2303fcba85210755e560e027e3a9c958f2dbd62a1fb2112d2f4d642237221134

Analysis

max time kernel
196s
max time network
157s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25/12/2023, 19:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3665449cc4aab55aef2904e69f5df371.exe
Size

579KB
MD5

3665449cc4aab55aef2904e69f5df371
SHA1

b96ddd1e196f66e7c6c263da2ec1f888b555a4ce
SHA256

2303fcba85210755e560e027e3a9c958f2dbd62a1fb2112d2f4d642237221134
SHA512

011f76db17ab2fa2953c32683fc880382f8bc72c1c0dc2da92efa16eedf341f6fa12135871a957e1d0a2069f8dd3a8adffca79adafc28375cb344d88129bc0ea
SSDEEP

12288:dSZDU5qQkyP+EWkH9L2JnT8DMhHTOpR6iWyrj:dSZsRkop/HR2JISHTOLtWi

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Runonce = "C:\\Windows\\system32\\runouce.exe"	3665449cc4aab55aef2904e69f5df371.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\runouce.exe	3665449cc4aab55aef2904e69f5df371.exe
File opened for modification	C:\Windows\SysWOW64\runouce.exe	3665449cc4aab55aef2904e69f5df371.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	3665449cc4aab55aef2904e69f5df371.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	3665449cc4aab55aef2904e69f5df371.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	3665449cc4aab55aef2904e69f5df371.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	3665449cc4aab55aef2904e69f5df371.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Green Bubbles.htm	3665449cc4aab55aef2904e69f5df371.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\readme.eml	3665449cc4aab55aef2904e69f5df371.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	3665449cc4aab55aef2904e69f5df371.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	3665449cc4aab55aef2904e69f5df371.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\epl-v10.html	3665449cc4aab55aef2904e69f5df371.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\preface.htm	3665449cc4aab55aef2904e69f5df371.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	3665449cc4aab55aef2904e69f5df371.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	3665449cc4aab55aef2904e69f5df371.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\readme.eml	3665449cc4aab55aef2904e69f5df371.exe
File created	C:\Program Files\Java\jdk1.7.0_80\readme.eml	3665449cc4aab55aef2904e69f5df371.exe
File opened for modification	C:\Program Files\Java\jre7\Welcome.html	3665449cc4aab55aef2904e69f5df371.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	3665449cc4aab55aef2904e69f5df371.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	3665449cc4aab55aef2904e69f5df371.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	3665449cc4aab55aef2904e69f5df371.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\about.html	3665449cc4aab55aef2904e69f5df371.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	3665449cc4aab55aef2904e69f5df371.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\README.html	3665449cc4aab55aef2904e69f5df371.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\readme.eml	3665449cc4aab55aef2904e69f5df371.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	3665449cc4aab55aef2904e69f5df371.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	3665449cc4aab55aef2904e69f5df371.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\readme.eml	3665449cc4aab55aef2904e69f5df371.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\readme.eml	3665449cc4aab55aef2904e69f5df371.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\about.html	3665449cc4aab55aef2904e69f5df371.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\readme.eml	3665449cc4aab55aef2904e69f5df371.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	3665449cc4aab55aef2904e69f5df371.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	3665449cc4aab55aef2904e69f5df371.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	3665449cc4aab55aef2904e69f5df371.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe	3665449cc4aab55aef2904e69f5df371.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	3665449cc4aab55aef2904e69f5df371.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\RELEASE-NOTES.html	3665449cc4aab55aef2904e69f5df371.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	3665449cc4aab55aef2904e69f5df371.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\readme.eml	3665449cc4aab55aef2904e69f5df371.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\epl-v10.html	3665449cc4aab55aef2904e69f5df371.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	3665449cc4aab55aef2904e69f5df371.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	3665449cc4aab55aef2904e69f5df371.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	3665449cc4aab55aef2904e69f5df371.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	3665449cc4aab55aef2904e69f5df371.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Roses.htm	3665449cc4aab55aef2904e69f5df371.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	3665449cc4aab55aef2904e69f5df371.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	3665449cc4aab55aef2904e69f5df371.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	3665449cc4aab55aef2904e69f5df371.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	3665449cc4aab55aef2904e69f5df371.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\epl-v10.html	3665449cc4aab55aef2904e69f5df371.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\about.html	3665449cc4aab55aef2904e69f5df371.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\license.html	3665449cc4aab55aef2904e69f5df371.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Stars.htm	3665449cc4aab55aef2904e69f5df371.exe
File created	C:\Program Files\Java\jre7\readme.eml	3665449cc4aab55aef2904e69f5df371.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	3665449cc4aab55aef2904e69f5df371.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	3665449cc4aab55aef2904e69f5df371.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	3665449cc4aab55aef2904e69f5df371.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh001.htm	3665449cc4aab55aef2904e69f5df371.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\FreeCell.exe	3665449cc4aab55aef2904e69f5df371.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	3665449cc4aab55aef2904e69f5df371.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	3665449cc4aab55aef2904e69f5df371.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	3665449cc4aab55aef2904e69f5df371.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\readme.eml	3665449cc4aab55aef2904e69f5df371.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	3665449cc4aab55aef2904e69f5df371.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	3665449cc4aab55aef2904e69f5df371.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	3665449cc4aab55aef2904e69f5df371.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\readme.eml	3665449cc4aab55aef2904e69f5df371.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2868	980	WerFault.exe	28

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 980	2076	3665449cc4aab55aef2904e69f5df371.exe	28
PID 2076 wrote to memory of 980	2076	3665449cc4aab55aef2904e69f5df371.exe	28
PID 2076 wrote to memory of 980	2076	3665449cc4aab55aef2904e69f5df371.exe	28
PID 2076 wrote to memory of 980	2076	3665449cc4aab55aef2904e69f5df371.exe	28
PID 980 wrote to memory of 2868	980	3665449cc4aab55aef2904e69f5df371.exe	29
PID 980 wrote to memory of 2868	980	3665449cc4aab55aef2904e69f5df371.exe	29
PID 980 wrote to memory of 2868	980	3665449cc4aab55aef2904e69f5df371.exe	29
PID 980 wrote to memory of 2868	980	3665449cc4aab55aef2904e69f5df371.exe	29
PID 2076 wrote to memory of 2868	2076	3665449cc4aab55aef2904e69f5df371.exe	29
PID 2076 wrote to memory of 2868	2076	3665449cc4aab55aef2904e69f5df371.exe	29

C:\Users\Admin\AppData\Local\Temp\3665449cc4aab55aef2904e69f5df371.exe
"C:\Users\Admin\AppData\Local\Temp\3665449cc4aab55aef2904e69f5df371.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Users\Admin\AppData\Local\Temp\3665449cc4aab55aef2904e69f5df371.exe
  "C:\Users\Admin\AppData\Local\Temp\3665449cc4aab55aef2904e69f5df371.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:980
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 980 -s 124
    3⤵
    - Program crash
    PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\readme.eml

Filesize
14KB

MD5
0005608d1d7f20a99820d975c274423e

SHA1
21b443de0b2e04922069ec65debeef9d7ceb45eb

SHA256
6b55e82b2508c93b2097b62996ff1f708af487f190d50505ce8dc5b068a38d1d

SHA512
d91181b3b9a46ffbb67989a20a9292564bc0cffa754edf4cbcc27c739d4fac292d54fb25881b9f80878876dccfb0326baf0b06bba54561f7e01ac55f51e4714e

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
8156706568e77846b7bfbcc091c6ffeb

SHA1
792aa0db64f517520ee8f745bee71152532fe4d2

SHA256
5e19cfbd6690649d3349e585472385186d99f56a94dc32d9073b83011cea85f8

SHA512
8760f26069296f0fe09532f1244d93a57db4cafa8d06aaa9dc981bcaed4bde05366ef21e6f0c1aadad4478382b59a4e43d26c04185cf2ed965901321d05604b8

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
8KB

MD5
7757fe48a0974cb625e89012c92cc995

SHA1
e4684021f14053c3f9526070dc687ff125251162

SHA256
c0a8aa811a50c9b592c8f7987c016e178c732d7ebfd11aa985a8f0480539fa03

SHA512
b3d4838b59f525078542e7ebbf77300d6f94e13b0bff1c9a2c5b44a66b89310a2593815703f9571565c18b0cdeb84e9e48432208aaa25dff9d2223722902d526

Download Submit
C:\Windows\SysWOW64\runouce.exe

Filesize
10KB

MD5
e1beaaa9e4b3267b7787667f7a04bc47

SHA1
bad50c9da70bcaa74ced845b486ac6f0414682de

SHA256
0fbb61573d9b8b1792a352fbcb227042f32c9f035012c9f203dce0be4f8f5288

SHA512
da58fcca7e640b8026bc9071c4cd13958ec8dc0cf5ca38644573e2266edc8b43f2d49cb3e3d444388af75b46ec9bb63910b4cc01f50aceb697cdbe5aa9bbade9

Download Submit
memory/980-2-0x0000000000FF0000-0x0000000001085000-memory.dmp

Filesize
596KB

Download
memory/2076-0-0x0000000000FF0000-0x0000000001085000-memory.dmp

Filesize
596KB

Download
memory/2076-1-0x0000000000FF0000-0x0000000001085000-memory.dmp

Filesize
596KB

Download
memory/2868-4-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/2868-5-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download
memory/2868-6-0x0000000000730000-0x0000000000731000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads