f30c7d88c080a0c94f5ad32c924647e4

SHA512
7eacc632770dc80cb727c7805766774ef629aaa914e829f312bb1887fca84d274bb83901fc07a1465925a1d6d522fcfa5fc1b49440f7c2c4e557f7ddc274eebb

Download Submit
\Users\Admin\AppData\Local\Temp\nsxB58A.tmp\ExecDos.dll
MD5
774e3b33d151413dc826bf2421cd51e8

SHA1
ab2928dcf6fa54bb9eb16e5f64bfcffaaeee90fa

SHA256
91d5481f576382164703e4ac244052265769377838ac30233ad79c983ed9d454

SHA512
3cf955b13e81e4b6edb292df751ce7f64b0cf30979f57b1609f002859b4e68adc046b6674f76f7b7ce7144382316c344c11fed02d638e62fcc8464c32795a365

Download Submit
\Users\Admin\AppData\Local\Temp\nsxB58A.tmp\InstallOptions.dll
MD5
720304c57dcfa17751ed455b3bb9c10a

SHA1
59a1c3a746de10b8875229ff29006f1fd36b1e41

SHA256
6486029d3939231bd9f10457fd9a5ab2e44f30315af443197a3347df4e18c4e9

SHA512
c64c161290f5c21d642ecf16cc6ad3ee4a31bf5bab41c65c74907a5c158eaca429ef99cd8d2b55dc2ecb8478bb0b85c1576402389a07568f36c871b2772ead04

Download Submit
\Users\Admin\AppData\Local\Temp\nsxB58A.tmp\InstallOptions.dll
MD5
720304c57dcfa17751ed455b3bb9c10a

SHA1
59a1c3a746de10b8875229ff29006f1fd36b1e41

SHA256
6486029d3939231bd9f10457fd9a5ab2e44f30315af443197a3347df4e18c4e9

SHA512
c64c161290f5c21d642ecf16cc6ad3ee4a31bf5bab41c65c74907a5c158eaca429ef99cd8d2b55dc2ecb8478bb0b85c1576402389a07568f36c871b2772ead04

Download Submit
\Users\Admin\AppData\Local\Temp\nsxB58A.tmp\InstallOptions.dll
MD5
720304c57dcfa17751ed455b3bb9c10a

SHA1
59a1c3a746de10b8875229ff29006f1fd36b1e41

SHA256
6486029d3939231bd9f10457fd9a5ab2e44f30315af443197a3347df4e18c4e9

SHA512
c64c161290f5c21d642ecf16cc6ad3ee4a31bf5bab41c65c74907a5c158eaca429ef99cd8d2b55dc2ecb8478bb0b85c1576402389a07568f36c871b2772ead04

Download Submit
\Users\Admin\AppData\Local\Temp\nsxB58A.tmp\InstallOptions.dll
MD5
720304c57dcfa17751ed455b3bb9c10a

SHA1
59a1c3a746de10b8875229ff29006f1fd36b1e41

SHA256
6486029d3939231bd9f10457fd9a5ab2e44f30315af443197a3347df4e18c4e9

SHA512
c64c161290f5c21d642ecf16cc6ad3ee4a31bf5bab41c65c74907a5c158eaca429ef99cd8d2b55dc2ecb8478bb0b85c1576402389a07568f36c871b2772ead04

Download Submit
\Users\Admin\AppData\Local\Temp\nsxB58A.tmp\ShellLink.dll
MD5
d62d3e349689811f838dd10fb216eba1

SHA1
edcafd517860cb6b4bd299e20b17ad74a6fa2a5d

SHA256
5d103419245e2a5f124a96cace25d6836b2398edc0aa3919829b0fd6ad8b5d6a

SHA512
fc7d5826cb9f85068ea702f007920bf7ae63758d13c48761e83cc9e8ac06b231f40e17a9f3340d60d874ad2cf6e0991eb98a52cf893ab785489e0cdbbf294f88

Download Submit
\Users\Admin\AppData\Local\Temp\nsxB58A.tmp\StartMenu.dll
MD5
8a8cf094137e9c56386d5cf84f936fd0

SHA1
60a0cc212e5a1ce303a028f8ddafe0989c202b8d

SHA256
2053d459f5ae1213eaba8ecae74671144c1af140660034b5af23c97818e2c789

SHA512
d938cdb8aabeaf22ce573c4817eed2e8c235c5b4d9d3fb7139db6e8d9ebc73957425cfaa0ec119cc506bcf9c3ecc6b6393fff9278b8d873564148557df5cd9ec

Download Submit
\Users\Admin\AppData\Local\Temp\nsxB58A.tmp\System.dll
MD5
17ed1c86bd67e78ade4712be48a7d2bd

SHA1
1cc9fe86d6d6030b4dae45ecddce5907991c01a0

SHA256
bd046e6497b304e4ea4ab102cab2b1f94ce09bde0eebba4c59942a732679e4eb

SHA512
0cbed521e7d6d1f85977b3f7d3ca7ac34e1b5495b69fd8c7bfa1a846baf53b0ecd06fe1ad02a3599082ffacaf8c71a3bb4e32dec05f8e24859d736b828092cd5

Download Submit
\Users\Admin\AppData\Local\Temp\nsxB58A.tmp\UAC.dll
MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
\Users\Admin\AppData\Local\Temp\nsxB58A.tmp\nsDialogs.dll
MD5
42b064366f780c1f298fa3cb3aeae260

SHA1
5b0349db73c43f35227b252b9aa6555f5ede9015

SHA256
c13104552b8b553159f50f6e2ca45114493397a6fa4bf2cbb960c4a2bbd349ab

SHA512
50d8f4f7a3ff45d5854741e7c4153fa13ee1093bafbe9c2adc60712ed2fb505c9688dd420d75aaea1b696da46b6beccc232e41388bc2a16b1f9eea1832df1cd7

Download Submit
memory/1068-19-0x0000000001DA0000-0x0000000001DA1000-memory.dmp

Filesize
4KB

Download
memory/1068-20-0x0000000001DA0000-0x0000000001DA1000-memory.dmp

Filesize
4KB

Download
memory/1708-1-0x0000000000000000-mapping.dmp

Download
memory/1956-18-0x0000000003B30000-0x0000000003C31000-memory.dmp

Filesize
1.0MB

Download
memory/1956-8-0x0000000003A30000-0x0000000003A31000-memory.dmp

Filesize
4KB

Download
memory/1984-0-0x000007FEF7040000-0x000007FEF72BA000-memory.dmp

Filesize
2.5MB

Download