51e30460b4ad162b05b67f41d2353d36a769746a3084cdf02c625eca323459a9

General

Target

51e30460b4ad162b05b67f41d2353d36a769746a3084cdf02c625eca323459a9.exe
Size

628KB
MD5

83129980db240243cd9355c433819b50
SHA1

b4005272b50696e72e2ad24d1f4d151e60ebfa1e
SHA256

51e30460b4ad162b05b67f41d2353d36a769746a3084cdf02c625eca323459a9
SHA512

57bf4779d4b42d95616d19f6635cb58c3bdff246daaddd579769b6c30ace514442e1957538b6da32c1903e6fa0c24836664277bd75d499f57a884253a9addc78
SSDEEP

12288:jfPi1dJU0L/vI9mOxPEUKRknYYJ2tHhyXxAeUgrSACI7XHgZQKhJgeCmAQL:jfPi1dJU43I98U7nYYJ2tHhADSANLHgd

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Runonce = "C:\\Windows\\system32\\runouce.exe"	51e30460b4ad162b05b67f41d2353d36a769746a3084cdf02c625eca323459a9.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\runouce.exe	51e30460b4ad162b05b67f41d2353d36a769746a3084cdf02c625eca323459a9.exe
File opened for modification	C:\Windows\SysWOW64\runouce.exe	51e30460b4ad162b05b67f41d2353d36a769746a3084cdf02c625eca323459a9.exe

Drops file in Program Files directory 26 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Orange Circles.htm	51e30460b4ad162b05b67f41d2353d36a769746a3084cdf02c625eca323459a9.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Shades of Blue.htm	51e30460b4ad162b05b67f41d2353d36a769746a3084cdf02c625eca323459a9.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Soft Blue.htm	51e30460b4ad162b05b67f41d2353d36a769746a3084cdf02c625eca323459a9.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	51e30460b4ad162b05b67f41d2353d36a769746a3084cdf02c625eca323459a9.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe	51e30460b4ad162b05b67f41d2353d36a769746a3084cdf02c625eca323459a9.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe	51e30460b4ad162b05b67f41d2353d36a769746a3084cdf02c625eca323459a9.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.htm	51e30460b4ad162b05b67f41d2353d36a769746a3084cdf02c625eca323459a9.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm	51e30460b4ad162b05b67f41d2353d36a769746a3084cdf02c625eca323459a9.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	51e30460b4ad162b05b67f41d2353d36a769746a3084cdf02c625eca323459a9.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	51e30460b4ad162b05b67f41d2353d36a769746a3084cdf02c625eca323459a9.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	51e30460b4ad162b05b67f41d2353d36a769746a3084cdf02c625eca323459a9.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe	51e30460b4ad162b05b67f41d2353d36a769746a3084cdf02c625eca323459a9.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe	51e30460b4ad162b05b67f41d2353d36a769746a3084cdf02c625eca323459a9.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.htm	51e30460b4ad162b05b67f41d2353d36a769746a3084cdf02c625eca323459a9.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe	51e30460b4ad162b05b67f41d2353d36a769746a3084cdf02c625eca323459a9.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe	51e30460b4ad162b05b67f41d2353d36a769746a3084cdf02c625eca323459a9.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe	51e30460b4ad162b05b67f41d2353d36a769746a3084cdf02c625eca323459a9.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.htm	51e30460b4ad162b05b67f41d2353d36a769746a3084cdf02c625eca323459a9.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm	51e30460b4ad162b05b67f41d2353d36a769746a3084cdf02c625eca323459a9.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.htm	51e30460b4ad162b05b67f41d2353d36a769746a3084cdf02c625eca323459a9.exe
File opened for modification	C:\Program Files\DVD Maker\DVDMaker.exe	51e30460b4ad162b05b67f41d2353d36a769746a3084cdf02c625eca323459a9.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	51e30460b4ad162b05b67f41d2353d36a769746a3084cdf02c625eca323459a9.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe	51e30460b4ad162b05b67f41d2353d36a769746a3084cdf02c625eca323459a9.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	51e30460b4ad162b05b67f41d2353d36a769746a3084cdf02c625eca323459a9.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	51e30460b4ad162b05b67f41d2353d36a769746a3084cdf02c625eca323459a9.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm	51e30460b4ad162b05b67f41d2353d36a769746a3084cdf02c625eca323459a9.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1944 wrote to memory of 1196	1944	51e30460b4ad162b05b67f41d2353d36a769746a3084cdf02c625eca323459a9.exe	27
PID 1944 wrote to memory of 1196	1944	51e30460b4ad162b05b67f41d2353d36a769746a3084cdf02c625eca323459a9.exe	27
PID 1944 wrote to memory of 1196	1944	51e30460b4ad162b05b67f41d2353d36a769746a3084cdf02c625eca323459a9.exe	27
PID 1944 wrote to memory of 1196	1944	51e30460b4ad162b05b67f41d2353d36a769746a3084cdf02c625eca323459a9.exe	27
PID 1944 wrote to memory of 1288	1944	51e30460b4ad162b05b67f41d2353d36a769746a3084cdf02c625eca323459a9.exe	14
PID 1944 wrote to memory of 1288	1944	51e30460b4ad162b05b67f41d2353d36a769746a3084cdf02c625eca323459a9.exe	14

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1288
- C:\Users\Admin\AppData\Local\Temp\51e30460b4ad162b05b67f41d2353d36a769746a3084cdf02c625eca323459a9.exe
  "C:\Users\Admin\AppData\Local\Temp\51e30460b4ad162b05b67f41d2353d36a769746a3084cdf02c625eca323459a9.exe"
  2⤵
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1944
- - C:\Users\Admin\AppData\Local\Temp\51e30460b4ad162b05b67f41d2353d36a769746a3084cdf02c625eca323459a9.exe
    "C:\Users\Admin\AppData\Local\Temp\51e30460b4ad162b05b67f41d2353d36a769746a3084cdf02c625eca323459a9.exe"
    3⤵
    PID:1196

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1196-58-0x0000000030000000-0x00000000300C6000-memory.dmp

Filesize
792KB

Download
memory/1288-59-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download
memory/1944-54-0x0000000075CF1000-0x0000000075CF3000-memory.dmp

Filesize
8KB

Download
memory/1944-56-0x0000000030000000-0x00000000300C6000-memory.dmp

Filesize
792KB

Download
memory/1944-61-0x0000000030000000-0x00000000300C6000-memory.dmp

Filesize
792KB

Download

Analysis

Sharing