04d1833103cef3f1b0a062edfcd3777bc9dfff4f228b5135bf62cea73fe96113

Analysis

max time kernel
120s
max time network
79s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
26-07-2024 03:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66b1b87fb27cdc2bce4dd9162a40d170N.exe
Size

361KB
MD5

66b1b87fb27cdc2bce4dd9162a40d170
SHA1

fa9089fe5bda943bf86b6e61e8a953b25445a761
SHA256

04d1833103cef3f1b0a062edfcd3777bc9dfff4f228b5135bf62cea73fe96113
SHA512

dec3d5ebd86773dc51fb856c2c4d9811f5ca16beccc9c4b4a2cb2b055980ae35a79a24cfc7d1adbbe6858b9c66d55190eddc4f5c5432a63ec0fa31ccbf138629
SSDEEP

3072:Aog5Cck/aZhuDX4dCZFttttttxxFXXWt6n:AGckyhCXbFttttttxxFXXV

Score

7^/10

discovery persistence spyware stealer upx

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2236-0-0x0000000000400000-0x0000000000482000-memory.dmp	upx
behavioral1/memory/2236-1-0x0000000000230000-0x00000000002B2000-memory.dmp	upx
behavioral1/memory/1928-428-0x0000000000400000-0x0000000000482000-memory.dmp	upx
behavioral1/memory/2236-477-0x0000000000400000-0x0000000000482000-memory.dmp	upx
behavioral1/memory/2236-654-0x0000000000400000-0x0000000000482000-memory.dmp	upx
behavioral1/memory/2236-743-0x0000000000400000-0x0000000000482000-memory.dmp	upx
behavioral1/memory/2236-965-0x0000000000400000-0x0000000000482000-memory.dmp	upx
behavioral1/memory/2236-1022-0x0000000000400000-0x0000000000482000-memory.dmp	upx
behavioral1/memory/2236-1023-0x0000000000400000-0x0000000000482000-memory.dmp	upx
behavioral1/memory/2236-1024-0x0000000000400000-0x0000000000482000-memory.dmp	upx
behavioral1/memory/2236-1026-0x0000000000400000-0x0000000000482000-memory.dmp	upx
behavioral1/memory/2236-1034-0x0000000000400000-0x0000000000482000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Runonce = "C:\\Windows\\system32\\runouce.exe"	66b1b87fb27cdc2bce4dd9162a40d170N.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened (read-only)	\??\P:	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened (read-only)	\??\S:	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened (read-only)	\??\Z:	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened (read-only)	\??\E:	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened (read-only)	\??\G:	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened (read-only)	\??\J:	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened (read-only)	\??\Q:	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened (read-only)	\??\T:	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened (read-only)	\??\W:	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened (read-only)	\??\H:	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened (read-only)	\??\K:	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened (read-only)	\??\L:	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened (read-only)	\??\V:	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened (read-only)	\??\X:	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened (read-only)	\??\I:	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened (read-only)	\??\M:	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened (read-only)	\??\O:	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened (read-only)	\??\R:	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened (read-only)	\??\U:	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened (read-only)	\??\Y:	66b1b87fb27cdc2bce4dd9162a40d170N.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\runouce.exe	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened for modification	C:\Windows\SysWOW64\runouce.exe	66b1b87fb27cdc2bce4dd9162a40d170N.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Bears.htm	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\Hearts.exe	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsVersion1Warning.htm	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\CURRENCY.HTM	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\readme.eml	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Stars.htm	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsBrowserUpgrade.html	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSQRY32.EXE	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPrintTemplateRTL.html	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\epl-v10.html	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\preface.htm	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\README-JDK.html	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\readme.eml	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\readme.eml	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewTemplate.html	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\Welcome.html	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\epl-v10.html	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsDoNotTrust.html	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\TECHTOOL.HTM	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\readme.eml	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\vlm.html	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\NAMECONTROLSERVER.EXE	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\db\readme.eml	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\about.html	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\license.html	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\readme.eml	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Hand Prints.htm	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaw.exe	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\mobile.html	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\JUDGESCH.HTM	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\1033\MCABOUT.HTM	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Roses.htm	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Peacock.htm	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	66b1b87fb27cdc2bce4dd9162a40d170N.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	66b1b87fb27cdc2bce4dd9162a40d170N.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66b1b87fb27cdc2bce4dd9162a40d170N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	66b1b87fb27cdc2bce4dd9162a40d170N.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 1928	2236	66b1b87fb27cdc2bce4dd9162a40d170N.exe	28
PID 2236 wrote to memory of 1928	2236	66b1b87fb27cdc2bce4dd9162a40d170N.exe	28
PID 2236 wrote to memory of 1928	2236	66b1b87fb27cdc2bce4dd9162a40d170N.exe	28
PID 2236 wrote to memory of 1928	2236	66b1b87fb27cdc2bce4dd9162a40d170N.exe	28
PID 2236 wrote to memory of 1212	2236	66b1b87fb27cdc2bce4dd9162a40d170N.exe	21
PID 2236 wrote to memory of 1212	2236	66b1b87fb27cdc2bce4dd9162a40d170N.exe	21
PID 2236 wrote to memory of 1212	2236	66b1b87fb27cdc2bce4dd9162a40d170N.exe	21
PID 2236 wrote to memory of 1212	2236	66b1b87fb27cdc2bce4dd9162a40d170N.exe	21
PID 2236 wrote to memory of 1212	2236	66b1b87fb27cdc2bce4dd9162a40d170N.exe	21
PID 2236 wrote to memory of 1212	2236	66b1b87fb27cdc2bce4dd9162a40d170N.exe	21
PID 2236 wrote to memory of 1212	2236	66b1b87fb27cdc2bce4dd9162a40d170N.exe	21
PID 2236 wrote to memory of 1212	2236	66b1b87fb27cdc2bce4dd9162a40d170N.exe	21
PID 2236 wrote to memory of 1212	2236	66b1b87fb27cdc2bce4dd9162a40d170N.exe	21
PID 2236 wrote to memory of 1212	2236	66b1b87fb27cdc2bce4dd9162a40d170N.exe	21
PID 2236 wrote to memory of 1212	2236	66b1b87fb27cdc2bce4dd9162a40d170N.exe	21
PID 2236 wrote to memory of 1212	2236	66b1b87fb27cdc2bce4dd9162a40d170N.exe	21
PID 2236 wrote to memory of 1212	2236	66b1b87fb27cdc2bce4dd9162a40d170N.exe	21
PID 2236 wrote to memory of 1212	2236	66b1b87fb27cdc2bce4dd9162a40d170N.exe	21
PID 2236 wrote to memory of 1212	2236	66b1b87fb27cdc2bce4dd9162a40d170N.exe	21
PID 2236 wrote to memory of 1212	2236	66b1b87fb27cdc2bce4dd9162a40d170N.exe	21
PID 2236 wrote to memory of 1212	2236	66b1b87fb27cdc2bce4dd9162a40d170N.exe	21
PID 2236 wrote to memory of 1212	2236	66b1b87fb27cdc2bce4dd9162a40d170N.exe	21
PID 2236 wrote to memory of 1212	2236	66b1b87fb27cdc2bce4dd9162a40d170N.exe	21
PID 2236 wrote to memory of 1212	2236	66b1b87fb27cdc2bce4dd9162a40d170N.exe	21
PID 2236 wrote to memory of 1212	2236	66b1b87fb27cdc2bce4dd9162a40d170N.exe	21
PID 2236 wrote to memory of 1212	2236	66b1b87fb27cdc2bce4dd9162a40d170N.exe	21
PID 2236 wrote to memory of 1212	2236	66b1b87fb27cdc2bce4dd9162a40d170N.exe	21
PID 2236 wrote to memory of 1212	2236	66b1b87fb27cdc2bce4dd9162a40d170N.exe	21
PID 2236 wrote to memory of 1212	2236	66b1b87fb27cdc2bce4dd9162a40d170N.exe	21
PID 2236 wrote to memory of 1212	2236	66b1b87fb27cdc2bce4dd9162a40d170N.exe	21
PID 2236 wrote to memory of 1212	2236	66b1b87fb27cdc2bce4dd9162a40d170N.exe	21
PID 2236 wrote to memory of 1212	2236	66b1b87fb27cdc2bce4dd9162a40d170N.exe	21
PID 2236 wrote to memory of 1212	2236	66b1b87fb27cdc2bce4dd9162a40d170N.exe	21
PID 2236 wrote to memory of 1212	2236	66b1b87fb27cdc2bce4dd9162a40d170N.exe	21
PID 2236 wrote to memory of 1212	2236	66b1b87fb27cdc2bce4dd9162a40d170N.exe	21
PID 2236 wrote to memory of 1212	2236	66b1b87fb27cdc2bce4dd9162a40d170N.exe	21
PID 2236 wrote to memory of 1212	2236	66b1b87fb27cdc2bce4dd9162a40d170N.exe	21
PID 2236 wrote to memory of 1212	2236	66b1b87fb27cdc2bce4dd9162a40d170N.exe	21
PID 2236 wrote to memory of 1212	2236	66b1b87fb27cdc2bce4dd9162a40d170N.exe	21
PID 2236 wrote to memory of 1212	2236	66b1b87fb27cdc2bce4dd9162a40d170N.exe	21
PID 2236 wrote to memory of 1212	2236	66b1b87fb27cdc2bce4dd9162a40d170N.exe	21
PID 2236 wrote to memory of 1212	2236	66b1b87fb27cdc2bce4dd9162a40d170N.exe	21
PID 2236 wrote to memory of 1212	2236	66b1b87fb27cdc2bce4dd9162a40d170N.exe	21
PID 2236 wrote to memory of 1212	2236	66b1b87fb27cdc2bce4dd9162a40d170N.exe	21
PID 2236 wrote to memory of 1212	2236	66b1b87fb27cdc2bce4dd9162a40d170N.exe	21
PID 2236 wrote to memory of 1212	2236	66b1b87fb27cdc2bce4dd9162a40d170N.exe	21
PID 2236 wrote to memory of 1212	2236	66b1b87fb27cdc2bce4dd9162a40d170N.exe	21
PID 2236 wrote to memory of 1212	2236	66b1b87fb27cdc2bce4dd9162a40d170N.exe	21
PID 2236 wrote to memory of 1212	2236	66b1b87fb27cdc2bce4dd9162a40d170N.exe	21
PID 2236 wrote to memory of 1212	2236	66b1b87fb27cdc2bce4dd9162a40d170N.exe	21
PID 2236 wrote to memory of 1212	2236	66b1b87fb27cdc2bce4dd9162a40d170N.exe	21
PID 2236 wrote to memory of 1212	2236	66b1b87fb27cdc2bce4dd9162a40d170N.exe	21
PID 2236 wrote to memory of 1212	2236	66b1b87fb27cdc2bce4dd9162a40d170N.exe	21
PID 2236 wrote to memory of 1212	2236	66b1b87fb27cdc2bce4dd9162a40d170N.exe	21
PID 2236 wrote to memory of 1212	2236	66b1b87fb27cdc2bce4dd9162a40d170N.exe	21
PID 2236 wrote to memory of 1212	2236	66b1b87fb27cdc2bce4dd9162a40d170N.exe	21
PID 2236 wrote to memory of 1212	2236	66b1b87fb27cdc2bce4dd9162a40d170N.exe	21
PID 2236 wrote to memory of 1212	2236	66b1b87fb27cdc2bce4dd9162a40d170N.exe	21
PID 2236 wrote to memory of 1212	2236	66b1b87fb27cdc2bce4dd9162a40d170N.exe	21
PID 2236 wrote to memory of 1212	2236	66b1b87fb27cdc2bce4dd9162a40d170N.exe	21
PID 2236 wrote to memory of 1212	2236	66b1b87fb27cdc2bce4dd9162a40d170N.exe	21
PID 2236 wrote to memory of 1212	2236	66b1b87fb27cdc2bce4dd9162a40d170N.exe	21
PID 2236 wrote to memory of 1212	2236	66b1b87fb27cdc2bce4dd9162a40d170N.exe	21
PID 2236 wrote to memory of 1212	2236	66b1b87fb27cdc2bce4dd9162a40d170N.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1212
- C:\Users\Admin\AppData\Local\Temp\66b1b87fb27cdc2bce4dd9162a40d170N.exe
  "C:\Users\Admin\AppData\Local\Temp\66b1b87fb27cdc2bce4dd9162a40d170N.exe"
  2⤵
  - Adds Run key to start application
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Users\Admin\AppData\Local\Temp\66b1b87fb27cdc2bce4dd9162a40d170N.exe
    "C:\Users\Admin\AppData\Local\Temp\66b1b87fb27cdc2bce4dd9162a40d170N.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\readme.eml

Filesize
14KB

MD5
52c54fce080d830dbc2128718bc62f31

SHA1
c3f0a85af3eb702bad4345a41f4875fd2c27aa26

SHA256
63d7704a850681d83fd9daba03864bf42f6783607102806572a7a6214b2c4bbc

SHA512
74773cb179f98a0b6ba51ceeaccc435298f3ca562fa04b0ac0af02d99e84924e04b840a791599fd9f20bf9a6fb17a77d34c89122be7769a1cddb24f36a1fd856

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
8156706568e77846b7bfbcc091c6ffeb

SHA1
792aa0db64f517520ee8f745bee71152532fe4d2

SHA256
5e19cfbd6690649d3349e585472385186d99f56a94dc32d9073b83011cea85f8

SHA512
8760f26069296f0fe09532f1244d93a57db4cafa8d06aaa9dc981bcaed4bde05366ef21e6f0c1aadad4478382b59a4e43d26c04185cf2ed965901321d05604b8

Download Submit
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
8KB

MD5
7757fe48a0974cb625e89012c92cc995

SHA1
e4684021f14053c3f9526070dc687ff125251162

SHA256
c0a8aa811a50c9b592c8f7987c016e178c732d7ebfd11aa985a8f0480539fa03

SHA512
b3d4838b59f525078542e7ebbf77300d6f94e13b0bff1c9a2c5b44a66b89310a2593815703f9571565c18b0cdeb84e9e48432208aaa25dff9d2223722902d526

Download Submit
C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\vcredist_x86.exe

Filesize
451KB

MD5
f118d3f99424b98063777998825ea37c

SHA1
d79cf4b00671090ba0296959f19d0de93d260551

SHA256
e340e0aef32c835a3d92801b781a9e500ae6d5d5308f03e8edd619a8ae29161c

SHA512
70c20a47b95ef2c0da5f388dd03b6be649426ca0c6c756aab31c89cde42757b441049f7f535a408d0914225cfdcf70ee3d8a4991b53e2182fb93e8808559afb7

Download Submit
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe

Filesize
640KB

MD5
6f201fce51f59a1f06ad6cc879ec3650

SHA1
39af340e848e076cdb58dd71dee1c2f28a450335

SHA256
1cc78eec0ddf8a50509b7d455dd9fdfefed36987efab6b8d3ea1a4047beee381

SHA512
ff5f894b59c76bb137d0d1babd63003416b99aab45c143309e235c3cabb5dd0e663f7c1867ec2766aae8eef9a610fde913f87e5efa31fb0da926084b23d4f53d

Download Submit
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe

Filesize
640KB

MD5
ca1728b56c7e6f2d77191a8e0912b2a0

SHA1
2b23c3f5a2c16c3186d5d1c44444dc5c6bd04332

SHA256
5ecfc561c93f404c261db9914d52bf5d9db325fb1c35b3cb50be02024cbd9b89

SHA512
fd34c805cea92b18b59acf7e49b7010fc6de01c06ca78841b66f776654d37bbd85e4ecdcda45369b9c2a37f8a34ebee0fd911720c68b43f31fa56c9bd30be3d9

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

Filesize
461KB

MD5
51c9058bb05c2d31fb370692b9b70ce4

SHA1
cbee2759d0ce56b3fa8bd6f61cf73d7cfabb0a4b

SHA256
39662e0528e2a97e0dc14757a46dc2798cee6cd22445b28efc3297c6d32c12d5

SHA512
e748329147b27970acbaa6f17397c0e76071869e152e81fe71a3a2b4f9ccc0adfefed76b8f9bdd7d6f4d9d786caa79d416d4538c25b66f8d417baa94eed3e20a

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
451KB

MD5
19b6fa5f186c790ae970fed575e319ca

SHA1
2986b9b5fe8f24b5c5754774dee2f0189a14f5e0

SHA256
e83a542148440c644dab2e6e4fc50a4640b635e6f7b0a55c42f0b4eb48f077d3

SHA512
df3bffef1fb6dee5d8ef28c32de3da8f8badfb516155be759dba7cfb89b7603e6bc110dff1b5d07b8485a702cbc03fbed6b2dd945a4e52ac66690c5a4758bd2a

Download Submit
C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe

Filesize
461KB

MD5
4965bd396142b6d5fd647e94c4299a53

SHA1
a72e888455da5cbf9a61492a8ad6e3860b254530

SHA256
5a33b58a1df4d7b3afc904f72141140c9ccd2835098b3a5907148687413134a7

SHA512
3ec1cef0d8a7b8a02f2362437434fd070052f69429937dfbb4211a5850b15391f8afa4e36ede538eb3062d3160c7c81faf68d26d79293e1462e16695cc399240

Download Submit
C:\Users\Admin\AppData\Local\Temp\ose00000.exe

Filesize
152KB

MD5
49e2dd49526d6524592430779935053b

SHA1
1fd8a9646c9f311150168702cf3dda3676356ffd

SHA256
20835dfefd9e78f24c8ecb12ab3cebb1a8f8f5ac6b3a5054d4cf530953a1eaef

SHA512
295bb258c62545ae02a2b2b3c91d1dd8bdba4a60905546401ad2fc0b14aca27e15ba1c24665eaaff8a0cf274353e31c0d54268eee5e3910f59f6595fefa83958

Download Submit
C:\Windows\SysWOW64\runouce.exe

Filesize
10KB

MD5
70cf3cd31050cdfc79109619b281c273

SHA1
2f229b5aa528809332f2a96edd6abdddf069ef29

SHA256
858944bfb3b2b25c07c0cec063d962281853d4af272cc9ae3f721a8bd287700f

SHA512
757fa81ad44def04514ae00c621e9e296de385da41028e3fcade28e6e31ce585f43fe17ad241ad8aa2cdd18af8edff00da1d482e947e76a8f23e7101acf780a2

Download Submit
C:\vcredist2010_x86.log.html

Filesize
81KB

MD5
7ae8af4606bb699ecaf2c2e6da79540e

SHA1
00362e2eb3515457b54e4896c1e05149f67a5af0

SHA256
e912f5b19b67dd6681ba7f9076aa6400c90755fb829b2cbb03a4d0e9eba0ea4b

SHA512
bc51ad11f18d356ea0add38d696c9d9f0a2b283835e01d12e6a94d5f351782cc4d4062e32113625035dd3f4e946ca9be4f5c6dc85d8fc9da9fde82edfec01552

Download Submit
memory/1212-3-0x0000000002D90000-0x0000000002D91000-memory.dmp

Filesize
4KB

Download
memory/1212-4-0x0000000002D90000-0x0000000002D91000-memory.dmp

Filesize
4KB

Download
memory/1928-428-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2236-1-0x0000000000230000-0x00000000002B2000-memory.dmp

Filesize
520KB

Download
memory/2236-965-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2236-744-0x0000000000230000-0x00000000002B2000-memory.dmp

Filesize
520KB

Download
memory/2236-0-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2236-743-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2236-654-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2236-477-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2236-1022-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2236-1023-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2236-1024-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2236-1026-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2236-1034-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads