globeimposter | 965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a

Analysis

max time kernel
130s
max time network
48s
platform
windows7_x64
resource
win7-20220331-en
submitted
30-03-2022 02:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
Size

2.9MB
MD5

d4ddfd6ce54841bddce22d8ca819363b
SHA1

4148288be1d9250c29f5af83ef27b468787bcdbb
SHA256

965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a
SHA512

eafbc1c3d96b5720368b38e39237460ebd0a1c1d709336dc47c4af61e20c9d19b6dae437459aa4c86534754965f1fc66ba67cac132ba3072e4798e7f94085cc4

Score

10^/10

globeimposter persistence ransomware spyware stealer

Malware Config

Signatures

GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
ransomware globeimposter

Modifies extensions of user files 6 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\UninstallWatch.crw => C:\Users\Admin\Pictures\UninstallWatch.crw.xls	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File renamed	C:\Users\Admin\Pictures\ConvertSearch.raw => C:\Users\Admin\Pictures\ConvertSearch.raw.xls	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File renamed	C:\Users\Admin\Pictures\DebugFormat.tif => C:\Users\Admin\Pictures\DebugFormat.tif.xls	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File renamed	C:\Users\Admin\Pictures\MoveStep.tif => C:\Users\Admin\Pictures\MoveStep.tif.xls	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File renamed	C:\Users\Admin\Pictures\SetComplete.tif => C:\Users\Admin\Pictures\SetComplete.tif.xls	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File renamed	C:\Users\Admin\Pictures\SuspendGrant.crw => C:\Users\Admin\Pictures\SuspendGrant.crw.xls	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-594401021-1341801952-2355885667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe"	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe

Drops desktop.ini file(s) 36 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Program Files\desktop.ini	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Users\Public\desktop.ini	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Users\Public\Music\Sample Music\desktop.ini	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
1536	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
1536	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
1536	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
1536	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1536 set thread context of 888	1536	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe	29

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CharSetTable.chr	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\RSWOP.ICM	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSSP7ES.LEX	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\AMERITECH.NET.XML	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Lime\TAB_OFF.GIF	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD15156_.GIF	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WHIRL1.WMF	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Ho_Chi_Minh	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\SIDBAR98.POC	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Oasis\TAB_ON.GIF	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD10266_.GIF	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14581_.GIF	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Urban.xml	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MCPS.DLL	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD19988_.WMF	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107544.WMF	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0195428.WMF	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\meta\art\01_googleimage.luac	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Guam	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PPTICO.EXE	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR46B.GIF	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14532_.GIF	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00049_.WMF	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE00542_.WMF	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File created	C:\Program Files\Microsoft Games\Solitaire\fr-FR\My_Files.txt	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Grand_Turk	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGBOXES.XML	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WEBEMAIL.POC	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\Bibliography\BIBFORM.XML	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0187893.WMF	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239967.WMF	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02356_.WMF	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.71\My_Files.txt	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice-install.log	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Students.accdt	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL011.XML	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\TRANSMGR.DLL	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107490.WMF	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145879.JPG	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0188513.WMF	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Program Files\Java\jre7\lib\sound.properties	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\LABEL.DPV	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0158007.WMF	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01240_.GIF	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGACCBAR.XML	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14870_.GIF	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PARNT_02.MID	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02282_.WMF	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Program Files\ResumeSelect.M2TS	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OARTCONV.DLL	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Places\My_Files.txt	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\GrayCheck\HEADER.GIF	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14794_.GIF	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341344.JPG	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341448.JPG	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00257_.WMF	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\WB01300_.GIF	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeXMP.dll	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Indian\Kerguelen	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Antarctica\Syowa	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBSPAPR\ZPDIR32F.GIF	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0107742.WMF	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1852	1536	WerFault.exe	16

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1536	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
1536	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1536	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1536 wrote to memory of 888	1536	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe	29
PID 1536 wrote to memory of 888	1536	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe	29
PID 1536 wrote to memory of 888	1536	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe	29
PID 1536 wrote to memory of 888	1536	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe	29
PID 1536 wrote to memory of 888	1536	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe	29
PID 1536 wrote to memory of 888	1536	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe	29
PID 1536 wrote to memory of 888	1536	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe	29
PID 1536 wrote to memory of 888	1536	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe	29
PID 1536 wrote to memory of 1852	1536	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe	28
PID 1536 wrote to memory of 1852	1536	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe	28
PID 1536 wrote to memory of 1852	1536	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe	28
PID 1536 wrote to memory of 1852	1536	965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe	28

C:\Users\Admin\AppData\Local\Temp\965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
"C:\Users\Admin\AppData\Local\Temp\965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1536
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1536 -s 616
  2⤵
  - Program crash
  PID:1852
- C:\Users\Admin\AppData\Local\Temp\965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe
  "C:\Users\Admin\AppData\Local\Temp\965312dce88eabcf4089f8fa18642cf00d410e3b07c8647eb1f1775ddd8f529a.exe"
  2⤵
  - Modifies extensions of user files
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  PID:888

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/888-64-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/888-63-0x0000000075A51000-0x0000000075A53000-memory.dmp

Filesize
8KB

Download
memory/888-60-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/888-59-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/888-57-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/888-56-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1536-54-0x0000000001240000-0x0000000001526000-memory.dmp

Filesize
2.9MB

Download
memory/1536-55-0x0000000000570000-0x00000000005C6000-memory.dmp

Filesize
344KB

Download