15261e0cd7fbecb70f12b8e5791c5e99555e3287ee7369f72a4880d364bf6d49

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 15:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a251ec4dd07c0f4fcf4662e51348f71.exe
Size

560KB
MD5

2a251ec4dd07c0f4fcf4662e51348f71
SHA1

6b0ffdb7774c6c4ccc0b803e5d783ef560f862c0
SHA256

15261e0cd7fbecb70f12b8e5791c5e99555e3287ee7369f72a4880d364bf6d49
SHA512

eaaed28c23a47815b91df1a241b43aacdbd7f2520c03a7a1e9992a5e7691812e2360f1cbf3ed06f2b0cb69804c1ebbe43e9bd8a703e17488ccd0b5b6cdb0ac62
SSDEEP

12288:iXhKmrtWV2pP3rlPdqoCx4dc3+p+LGAfpNnj3UgTsxtUceqM:iQ3kkxF3+dABNnjkgTMtUc

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Runonce = "C:\\Windows\\system32\\runouce.exe"	2a251ec4dd07c0f4fcf4662e51348f71.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\runouce.exe	2a251ec4dd07c0f4fcf4662e51348f71.exe
File opened for modification	C:\Windows\SysWOW64\runouce.exe	2a251ec4dd07c0f4fcf4662e51348f71.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Wordconv.exe	2a251ec4dd07c0f4fcf4662e51348f71.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\OFFISUPP.HTM	2a251ec4dd07c0f4fcf4662e51348f71.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe	2a251ec4dd07c0f4fcf4662e51348f71.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	2a251ec4dd07c0f4fcf4662e51348f71.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\readme.eml	2a251ec4dd07c0f4fcf4662e51348f71.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\README.HTM	2a251ec4dd07c0f4fcf4662e51348f71.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOHTMED.EXE	2a251ec4dd07c0f4fcf4662e51348f71.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSTORE.EXE	2a251ec4dd07c0f4fcf4662e51348f71.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\readme.eml	2a251ec4dd07c0f4fcf4662e51348f71.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	2a251ec4dd07c0f4fcf4662e51348f71.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE	2a251ec4dd07c0f4fcf4662e51348f71.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2a251ec4dd07c0f4fcf4662e51348f71.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	2a251ec4dd07c0f4fcf4662e51348f71.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	2a251ec4dd07c0f4fcf4662e51348f71.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	2a251ec4dd07c0f4fcf4662e51348f71.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\readme.eml	2a251ec4dd07c0f4fcf4662e51348f71.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	2a251ec4dd07c0f4fcf4662e51348f71.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\license.html	2a251ec4dd07c0f4fcf4662e51348f71.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Peacock.htm	2a251ec4dd07c0f4fcf4662e51348f71.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\readme.eml	2a251ec4dd07c0f4fcf4662e51348f71.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	2a251ec4dd07c0f4fcf4662e51348f71.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	2a251ec4dd07c0f4fcf4662e51348f71.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\index.html	2a251ec4dd07c0f4fcf4662e51348f71.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\epl-v10.html	2a251ec4dd07c0f4fcf4662e51348f71.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPrintTemplate.html	2a251ec4dd07c0f4fcf4662e51348f71.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2a251ec4dd07c0f4fcf4662e51348f71.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmiregistry.exe	2a251ec4dd07c0f4fcf4662e51348f71.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.EXE	2a251ec4dd07c0f4fcf4662e51348f71.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe	2a251ec4dd07c0f4fcf4662e51348f71.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Hand Prints.htm	2a251ec4dd07c0f4fcf4662e51348f71.exe
File opened for modification	C:\Program Files\SendRemove.html	2a251ec4dd07c0f4fcf4662e51348f71.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Orange Circles.htm	2a251ec4dd07c0f4fcf4662e51348f71.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\readme.eml	2a251ec4dd07c0f4fcf4662e51348f71.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\readme.eml	2a251ec4dd07c0f4fcf4662e51348f71.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewTemplate.html	2a251ec4dd07c0f4fcf4662e51348f71.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\XLICONS.EXE	2a251ec4dd07c0f4fcf4662e51348f71.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\readme.eml	2a251ec4dd07c0f4fcf4662e51348f71.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\license.html	2a251ec4dd07c0f4fcf4662e51348f71.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	2a251ec4dd07c0f4fcf4662e51348f71.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2a251ec4dd07c0f4fcf4662e51348f71.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsViewTemplate.html	2a251ec4dd07c0f4fcf4662e51348f71.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\vlm.html	2a251ec4dd07c0f4fcf4662e51348f71.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	2a251ec4dd07c0f4fcf4662e51348f71.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsImageTemplate.html	2a251ec4dd07c0f4fcf4662e51348f71.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\readme.eml	2a251ec4dd07c0f4fcf4662e51348f71.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE	2a251ec4dd07c0f4fcf4662e51348f71.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	2a251ec4dd07c0f4fcf4662e51348f71.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\epl-v10.html	2a251ec4dd07c0f4fcf4662e51348f71.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	2a251ec4dd07c0f4fcf4662e51348f71.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	2a251ec4dd07c0f4fcf4662e51348f71.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\about.html	2a251ec4dd07c0f4fcf4662e51348f71.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html	2a251ec4dd07c0f4fcf4662e51348f71.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\readme.eml	2a251ec4dd07c0f4fcf4662e51348f71.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\readme.eml	2a251ec4dd07c0f4fcf4662e51348f71.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	2a251ec4dd07c0f4fcf4662e51348f71.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	2a251ec4dd07c0f4fcf4662e51348f71.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	2a251ec4dd07c0f4fcf4662e51348f71.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\readme.eml	2a251ec4dd07c0f4fcf4662e51348f71.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\mobile_view.html	2a251ec4dd07c0f4fcf4662e51348f71.exe
File opened for modification	C:\Program Files\Java\jre7\bin\pack200.exe	2a251ec4dd07c0f4fcf4662e51348f71.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.exe	2a251ec4dd07c0f4fcf4662e51348f71.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\readme.eml	2a251ec4dd07c0f4fcf4662e51348f71.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	2a251ec4dd07c0f4fcf4662e51348f71.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\readme.eml	2a251ec4dd07c0f4fcf4662e51348f71.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2228 wrote to memory of 2180	2228	2a251ec4dd07c0f4fcf4662e51348f71.exe	18
PID 2228 wrote to memory of 2180	2228	2a251ec4dd07c0f4fcf4662e51348f71.exe	18
PID 2228 wrote to memory of 2180	2228	2a251ec4dd07c0f4fcf4662e51348f71.exe	18
PID 2228 wrote to memory of 2180	2228	2a251ec4dd07c0f4fcf4662e51348f71.exe	18
PID 2228 wrote to memory of 2180	2228	2a251ec4dd07c0f4fcf4662e51348f71.exe	18
PID 2228 wrote to memory of 2180	2228	2a251ec4dd07c0f4fcf4662e51348f71.exe	18
PID 2228 wrote to memory of 2180	2228	2a251ec4dd07c0f4fcf4662e51348f71.exe	18
PID 2228 wrote to memory of 1264	2228	2a251ec4dd07c0f4fcf4662e51348f71.exe	13
PID 2228 wrote to memory of 1264	2228	2a251ec4dd07c0f4fcf4662e51348f71.exe	13

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1264
- C:\Users\Admin\AppData\Local\Temp\2a251ec4dd07c0f4fcf4662e51348f71.exe
  "C:\Users\Admin\AppData\Local\Temp\2a251ec4dd07c0f4fcf4662e51348f71.exe"
  2⤵
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Users\Admin\AppData\Local\Temp\2a251ec4dd07c0f4fcf4662e51348f71.exe
    "C:\Users\Admin\AppData\Local\Temp\2a251ec4dd07c0f4fcf4662e51348f71.exe"
    3⤵
    PID:2180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\readme.eml

Filesize
14KB

MD5
e997a0cf4bf4a2bac76faa47566d1041

SHA1
6c680361949886522f086cd96addc23e4a2fabab

SHA256
fe000b3c8aec12cebcda8f4d810a921177159b2b7de6cd2bdd58f190e25504ff

SHA512
c7a69fa10b5d405fa72b251581c6341ba6f31d3ca676736f82736009ec6dd129227f56e49c190459ab1e316632efa23d8c5daccc62fd6472f10af50f034f805c

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
8156706568e77846b7bfbcc091c6ffeb

SHA1
792aa0db64f517520ee8f745bee71152532fe4d2

SHA256
5e19cfbd6690649d3349e585472385186d99f56a94dc32d9073b83011cea85f8

SHA512
8760f26069296f0fe09532f1244d93a57db4cafa8d06aaa9dc981bcaed4bde05366ef21e6f0c1aadad4478382b59a4e43d26c04185cf2ed965901321d05604b8

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
8KB

MD5
7757fe48a0974cb625e89012c92cc995

SHA1
e4684021f14053c3f9526070dc687ff125251162

SHA256
c0a8aa811a50c9b592c8f7987c016e178c732d7ebfd11aa985a8f0480539fa03

SHA512
b3d4838b59f525078542e7ebbf77300d6f94e13b0bff1c9a2c5b44a66b89310a2593815703f9571565c18b0cdeb84e9e48432208aaa25dff9d2223722902d526

Download Submit
C:\Users\Admin\AppData\Local\Temp\ose00000.exe

Filesize
152KB

MD5
d335ffbc76456001302c4c4e6da698eb

SHA1
384f0a3ee44f00ca5a987ddb26f471a9267fe1f2

SHA256
8e717ba7b8c3feb4c407c3f716e95819f54a9380df91a333a627af841939ab31

SHA512
6b2f087a8a91cf42c5a9873a79b3ab0a691c4939a77a7fcefb5df10d98e7f7bd09a0ee19d6d3a47a695566aaae5fadb5782966537e961dbbff6819a697bdc560

Download Submit
C:\Windows\SysWOW64\runouce.exe

Filesize
10KB

MD5
eb74463b9d0d4b8320d40d87c729577e

SHA1
166c19017a694d7a19ed10d85ec939cb23a32d12

SHA256
facf02c37ba359fe5dfa45a51b9bafef5670664403a48b000290cc414326bf88

SHA512
3320cdc319fa1cfb3b10afbe584b3ae4da7b9b1739d5317a1fe73dfcfd0d9578bfcc5e4546ae1b7f824ce98b88dd1c38e34f0a83f9f85b5f60d7e50b02198de9

Download Submit
memory/1264-8-0x00000000026C0000-0x00000000026C1000-memory.dmp

Filesize
4KB

Download
memory/1264-7-0x00000000026C0000-0x00000000026C1000-memory.dmp

Filesize
4KB

Download
memory/2180-2-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2180-5-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2228-0-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download
memory/2228-1-0x0000000000330000-0x00000000003CD000-memory.dmp

Filesize
628KB

Download
memory/2228-201-0x0000000000400000-0x000000000049D000-memory.dmp

Filesize
628KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads