5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af

General

Target

5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe
Size

30KB
MD5

e4c10fca8733b5e03025c3ebd265a9ae
SHA1

68a5abe32d67b337b0398a39960ce2f54ea29441
SHA256

5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af
SHA512

f1950d0474bba8e053996a1b7c43fac44d738ad3321f6b37dbd4c333b3b8c560625e2efe44a4f72d359fedb87973c10b487bc9b7f4572e51218989f7e07b41ac
SSDEEP

768:VpuBNtX5EUX7WuP3yCwYJ1wl+o9UGgis0YE6DAeYBzxuv:gDvyoMlpdiJAe8zW

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe\""	5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe

Drops desktop.ini file(s) 3 IoCs

Processes:

5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe

description	ioc	process
File opened for modification	C:\Program Files\desktop.ini	5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-3845472200-3839195424-595303356-1000\desktop.ini	5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe

Drops file in Program Files directory 64 IoCs

Processes:

5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\management.properties	5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT+2	5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\ECLIPSE_.SF	5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\feature.properties	5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBlue.png	5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.touchpoint.natives.nl_zh_4.4.0.v20140623020002.jar	5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-text_zh_CN.jar	5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\en-US\msdaremr.dll.mui	5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Extensions\external_extensions.json	5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\mojo_core.dll	5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe
File opened for modification	C:\Program Files\Internet Explorer\F12Tools.dll	5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\include\jawt.h	5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\NextMenuButtonIcon.png	5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\hprof.dll	5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\msvcr100.dll	5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\feature.xml	5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-templates.xml	5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\SoftBlue.jpg	5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe
File opened for modification	C:\Program Files\Common Files\System\Ole DB\ja-JP\sqlxmlx.rll.mui	5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\BabyBoyScenesBackground_PAL.wmv	5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.jarprocessor.nl_zh_4.4.0.v20140623020002.jar	5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm	5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\EST5EDT	5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\MANIFEST.MF	5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-outline.xml	5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-utilities_ja.jar	5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\pl-PL\tipresx.dll.mui	5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe
File opened for modification	C:\Program Files\Internet Explorer\en-US\F12.dll.mui	5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-modules-options-api.xml	5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-plaf.xml	5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fr-FR\TipBand.dll.mui	5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Dubai	5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-settings_ja.jar	5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.transport.ecf_1.1.0.v20140408-1354.jar	5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7Handle.png	5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-filesystems.xml	5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\journal.dll	5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\St_Johns	5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\blafdoc.css	5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.renderers.swt.nl_zh_4.4.0.v20140623020002.jar	5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-charts_ja.jar	5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\IpsMigrationPlugin.dll.mui	5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\colorcycle.png	5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Rarotonga	5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwrdeush.dat	5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Blanc-Sablon	5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\ECLIPSE_.RSA	5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata_5.5.0.165303.jar	5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\smtp.jar	5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Tiki.gif	5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\es-ES\msadcer.dll.mui	5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Locales\es.pak	5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe
File opened for modification	C:\Program Files\Internet Explorer\perf_nt.dll	5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Santiago	5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\jfluid-server_zh_CN.jar	5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-uisupport_ja.jar	5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-core-multitabs_zh_CN.jar	5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\messages_sv.properties	5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe
File opened for modification	C:\Program Files\Common Files\System\es-ES\wab32res.dll.mui	5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\msadcfr.dll	5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Santa_Isabel	5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification.ja_5.5.0.165303.jar	5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\file_obj.gif	5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe

description	pid	process	target process
PID 1500 wrote to memory of 1952	1500	5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe	cmd.exe
PID 1500 wrote to memory of 1952	1500	5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe	cmd.exe
PID 1500 wrote to memory of 1952	1500	5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe	cmd.exe
PID 1500 wrote to memory of 1952	1500	5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe
"C:\Users\Admin\AppData\Local\Temp\5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe"
1⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1500

C:\Users\Admin\AppData\Local\Temp\5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe
"C:\Users\Admin\AppData\Local\Temp\5235da476ce257081ccf375da5b9217025bfb151efd8b3522853719cac84d1af.exe" n1500
2⤵
PID:888

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
PID:1952

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-3845472200-3839195424-595303356-1000\desktop.ini
Filesize
356B

MD5
3cb8ec43d9b88233993ea95ab072d693

SHA1
c1060dd79135f153590387af7bd7dbfdf11fc55b

SHA256
19fbcd53fbd396de35b80b65ee780e7795299519b7d75c5f57a14d1eaf2084e1

SHA512
547525b7c9fe1bfe160789492334d3e85b5c867105b443c0ea94c5cc3c8498e8c24ad1329da817064ff155fb34b8f108e6f2e0add409eefa3ea058c038ebb7b9

Download Submit
memory/1500-54-0x0000000076201000-0x0000000076203000-memory.dmp

Filesize
8KB

Download
memory/1952-56-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads