774f38175a1491139e9e81f84633367b001e85c884b515b8dc15641964dbbd38

Analysis

max time kernel
120s
max time network
119s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
25/07/2024, 19:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ef8835c64eb52cc812c5d4b8630e7050N.exe
Size

361KB
MD5

ef8835c64eb52cc812c5d4b8630e7050
SHA1

1e686d9e22dc2eed8ce296665b4c1cdf725d71eb
SHA256

774f38175a1491139e9e81f84633367b001e85c884b515b8dc15641964dbbd38
SHA512

438fb6c562e354e845c56ea8fec089f17ac87ef6a1c6b17346f74e95a8f3617a06a9b9aee2c4731d6f338c1fc31d25b4f7e16244d7ec3fa5b757c8b2438fb590
SSDEEP

3072:yog5Cck/aZhuDX4dCZFttttttxxFXXWKnn:yGckyhCXbFttttttxxFXXD

Score

7^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1700-0-0x0000000000400000-0x0000000000482000-memory.dmp	upx
behavioral1/memory/1704-1-0x0000000000400000-0x0000000000482000-memory.dmp	upx
behavioral1/memory/1704-428-0x0000000000400000-0x0000000000482000-memory.dmp	upx
behavioral1/memory/1700-471-0x0000000000400000-0x0000000000482000-memory.dmp	upx
behavioral1/memory/1700-784-0x0000000000400000-0x0000000000482000-memory.dmp	upx
behavioral1/memory/1700-785-0x0000000000400000-0x0000000000482000-memory.dmp	upx
behavioral1/memory/1700-959-0x0000000000400000-0x0000000000482000-memory.dmp	upx
behavioral1/memory/1700-1012-0x0000000000400000-0x0000000000482000-memory.dmp	upx
behavioral1/memory/1700-1013-0x0000000000400000-0x0000000000482000-memory.dmp	upx
behavioral1/memory/1700-1014-0x0000000000400000-0x0000000000482000-memory.dmp	upx
behavioral1/memory/1700-1016-0x0000000000400000-0x0000000000482000-memory.dmp	upx
behavioral1/memory/1700-1026-0x0000000000400000-0x0000000000482000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Runonce = "C:\\Windows\\system32\\runouce.exe"	ef8835c64eb52cc812c5d4b8630e7050N.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened (read-only)	\??\W:	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened (read-only)	\??\Z:	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened (read-only)	\??\E:	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened (read-only)	\??\J:	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened (read-only)	\??\N:	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened (read-only)	\??\L:	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened (read-only)	\??\X:	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened (read-only)	\??\Y:	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened (read-only)	\??\O:	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened (read-only)	\??\P:	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened (read-only)	\??\Q:	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened (read-only)	\??\U:	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened (read-only)	\??\H:	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened (read-only)	\??\K:	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened (read-only)	\??\M:	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened (read-only)	\??\T:	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened (read-only)	\??\V:	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened (read-only)	\??\G:	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened (read-only)	\??\I:	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened (read-only)	\??\R:	ef8835c64eb52cc812c5d4b8630e7050N.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\runouce.exe	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened for modification	C:\Windows\SysWOW64\runouce.exe	ef8835c64eb52cc812c5d4b8630e7050N.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	ef8835c64eb52cc812c5d4b8630e7050N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\readme.eml	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\epl-v10.html	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsDoNotTrust.html	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OIS.EXE	ef8835c64eb52cc812c5d4b8630e7050N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\readme.eml	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsBrowserUpgrade.html	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsBlankPage.html	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsImageTemplate.html	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsVersion1Warning.htm	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsBlankPage.html	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\NOTEBOOK.HTM	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\RELEASE-NOTES.html	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\about.html	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\README-JDK.html	ef8835c64eb52cc812c5d4b8630e7050N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\readme.eml	ef8835c64eb52cc812c5d4b8630e7050N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\html\readme.eml	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\view.html	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsColorChart.html	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	ef8835c64eb52cc812c5d4b8630e7050N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\readme.eml	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\PurblePlace.exe	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\about.html	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\Mahjong.exe	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\epl-v10.html	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOUC.EXE	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\license.html	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\README.HTM	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Orange Circles.htm	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\readme.eml	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVEMN.EXE	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\OFFISUPP.HTM	ef8835c64eb52cc812c5d4b8630e7050N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\PINELUMB.HTM	ef8835c64eb52cc812c5d4b8630e7050N.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ef8835c64eb52cc812c5d4b8630e7050N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ef8835c64eb52cc812c5d4b8630e7050N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 1704	1700	ef8835c64eb52cc812c5d4b8630e7050N.exe	30
PID 1700 wrote to memory of 1704	1700	ef8835c64eb52cc812c5d4b8630e7050N.exe	30
PID 1700 wrote to memory of 1704	1700	ef8835c64eb52cc812c5d4b8630e7050N.exe	30
PID 1700 wrote to memory of 1704	1700	ef8835c64eb52cc812c5d4b8630e7050N.exe	30
PID 1700 wrote to memory of 1204	1700	ef8835c64eb52cc812c5d4b8630e7050N.exe	21
PID 1700 wrote to memory of 1204	1700	ef8835c64eb52cc812c5d4b8630e7050N.exe	21
PID 1700 wrote to memory of 1204	1700	ef8835c64eb52cc812c5d4b8630e7050N.exe	21
PID 1700 wrote to memory of 1204	1700	ef8835c64eb52cc812c5d4b8630e7050N.exe	21
PID 1700 wrote to memory of 1204	1700	ef8835c64eb52cc812c5d4b8630e7050N.exe	21
PID 1700 wrote to memory of 1204	1700	ef8835c64eb52cc812c5d4b8630e7050N.exe	21
PID 1700 wrote to memory of 1204	1700	ef8835c64eb52cc812c5d4b8630e7050N.exe	21
PID 1700 wrote to memory of 1204	1700	ef8835c64eb52cc812c5d4b8630e7050N.exe	21
PID 1700 wrote to memory of 1204	1700	ef8835c64eb52cc812c5d4b8630e7050N.exe	21
PID 1700 wrote to memory of 1204	1700	ef8835c64eb52cc812c5d4b8630e7050N.exe	21
PID 1700 wrote to memory of 1204	1700	ef8835c64eb52cc812c5d4b8630e7050N.exe	21
PID 1700 wrote to memory of 1204	1700	ef8835c64eb52cc812c5d4b8630e7050N.exe	21
PID 1700 wrote to memory of 1204	1700	ef8835c64eb52cc812c5d4b8630e7050N.exe	21
PID 1700 wrote to memory of 1204	1700	ef8835c64eb52cc812c5d4b8630e7050N.exe	21
PID 1700 wrote to memory of 1204	1700	ef8835c64eb52cc812c5d4b8630e7050N.exe	21
PID 1700 wrote to memory of 1204	1700	ef8835c64eb52cc812c5d4b8630e7050N.exe	21
PID 1700 wrote to memory of 1204	1700	ef8835c64eb52cc812c5d4b8630e7050N.exe	21
PID 1700 wrote to memory of 1204	1700	ef8835c64eb52cc812c5d4b8630e7050N.exe	21
PID 1700 wrote to memory of 1204	1700	ef8835c64eb52cc812c5d4b8630e7050N.exe	21
PID 1700 wrote to memory of 1204	1700	ef8835c64eb52cc812c5d4b8630e7050N.exe	21
PID 1700 wrote to memory of 1204	1700	ef8835c64eb52cc812c5d4b8630e7050N.exe	21
PID 1700 wrote to memory of 1204	1700	ef8835c64eb52cc812c5d4b8630e7050N.exe	21
PID 1700 wrote to memory of 1204	1700	ef8835c64eb52cc812c5d4b8630e7050N.exe	21
PID 1700 wrote to memory of 1204	1700	ef8835c64eb52cc812c5d4b8630e7050N.exe	21
PID 1700 wrote to memory of 1204	1700	ef8835c64eb52cc812c5d4b8630e7050N.exe	21
PID 1700 wrote to memory of 1204	1700	ef8835c64eb52cc812c5d4b8630e7050N.exe	21
PID 1700 wrote to memory of 1204	1700	ef8835c64eb52cc812c5d4b8630e7050N.exe	21
PID 1700 wrote to memory of 1204	1700	ef8835c64eb52cc812c5d4b8630e7050N.exe	21
PID 1700 wrote to memory of 1204	1700	ef8835c64eb52cc812c5d4b8630e7050N.exe	21
PID 1700 wrote to memory of 1204	1700	ef8835c64eb52cc812c5d4b8630e7050N.exe	21
PID 1700 wrote to memory of 1204	1700	ef8835c64eb52cc812c5d4b8630e7050N.exe	21
PID 1700 wrote to memory of 1204	1700	ef8835c64eb52cc812c5d4b8630e7050N.exe	21
PID 1700 wrote to memory of 1204	1700	ef8835c64eb52cc812c5d4b8630e7050N.exe	21
PID 1700 wrote to memory of 1204	1700	ef8835c64eb52cc812c5d4b8630e7050N.exe	21
PID 1700 wrote to memory of 1204	1700	ef8835c64eb52cc812c5d4b8630e7050N.exe	21
PID 1700 wrote to memory of 1204	1700	ef8835c64eb52cc812c5d4b8630e7050N.exe	21
PID 1700 wrote to memory of 1204	1700	ef8835c64eb52cc812c5d4b8630e7050N.exe	21
PID 1700 wrote to memory of 1204	1700	ef8835c64eb52cc812c5d4b8630e7050N.exe	21
PID 1700 wrote to memory of 1204	1700	ef8835c64eb52cc812c5d4b8630e7050N.exe	21
PID 1700 wrote to memory of 1204	1700	ef8835c64eb52cc812c5d4b8630e7050N.exe	21
PID 1700 wrote to memory of 1204	1700	ef8835c64eb52cc812c5d4b8630e7050N.exe	21
PID 1700 wrote to memory of 1204	1700	ef8835c64eb52cc812c5d4b8630e7050N.exe	21
PID 1700 wrote to memory of 1204	1700	ef8835c64eb52cc812c5d4b8630e7050N.exe	21
PID 1700 wrote to memory of 1204	1700	ef8835c64eb52cc812c5d4b8630e7050N.exe	21
PID 1700 wrote to memory of 1204	1700	ef8835c64eb52cc812c5d4b8630e7050N.exe	21
PID 1700 wrote to memory of 1204	1700	ef8835c64eb52cc812c5d4b8630e7050N.exe	21
PID 1700 wrote to memory of 1204	1700	ef8835c64eb52cc812c5d4b8630e7050N.exe	21
PID 1700 wrote to memory of 1204	1700	ef8835c64eb52cc812c5d4b8630e7050N.exe	21
PID 1700 wrote to memory of 1204	1700	ef8835c64eb52cc812c5d4b8630e7050N.exe	21
PID 1700 wrote to memory of 1204	1700	ef8835c64eb52cc812c5d4b8630e7050N.exe	21
PID 1700 wrote to memory of 1204	1700	ef8835c64eb52cc812c5d4b8630e7050N.exe	21
PID 1700 wrote to memory of 1204	1700	ef8835c64eb52cc812c5d4b8630e7050N.exe	21
PID 1700 wrote to memory of 1204	1700	ef8835c64eb52cc812c5d4b8630e7050N.exe	21
PID 1700 wrote to memory of 1204	1700	ef8835c64eb52cc812c5d4b8630e7050N.exe	21
PID 1700 wrote to memory of 1204	1700	ef8835c64eb52cc812c5d4b8630e7050N.exe	21
PID 1700 wrote to memory of 1204	1700	ef8835c64eb52cc812c5d4b8630e7050N.exe	21
PID 1700 wrote to memory of 1204	1700	ef8835c64eb52cc812c5d4b8630e7050N.exe	21
PID 1700 wrote to memory of 1204	1700	ef8835c64eb52cc812c5d4b8630e7050N.exe	21
PID 1700 wrote to memory of 1204	1700	ef8835c64eb52cc812c5d4b8630e7050N.exe	21
PID 1700 wrote to memory of 1204	1700	ef8835c64eb52cc812c5d4b8630e7050N.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Users\Admin\AppData\Local\Temp\ef8835c64eb52cc812c5d4b8630e7050N.exe
  "C:\Users\Admin\AppData\Local\Temp\ef8835c64eb52cc812c5d4b8630e7050N.exe"
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1700
- - C:\Users\Admin\AppData\Local\Temp\ef8835c64eb52cc812c5d4b8630e7050N.exe
    "C:\Users\Admin\AppData\Local\Temp\ef8835c64eb52cc812c5d4b8630e7050N.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\readme.eml

Filesize
14KB

MD5
21fa8d2831a40be403abc9813534cd81

SHA1
195070010ad5bb7720e5ff9d47072cc2b4c0fc35

SHA256
94a274db4d159ee9209481774f77ca503da3bccb375ca7061448b42e772126e1

SHA512
6ee24dbf6a639b06377a4f66ad3ffaa5ac60f8ebe76d205174df986485fa42df2a08d7b19916fde76d65533917f9b4892288ee385a6f315012c023f854719892

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
8156706568e77846b7bfbcc091c6ffeb

SHA1
792aa0db64f517520ee8f745bee71152532fe4d2

SHA256
5e19cfbd6690649d3349e585472385186d99f56a94dc32d9073b83011cea85f8

SHA512
8760f26069296f0fe09532f1244d93a57db4cafa8d06aaa9dc981bcaed4bde05366ef21e6f0c1aadad4478382b59a4e43d26c04185cf2ed965901321d05604b8

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
8KB

MD5
7757fe48a0974cb625e89012c92cc995

SHA1
e4684021f14053c3f9526070dc687ff125251162

SHA256
c0a8aa811a50c9b592c8f7987c016e178c732d7ebfd11aa985a8f0480539fa03

SHA512
b3d4838b59f525078542e7ebbf77300d6f94e13b0bff1c9a2c5b44a66b89310a2593815703f9571565c18b0cdeb84e9e48432208aaa25dff9d2223722902d526

Download Submit
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

Filesize
451KB

MD5
6cd9052cec8f1731ba3d3ec43f4518c6

SHA1
11c64f2d68129ece6ffb1747a874c6b915b61231

SHA256
33bab55ec4a91e8cb77d885e329c240ff28a4ee2978099ce7f8493068aeac4fe

SHA512
7011a24e9727c94dcacebde1121d7c39c009b92ec686257c1b5d3e8076eafdc679d89c14428ab1ef774ccc44dbaae433edc7374a4c6d4867f13cad4b38f4e4ab

Download Submit
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

Filesize
640KB

MD5
175c91493cb17146336478586f4bf995

SHA1
cf2c17b8e96a1e32a25275be1f2868fe6995d92d

SHA256
b3d7db31f80b2e52e81270a9b537d91b2bb273887787570722f43e390814ee0e

SHA512
87acaef99bad42e193dfcf167a589338f5dc70e07d1752e539500cc363afdbcca93aa28954d5f0a6da0ca656b726c4128d36dde0c61dc53c1e4999f0045b3e7e

Download Submit
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

Filesize
640KB

MD5
67664a55cdd485533eba67d2d6d67324

SHA1
de57fd5cfd9226864f1d4247d6a06ad40d2b5d48

SHA256
3e749f727d57628dff58c9a970f960f81713d61c85feea01f37ec5ecd9e73ba3

SHA512
01c4aa549b36179e5b8c93f8324d0b999ccd29c95c1669d2aa80f2aa9a241d62f33d359e7ecd5b78016f5ea771e7756a619b2d125f8d3b89a04e40c684811677

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

Filesize
461KB

MD5
0681b8155e685a865b89420c79a3a114

SHA1
e74bf06f208977bbde4ea3be87ce003340a21ee2

SHA256
31e1575d257b8138546930f09354b7e5ca4fabcdffb1f6c4d0d21d52cd7c1335

SHA512
e44fbc4fadbe58e1f87d94519e779035e8abf9c9c6d84e68b42d9fe0e56359585c8631204f2e2e69244793a0f9a78b29cc1e72d7f5c2a741fce8f00d7cb017f6

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
451KB

MD5
9619f5ca614daf4327567fd60b7c190b

SHA1
6322a5aafab863a7358ae6a1efb71e0fb062976c

SHA256
0b5d51d0a3b9d23f6ae7bf56b833aab9da77de2154d763cf96e8ef1f61a4f9d3

SHA512
f42aa5a64797f94fcb8789304a77987791dc3f17b1b12c0c7818882fabfc01b9f803ab229caf18c082495b759b51f81132dafaf527734ddcf015e4e907af5472

Download Submit
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

Filesize
461KB

MD5
ae265608d44067d66aa5ba1d8dba0cc1

SHA1
74a4c9eee0fee0d52805a8b39af2c48a67568d98

SHA256
d995f2ad04c134633978fff2b2f3c798b30e4ae213442ab9a1d958263f39592e

SHA512
4f1545927c96f0112f851dbd78a85a7c52c9a11c48155f88642d4f02cf5d4f4969c4449a70755ae42a77793f4fcbbb7a5d4eb1e52ccae1c5838ac59abe49e2b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ose00000.exe

Filesize
152KB

MD5
34b0095fdc1b9f703c8d9d9546a4a550

SHA1
698da698ee51efd298dcb14aebddba8691202d84

SHA256
9bcae4da57afe7644ed613efb17799c8d2005c0f979507c5fcbb96687f805d21

SHA512
51666995c9cf2ddcb071445bc280e07db9304ef5ada68aecb583a92433aa8ef863b1dcaae7476080756ea5721d22a1f264baa3a7918ede5f5a5f0b94cac397ae

Download Submit
C:\Windows\SysWOW64\runouce.exe

Filesize
10KB

MD5
70cf3cd31050cdfc79109619b281c273

SHA1
2f229b5aa528809332f2a96edd6abdddf069ef29

SHA256
858944bfb3b2b25c07c0cec063d962281853d4af272cc9ae3f721a8bd287700f

SHA512
757fa81ad44def04514ae00c621e9e296de385da41028e3fcade28e6e31ce585f43fe17ad241ad8aa2cdd18af8edff00da1d482e947e76a8f23e7101acf780a2

Download Submit
C:\vcredist2010_x86.log.html

Filesize
81KB

MD5
f1efd834ea0e04572dce9148fb93f9f4

SHA1
387dfc78ed6a2f5c19babbcace5891024eb2a733

SHA256
74c2908d0b59aa5a1499b2d27e6df3de8d634fd993a539794af29807fabc20d0

SHA512
8fb5e9cbd81e8547566ff455e460cd83cb60729c9e4426617fbb7f4e9fe2edcf5a78e4b8ff910fc0d4b3751e416f5fd1f34634b0d5140966fe2b52b37525cdc6

Download Submit
memory/1204-4-0x0000000002DB0000-0x0000000002DB1000-memory.dmp

Filesize
4KB

Download
memory/1204-3-0x0000000002DB0000-0x0000000002DB1000-memory.dmp

Filesize
4KB

Download
memory/1700-1012-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1700-959-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1700-884-0x0000000000260000-0x00000000002E2000-memory.dmp

Filesize
520KB

Download
memory/1700-0-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1700-785-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1700-784-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1700-471-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1700-1013-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1700-1014-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1700-1016-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1700-1026-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1704-1-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1704-428-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads