12e82969250c0c4a7dee7e6b2a2b18c9d058c04e1c9f4a5867a1823dd8d17e93

Analysis

max time kernel
150s
max time network
137s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-02-2024 21:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
Size

45KB
MD5

acf331ae0b4b60ea5112e6aa7aa4f6e0
SHA1

22b0ebf85f05a724097285931c6dd929d422a24f
SHA256

12e82969250c0c4a7dee7e6b2a2b18c9d058c04e1c9f4a5867a1823dd8d17e93
SHA512

5cf636baabc92b01ebe448bd1e27a16397746f5c146ef4603ee19343b1154952053887ee392a370bbb59f959b6127ee38a446fa10926941403dac4ed4fbbfc16
SSDEEP

768:Y2fKyI7RZQsPbJ7I375f3Jh9DJZnBh6pXZYQCXfUfCwhWisKl4qR:Y2fKyI9J2LJ3Jh991P6pX+QCXfUfCwhR

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Runonce = "C:\\Windows\\system32\\runouce.exe"	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened (read-only)	\??\T:	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened (read-only)	\??\V:	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened (read-only)	\??\X:	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened (read-only)	\??\Z:	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened (read-only)	\??\E:	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened (read-only)	\??\I:	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened (read-only)	\??\L:	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened (read-only)	\??\Q:	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened (read-only)	\??\W:	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened (read-only)	\??\Y:	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened (read-only)	\??\J:	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened (read-only)	\??\K:	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened (read-only)	\??\M:	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened (read-only)	\??\P:	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened (read-only)	\??\R:	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened (read-only)	\??\S:	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened (read-only)	\??\G:	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened (read-only)	\??\N:	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened (read-only)	\??\O:	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened (read-only)	\??\U:	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\runouce.exe	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened for modification	C:\Windows\SysWOW64\runouce.exe	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\license.html	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\license.html	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File created	C:\Program Files\Java\jre7\readme.eml	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsFormTemplateRTL.html	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsMacroTemplate.html	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSACCESS.EXE	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\TECHTOOL.HTM	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\epl-v10.html	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\PINELUMB.HTM	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\readme.eml	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\readme.eml	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\license.html	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsColorChart.html	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\readme.eml	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\vlm_export.html	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsDoNotTrust.html	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\license.html	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ACCICONS.EXE	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsColorChart.html	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened for modification	C:\Program Files\Java\jre7\bin\orbd.exe	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\license.html	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened for modification	C:\Program Files\Mozilla Firefox\private_browsing.exe	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened for modification	C:\Program Files\SendStep.html	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsHomePage.html	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\license.html	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\about.html	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\readme.eml	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.exe	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsBlankPage.html	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\readme.eml	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.EXE	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\Mahjong.exe	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.EXE	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2476	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1500 wrote to memory of 2476	1500	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe	28
PID 1500 wrote to memory of 2476	1500	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe	28
PID 1500 wrote to memory of 2476	1500	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe	28
PID 1500 wrote to memory of 2476	1500	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe	28
PID 1500 wrote to memory of 1284	1500	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe	17
PID 1500 wrote to memory of 1284	1500	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe	17
PID 1500 wrote to memory of 1284	1500	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe	17
PID 1500 wrote to memory of 1284	1500	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe	17
PID 1500 wrote to memory of 1284	1500	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe	17
PID 1500 wrote to memory of 1284	1500	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe	17
PID 1500 wrote to memory of 1284	1500	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe	17
PID 1500 wrote to memory of 1284	1500	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe	17
PID 1500 wrote to memory of 1284	1500	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe	17
PID 1500 wrote to memory of 1284	1500	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe	17
PID 1500 wrote to memory of 1284	1500	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe	17
PID 1500 wrote to memory of 1284	1500	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe	17
PID 1500 wrote to memory of 1284	1500	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe	17
PID 1500 wrote to memory of 1284	1500	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe	17
PID 1500 wrote to memory of 1284	1500	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe	17
PID 1500 wrote to memory of 1284	1500	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe	17
PID 1500 wrote to memory of 1284	1500	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe	17
PID 1500 wrote to memory of 1284	1500	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe	17
PID 1500 wrote to memory of 1284	1500	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe	17
PID 1500 wrote to memory of 1284	1500	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe	17
PID 1500 wrote to memory of 1284	1500	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe	17
PID 1500 wrote to memory of 1284	1500	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe	17
PID 1500 wrote to memory of 1284	1500	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe	17
PID 1500 wrote to memory of 1284	1500	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe	17
PID 1500 wrote to memory of 1284	1500	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe	17
PID 1500 wrote to memory of 1284	1500	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe	17
PID 1500 wrote to memory of 1284	1500	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe	17
PID 1500 wrote to memory of 1284	1500	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe	17
PID 1500 wrote to memory of 1284	1500	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe	17
PID 1500 wrote to memory of 1284	1500	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe	17
PID 1500 wrote to memory of 1284	1500	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe	17
PID 1500 wrote to memory of 1284	1500	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe	17
PID 1500 wrote to memory of 1284	1500	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe	17
PID 1500 wrote to memory of 1284	1500	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe	17
PID 1500 wrote to memory of 1284	1500	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe	17
PID 1500 wrote to memory of 1284	1500	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe	17
PID 1500 wrote to memory of 1284	1500	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe	17
PID 1500 wrote to memory of 1284	1500	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe	17
PID 1500 wrote to memory of 1284	1500	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe	17
PID 1500 wrote to memory of 1284	1500	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe	17
PID 1500 wrote to memory of 1284	1500	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe	17
PID 1500 wrote to memory of 1284	1500	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe	17
PID 1500 wrote to memory of 1284	1500	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe	17
PID 1500 wrote to memory of 1284	1500	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe	17
PID 1500 wrote to memory of 1284	1500	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe	17
PID 1500 wrote to memory of 1284	1500	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe	17
PID 1500 wrote to memory of 1284	1500	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe	17
PID 1500 wrote to memory of 1284	1500	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe	17
PID 1500 wrote to memory of 1284	1500	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe	17
PID 1500 wrote to memory of 1284	1500	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe	17
PID 1500 wrote to memory of 1284	1500	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe	17
PID 1500 wrote to memory of 1284	1500	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe	17
PID 1500 wrote to memory of 1284	1500	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe	17
PID 1500 wrote to memory of 1284	1500	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe	17
PID 1500 wrote to memory of 1284	1500	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe	17
PID 1500 wrote to memory of 1284	1500	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe	17
PID 1500 wrote to memory of 1284	1500	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe	17
PID 1500 wrote to memory of 1284	1500	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe	17
PID 1500 wrote to memory of 1284	1500	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe	17
PID 1500 wrote to memory of 1284	1500	acf331ae0b4b60ea5112e6aa7aa4f6e0.exe	17

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1284
- C:\Users\Admin\AppData\Local\Temp\acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
  "C:\Users\Admin\AppData\Local\Temp\acf331ae0b4b60ea5112e6aa7aa4f6e0.exe"
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1500
- - C:\Users\Admin\AppData\Local\Temp\acf331ae0b4b60ea5112e6aa7aa4f6e0.exe
    "C:\Users\Admin\AppData\Local\Temp\acf331ae0b4b60ea5112e6aa7aa4f6e0.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\readme.eml

Filesize
14KB

MD5
ad4a8faa993f9e26bb4af0701958dae8

SHA1
af6f6b24d219ce98b11ab71eed6ccf294ebf3b6e

SHA256
11ce6e694a32bbf33da600fd00e978bcfc166b1046c26c78466fa46912706c79

SHA512
aa573fe8068c52356f7d650c52fb5765d6329f3634679932affb0728b1035f9bd9fa7fb6e473b5dfc9caf91baf14d2da3ccb0c354e2f45c8f071ff36ab960165

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
8156706568e77846b7bfbcc091c6ffeb

SHA1
792aa0db64f517520ee8f745bee71152532fe4d2

SHA256
5e19cfbd6690649d3349e585472385186d99f56a94dc32d9073b83011cea85f8

SHA512
8760f26069296f0fe09532f1244d93a57db4cafa8d06aaa9dc981bcaed4bde05366ef21e6f0c1aadad4478382b59a4e43d26c04185cf2ed965901321d05604b8

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
8KB

MD5
7757fe48a0974cb625e89012c92cc995

SHA1
e4684021f14053c3f9526070dc687ff125251162

SHA256
c0a8aa811a50c9b592c8f7987c016e178c732d7ebfd11aa985a8f0480539fa03

SHA512
b3d4838b59f525078542e7ebbf77300d6f94e13b0bff1c9a2c5b44a66b89310a2593815703f9571565c18b0cdeb84e9e48432208aaa25dff9d2223722902d526

Download Submit
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

Filesize
451KB

MD5
eb7fbdb146a31389d9b5fcff19412082

SHA1
92b133e36b04334e712a5f6b94ec8a857c344dfe

SHA256
1febda2dacea9fe8c5ffd51d822b0717d4081ec96f11477811cd7e6aba2cd3ae

SHA512
012b6095721dd41c8d19c29d0dfb1abd6c58a52d29b2465d29540ac7f5e24d229e75a2a657870e0cff4c3106d3e855b8c4bf0c7f608792fe4e8b48cc55ece41f

Download Submit
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

Filesize
640KB

MD5
ff0f24008d9536e2018ea0d97d2bc81a

SHA1
fc4a564ab2742092d630637f380f0e4faf9633fe

SHA256
ea0b6254ade8045979825b7a4d26534825f86c5cde614db1e52e962f3cfc1154

SHA512
fad27fe8cd0348afd4dd1b080b37a6927654d6f7fd3cd7ee4851bedd29cf05a345e717a6b4330e383603127d0e004a9f9d8aea1225c3385d67cfc14d46280610

Download Submit
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

Filesize
640KB

MD5
98927856e35be4e4227dfedb719b8d61

SHA1
a202fcdd0be9f245b98f1d8d8fc412b716f0ed17

SHA256
9a690248aa871a3be8c416bf2a80c69663243f4e494c856bb5f0c37604937952

SHA512
cd42e5fe1699540dc4a840ccf403fe246e10dc9ce9666a1c33c5160a776cf6ffc071c6bded5f0020f6a36a193695e957dd6aa2c7d3226459a2376f04af4c5b3a

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

Filesize
461KB

MD5
262f5fecaa4e8cd5d3d7758875ac65af

SHA1
bf39900a73193b5155b055b9b1a4e58a87a4a15d

SHA256
686b7e731d0f71a3615eb8619bbb0a846fe47f6bfc3d786ad5a8084379683b42

SHA512
a3222e065687dc8e680b3f267a94444c3536a72ca5af7677469d20f1d25560d1906a3a9abb181131b11ea25868b0ac1f6d3aa2ac23636c65b4f66128e0209c1d

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
451KB

MD5
34508e628434b9e3ae8af7690c084432

SHA1
227a90bc970067b00b9901d3f044292fb4ca6545

SHA256
cc4152de957f0e8c74d0b9391ee63584b38bb2977e607830cc25e65897a7f0e0

SHA512
23f14b674743c04e45e1aeb1f1d07e8038315ba10bb92a1913a653dfea4074aedd401e81a725905e7a1097669699052c26e463d014bdbc04c2ed4d8f51fbcd7e

Download Submit
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

Filesize
461KB

MD5
61913e8a77809078339587b247a50342

SHA1
f1467ba1f1636a337c3f751616f55fa48ba97cd0

SHA256
36077ee49cb6b6d66c67fb16491648b9e6b6a77b97481864ae12264ec0363574

SHA512
ac3ea0ea1a7467ab72cc67dc6a013ae4408408280592f75caf69003ccb985d2351cc85f5b3aa4c845b5a14e9d60ecc33d2ff4fcfc1317527c02d4d9c171187f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ose00000.exe

Filesize
152KB

MD5
6c5539caa022efeb93716001713d12d9

SHA1
cf00acc78821f74611dcef8cb1bb742d89c63b64

SHA256
9b21631c97acea57d0d88fa725b67222c7b56e4d4aa56f63be48a3714e65fd89

SHA512
96c759f216540bc88b9122c9fce8966b011954f370c1048ba818f44b8bd9bdcea9a553a792019e26a31b88f4ad41c401496911f329051cfb3610c1a92600189e

Download Submit
C:\Windows\SysWOW64\runouce.exe

Filesize
10KB

MD5
7c7ef93c451d3d289bbb88b6204f6443

SHA1
b9b29a21b4c36abdb53bad8811dcf1ab90e8c47b

SHA256
67418d99beb93317c0565e7d5024af0863f8b6dadfd639ecc517329a68885bc9

SHA512
295981c6e321b9d9416a258e844366145f5a9c9b5219092de2a5e615ce6a63f70e354869e65efef8e2c887b6133fc8e360698d8b27011fb58ebe45b67790137e

Download Submit
C:\vcredist2010_x86.log.html

Filesize
81KB

MD5
5ff48b840106c89dbb26d759660daaf2

SHA1
77f5162a4f1a76354e579447f91ad4b6fd5a3878

SHA256
f97e4620387385acc10c8a87256f6284fd09ff52e97b183b57af787220d7da3c

SHA512
15ec6dc2cef26e2ae77c39ef9995e4d7848c4f32aca0fa7fcc20e8c32b0104faa56f8d891b7d575ac1b35064dbfca2e8aa85bbc37f66323a895f2264ecee0b51

Download Submit
memory/1284-5-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download
memory/1284-4-0x00000000025D0000-0x00000000025D1000-memory.dmp

Filesize
4KB

Download
memory/1500-613-0x0000000001000000-0x000000000100E000-memory.dmp

Filesize
56KB

Download
memory/1500-614-0x0000000000200000-0x000000000020E000-memory.dmp

Filesize
56KB

Download
memory/1500-0-0x0000000001000000-0x000000000100E000-memory.dmp

Filesize
56KB

Download
memory/1500-1-0x0000000000200000-0x000000000020E000-memory.dmp

Filesize
56KB

Download
memory/2476-6-0x0000000001000000-0x000000000100E000-memory.dmp

Filesize
56KB

Download
memory/2476-2-0x0000000001000000-0x000000000100E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads