7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438

General

Target

7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
Size

3.8MB
MD5

aaefc0480def364bddc8b77efd1e9298
SHA1

985c945b1959453084e4f5e8eedf1cce03cd6b43
SHA256

7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438
SHA512

197d81e5a47e845048bbb7a358fa7842df85542dddba82266bd91448aebb196a32081537c47885311c3f30b00b2028ae812b2e1c878a040ac65e654fa8bcee88

Score

8^/10

persistence

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

Processes:

7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe

description	ioc	process
File created	C:\windows\SysWOW64\drivers\spo0lve.exe	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
File opened for modification	C:\windows\SysWOW64\drivers\spo0lve.exe	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\spron = "C:\\Users\\Admin\\AppData\\Local\\Temp/7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe"	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe

Drops file in Program Files directory 64 IoCs

Processes:

7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe

description	ioc	process
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\heart_glass_Thumbnail.bmp	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
File created	C:\Program Files\Windows Media Player\wmpnscfg.exe	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\booklist.gif	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
File created	C:\Program Files\Windows Defender\MSASCui.exe	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\bookicon.gif	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.htm	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\conticon.gif	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\larrow.gif	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
File opened for modification	C:\Program Files\Java\jre7\bin\klist.exe	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
File created	C:\Program Files\Windows Photo Viewer\ImagingDevices.exe	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\favicon.ico	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
File created	C:\Program Files\Windows Media Player\Network Sharing\wmpnss_bw48.bmp	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
File created	C:\Program Files\Windows Media Player\setup_wm.exe	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\splash.gif	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\uarrow.gif	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\ffjcext.zip	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
File created	C:\Program Files\DVD Maker\DVDMaker.exe	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\new-trigger-wiz.gif	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
File opened for modification	C:\Program Files\Java\jre7\lib\images\cursors\win32_LinkDrop32x32.gif	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
File created	C:\Program Files\Windows Journal\Journal.exe	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\scene_button_style_default_Thumbnail.bmp	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\win32_LinkDrop32x32.gif	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\feedbck2.gif	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
File created	C:\Program Files\Windows Media Player\wmplayer.exe	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_highlights_Thumbnail.bmp	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
File created	C:\Program Files\Windows Mail\wab.exe	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_glass_Thumbnail.bmp	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\toc.gif	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
File created	C:\Program Files\Windows Mail\wabmig.exe	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_scrapbook_Thumbnail.bmp	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Stationery\Shades of Blue.htm	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_travel_Thumbnail.bmp	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
File created	C:\Program Files\Internet Explorer\iediagcmd.exe	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe

pid	process
1048	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
1048	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
1048	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
1048	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
1048	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
1048	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
1048	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
1048	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
1048	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
1048	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
1048	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
1048	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
1048	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
1048	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
1048	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
1048	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
1048	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
1048	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
1048	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
1048	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
1048	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
1048	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
1048	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
1048	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
1048	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe

pid	process
1048	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
1048	7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe

C:\Users\Admin\AppData\Local\Temp\7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe
"C:\Users\Admin\AppData\Local\Temp\7e3293e07c706d9d02e34682537a566dd5aed3464fd186af6eefd7a73b8e8438.exe"
1⤵
- Drops file in Drivers directory
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1048

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1048-59-0x0000000075721000-0x0000000075723000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads