9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9

General

Target

9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe
Size

21KB
MD5

ef8fe9e54b324a7b8c52dd55970c3eee
SHA1

08c2d71489f6e203d9281904e933a797d5822463
SHA256

9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9
SHA512

a0ed1ff57f275c58626de37a1709957d46e4199bd113e98b405026456d45af8bc658724d185a88614a6cd5fa3092e32ae89a9400de6ca6a4713cdbb90ea21132
SSDEEP

384:7rwgu4oJuTJj+XZ9Y9qkyUI07jn6qq9fUaIfqfxWkqxrF6ZlvH38R0V:HaJU+Je9Lwjn9fU7q55AQDHr

Score

8^/10

persistence upx

Malware Config

Signatures

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/956-57-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/592-58-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/592-60-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe\""	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe

Drops desktop.ini file(s) 13 IoCs

Processes:

9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\desktop.ini	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe
File opened for modification	C:\Program Files\Microsoft Games\SpiderSolitaire\desktop.ini	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe
File opened for modification	C:\Program Files\desktop.ini	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-4063495947-34355257-727531523-1000\desktop.ini	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Desktop.ini	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe

Drops file in Program Files directory 64 IoCs

Processes:

9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe

description	ioc	process
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\vistabg.png	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe
File opened for modification	C:\Program Files\Internet Explorer\jsdbgui.dll	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\System.Data.Linq.Resources.dll	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\button_right_mousedown.png	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0215709.WMF	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\javax.servlet_3.0.0.v201112011016.jar	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0212661.WMF	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\Ole DB\en-US\oledb32r.dll.mui	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe
File opened for modification	C:\Program Files (x86)\Common Files\System\wab32res.dll	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\EXCEL_F_COL.HXK	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\PassportMask.wmv	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Pacific\Chuuk	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-loaders.xml	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Sitka	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\settings.html	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\icon.png	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Custom.propdesc	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\IN00233_.WMF	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\en-US\correct.avi	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_image-frame-backglow.png	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT-9	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.osgi.services.nl_ja_4.4.0.v20140623020002.jar	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe
File opened for modification	C:\Program Files\Windows Journal\fr-FR\jnwmon.dll.mui	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-modules-keyring-fallback_ja.jar	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-8	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\PROOF\MSLID.DLL	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\BG_ADOBE.GIF	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\HEADER.GIF	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0233512.WMF	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL010.XML	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Novosibirsk	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.garbagecollector.nl_zh_4.4.0.v20140623020002.jar	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\control\libdummy_plugin.dll	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_moon-full_partly-cloudy.png	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUEPRNT\PREVIEW.GIF	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0151045.WMF	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Lime\TAB_ON.GIF	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS_K_COL.HXK	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\form_edit.js	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Messenger.xml	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ja-JP\InkWatson.exe.mui	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\background.png	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\ECLIPSE_.RSA	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Thatch.dotx	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\VBAOWS10.CHM	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\NavigationRight_SelectionSubpicture.png	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_thunderstorm.png	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\ACWIZRC.DLL	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\MSART14.BDR	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CALHM.POC	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\CATALOG.XML	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe
File opened for modification	C:\Program Files\Java\jre7\bin\glib-lite.dll	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Dushanbe	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLENDS\BLENDS.ELM	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0296279.WMF	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD10289_.GIF	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\HandPrints.jpg	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0318810.WMF	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA01852_.WMF	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02066_.WMF	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Grid.thmx	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\Newsprint.dotx	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Wrinkled_Paper.gif	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\Pets_frame-border.png	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe

description	pid	process	target process
PID 956 wrote to memory of 276	956	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe	cmd.exe
PID 956 wrote to memory of 276	956	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe	cmd.exe
PID 956 wrote to memory of 276	956	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe	cmd.exe
PID 956 wrote to memory of 276	956	9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe
"C:\Users\Admin\AppData\Local\Temp\9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe"
1⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:956

C:\Users\Admin\AppData\Local\Temp\9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe
"C:\Users\Admin\AppData\Local\Temp\9385c94181cda268839695c6b7adf6afd3218a44be5e31fa11eac8cee54f6db9.exe" n956
2⤵
PID:592

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
2⤵
PID:276

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-4063495947-34355257-727531523-1000\desktop.ini
Filesize
356B

MD5
b12f59d718e6f686a5650dc8c133728e

SHA1
acce377a68e38416d81f05cdb3fd730c3d31aa24

SHA256
7c7ad7c883a4fa18fcd379602c8cb20655da3cfdb957e63986de44f8c8ecebba

SHA512
8f0c7ba44b646f3a77135737cacf8aad3752809e3afc7a8c9ff3676c1a17f899efa68bee0682b22bebae133274a4b45c433dc6eb664ff9bd2d6512a51dca09e4

Download Submit
memory/276-55-0x0000000000000000-mapping.dmp

Download
memory/592-58-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/592-60-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/956-54-0x0000000076561000-0x0000000076563000-memory.dmp

Filesize
8KB

Download
memory/956-57-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads