d15c56de680da5139c7472e648216fe69270b4dd405d637f2777652a9a958639

General

Target

d15c56de680da5139c7472e648216fe69270b4dd405d637f2777652a9a958639.exe
Size

1.4MB
MD5

aa7a505e7cd588769739619ba2677a44
SHA1

61a081b405bd7d5e54be1cb5d71123527c145700
SHA256

d15c56de680da5139c7472e648216fe69270b4dd405d637f2777652a9a958639
SHA512

24935a392bf354c74b4d2d33ad3f4b41db7acd7219d55aa32c0040172fc56f8d98048abd89b657fae43edd72446cd045cb851ed4ea89271bb4d95c41042fe9d9
SSDEEP

24576:cLZpHi0JtVQ7BIbdBIycGJZLwgf56dOA/85RkV4la/ZS6JJKf0EoVr5DBeA:099rcGJOgf0OAUfkVya/ZS6JAjoFt

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4384	AD86.tmp

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\concrt140.dll	AD86.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\mfc140u.dll	AD86.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\msvcr120.dll	AD86.tmp
File opened for modification	C:\Program Files\7-Zip\7z.sfx	AD86.tmp
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	AD86.tmp
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppvIsvSubsystems32.dll	AD86.tmp
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll	AD86.tmp
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe	AD86.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4620	jp2launcher.exe
4620	jp2launcher.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3948	d15c56de680da5139c7472e648216fe69270b4dd405d637f2777652a9a958639.exe
3948	d15c56de680da5139c7472e648216fe69270b4dd405d637f2777652a9a958639.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
3948	d15c56de680da5139c7472e648216fe69270b4dd405d637f2777652a9a958639.exe
3948	d15c56de680da5139c7472e648216fe69270b4dd405d637f2777652a9a958639.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4620	jp2launcher.exe
3948	d15c56de680da5139c7472e648216fe69270b4dd405d637f2777652a9a958639.exe
3948	d15c56de680da5139c7472e648216fe69270b4dd405d637f2777652a9a958639.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3948 wrote to memory of 4384	3948	d15c56de680da5139c7472e648216fe69270b4dd405d637f2777652a9a958639.exe	87
PID 3948 wrote to memory of 4384	3948	d15c56de680da5139c7472e648216fe69270b4dd405d637f2777652a9a958639.exe	87
PID 3948 wrote to memory of 4384	3948	d15c56de680da5139c7472e648216fe69270b4dd405d637f2777652a9a958639.exe	87
PID 3948 wrote to memory of 3620	3948	d15c56de680da5139c7472e648216fe69270b4dd405d637f2777652a9a958639.exe	88
PID 3948 wrote to memory of 3620	3948	d15c56de680da5139c7472e648216fe69270b4dd405d637f2777652a9a958639.exe	88
PID 3620 wrote to memory of 4620	3620	javaws.exe	89
PID 3620 wrote to memory of 4620	3620	javaws.exe	89

C:\Users\Admin\AppData\Local\Temp\d15c56de680da5139c7472e648216fe69270b4dd405d637f2777652a9a958639.exe
"C:\Users\Admin\AppData\Local\Temp\d15c56de680da5139c7472e648216fe69270b4dd405d637f2777652a9a958639.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3948
- C:\Users\Admin\AppData\Local\Temp\AD86.tmp
  C:\Users\Admin\AppData\Local\Temp\AD86.tmp
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:4384
- C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe
  "C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe" -J-Djdk.disableLastUsageTracking=true -SSVBaselineUpdate
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3620
- - C:\Program Files\Java\jre1.8.0_66\bin\jp2launcher.exe
    "C:\Program Files\Java\jre1.8.0_66\bin\jp2launcher.exe" -secure -javaws -jre "C:\Program Files\Java\jre1.8.0_66" -vma LWNsYXNzcGF0aABDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNjZcbGliXGRlcGxveS5qYXIALURqYXZhLnNlY3VyaXR5LnBvbGljeT1maWxlOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF82NlxsaWJcc2VjdXJpdHlcamF2YXdzLnBvbGljeQAtRHRydXN0UHJveHk9dHJ1ZQAtWHZlcmlmeTpyZW1vdGUALURqbmxweC5ob21lPUM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF82NlxiaW4ALURqYXZhLnNlY3VyaXR5Lm1hbmFnZXIALURzdW4uYXd0Lndhcm11cD10cnVlAC1YYm9vdGNsYXNzcGF0aC9hOkM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF82NlxsaWJcamF2YXdzLmphcjtDOlxQcm9ncmFtIEZpbGVzXEphdmFcanJlMS44LjBfNjZcbGliXGRlcGxveS5qYXI7QzpcUHJvZ3JhbSBGaWxlc1xKYXZhXGpyZTEuOC4wXzY2XGxpYlxwbHVnaW4uamFyAC1EamRrLmRpc2FibGVMYXN0VXNhZ2VUcmFja2luZz10cnVlAC1Eam5scHguanZtPUM6XFByb2dyYW0gRmlsZXNcSmF2YVxqcmUxLjguMF82NlxiaW5camF2YXcuZXhlAC1Eam5scHgudm1hcmdzPUxVUnFaR3N1WkdsellXSnNaVXhoYzNSVmMyRm5aVlJ5WVdOcmFXNW5QWFJ5ZFdVQQ== -ma LVNTVkJhc2VsaW5lVXBkYXRlAC1ub3RXZWJKYXZh
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4620

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\deployment.properties

Filesize
698B

MD5
a89e45c73f093e1cac10a62fb7fd3daf

SHA1
5fe1f5cf31f825f8fd167bf150bed7c857095387

SHA256
1e495c234786d0d9097b4e259dfbdbc47cd34fd93743f502e4cc5b5e412e1d78

SHA512
fdda7679c7f314d062b21834d7c17c0a119580d497fcf61c0e29e3fa1a067e990febfd05859e5831eb48f4eeac96acf2992edd370a0f9c61028031da7ffda3c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Sun\Java\Deployment\security\securitypack.jar

Filesize
12KB

MD5
47933033943e6337137aa28bf027a1a2

SHA1
c16d83e0c6bd2356bf3257fcedcccadfd05c3dbb

SHA256
3243018f8d3f21ea0699ecce258dde161c899fb3d248eb12312ee2d540ab3029

SHA512
97ea0697af504b98c14b1355df24f9e9f668cd59e9c44880f562dfe3cf183d92aadbbf07c9f2aa69161437c266631d638fc286b8d5b168a222b76e894cdca313

Download Submit
C:\Users\Admin\AppData\Local\Temp\AD86.tmp

Filesize
145KB

MD5
c610e7ccd6859872c585b2a85d7dc992

SHA1
362b3d4b72e3add687c209c79b500b7c6a246d46

SHA256
14063fc61dc71b9881d75e93a587c27a6daf8779ff5255a24a042beace541041

SHA512
8570aad2ae8b5dcba00fc5ebf3dc0ea117e96cc88a83febd820c5811bf617a6431c1367b3eb88332f43f80b30ebe2c298c22dcc44860a075f7b41bf350236666

Download Submit
C:\Users\Admin\AppData\Local\Temp\AD86.tmp

Filesize
145KB

MD5
c610e7ccd6859872c585b2a85d7dc992

SHA1
362b3d4b72e3add687c209c79b500b7c6a246d46

SHA256
14063fc61dc71b9881d75e93a587c27a6daf8779ff5255a24a042beace541041

SHA512
8570aad2ae8b5dcba00fc5ebf3dc0ea117e96cc88a83febd820c5811bf617a6431c1367b3eb88332f43f80b30ebe2c298c22dcc44860a075f7b41bf350236666

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
267KB

MD5
f3353d0cc050f4785b693b17db209ab2

SHA1
8e750f6fa60c45a0c4f99204305d010fe0e16be7

SHA256
d83ccd1431181bcccc80fd052ebb4faf7c5526c6ca6f76a29accc6336a06a777

SHA512
cc823aead6559fb87553bee6d2e61de099f4885ab6b3021dbfbe6e087bfe905fde7549a0de3194b721e847597f0fba0e23b1420747021212e94aafc99b5ede47

Download Submit
memory/3948-0-0x0000000002300000-0x000000000234E000-memory.dmp

Filesize
312KB

Download
memory/3948-1-0x0000000002300000-0x000000000234E000-memory.dmp

Filesize
312KB

Download
memory/4620-327-0x0000000005540000-0x0000000006540000-memory.dmp

Filesize
16.0MB

Download
memory/4620-353-0x00000000030E0000-0x00000000030E1000-memory.dmp

Filesize
4KB

Download
memory/4620-289-0x0000000005540000-0x0000000006540000-memory.dmp

Filesize
16.0MB

Download
memory/4620-290-0x00000000030E0000-0x00000000030E1000-memory.dmp

Filesize
4KB

Download
memory/4620-313-0x0000000005540000-0x0000000006540000-memory.dmp

Filesize
16.0MB

Download
memory/4620-79-0x00000000030E0000-0x00000000030E1000-memory.dmp

Filesize
4KB

Download
memory/4620-332-0x0000000005540000-0x0000000006540000-memory.dmp

Filesize
16.0MB

Download
memory/4620-337-0x0000000005540000-0x0000000006540000-memory.dmp

Filesize
16.0MB

Download
memory/4620-339-0x00000000030E0000-0x00000000030E1000-memory.dmp

Filesize
4KB

Download
memory/4620-281-0x00000000030E0000-0x00000000030E1000-memory.dmp

Filesize
4KB

Download
memory/4620-354-0x00000000030E0000-0x00000000030E1000-memory.dmp

Filesize
4KB

Download
memory/4620-356-0x00000000030E0000-0x00000000030E1000-memory.dmp

Filesize
4KB

Download
memory/4620-357-0x00000000030E0000-0x00000000030E1000-memory.dmp

Filesize
4KB

Download
memory/4620-359-0x00000000030E0000-0x00000000030E1000-memory.dmp

Filesize
4KB

Download
memory/4620-361-0x00000000030E0000-0x00000000030E1000-memory.dmp

Filesize
4KB

Download
memory/4620-51-0x0000000005540000-0x0000000006540000-memory.dmp

Filesize
16.0MB

Download
memory/4620-371-0x00000000030E0000-0x00000000030E1000-memory.dmp

Filesize
4KB

Download
memory/4620-370-0x00000000030E0000-0x00000000030E1000-memory.dmp

Filesize
4KB

Download
memory/4620-372-0x00000000030E0000-0x00000000030E1000-memory.dmp

Filesize
4KB

Download
memory/4620-375-0x00000000030E0000-0x00000000030E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing