e9b99706a9b48b09974dd18c1af8a0e402ccddcaa0c91edf43fdd838128a7408

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 02:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
Size

1.6MB
MD5

16d202aac28076f3c4c1bec60f356f7b
SHA1

4d9592f4b3f4ea12b245c531b93082ccfd6fd292
SHA256

0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc
SHA512

9f70ed2f374a82fb03d58a22cceb33f1ee8eef7bc8d97bca67c5240aa6b60d201d88415cc2501b635ff53be7fde1f0a08b036a2ffc8d29c5f71b4c0db52deaf4
SSDEEP

24576:EFwvcMczi2I0CHpQlDOk0Uig4dMwbQ4Mf7Pgw433naEtl1:EqXczupQbZ4Z8v7PgwwnaE1

Score

10^/10

discovery spyware stealer upx

Malware Config

Extracted

Credentials

Protocol: ftp
Host:
ftp.free3v.net
Port:
21
Username:
money8
Password:
12345678

Signatures

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops file in System32 directory 64 IoCs

Processes:

0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe

description	ioc	process
File created	C:\Windows\SysWOW64\certutil.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\SysWOW64\hdwwiz.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\SysWOW64\msinfo32.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\SysWOW64\where.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\SysWOW64\mtstocom.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\SysWOW64\ntprint.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\SysWOW64\tcmsetup.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\SysWOW64\eudcedit.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\SysWOW64\gpresult.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\SysWOW64\tasklist.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\SysWOW64\Robocopy.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\SysWOW64\ROUTE.EXE	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\SysWOW64\tracerpt.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\SysWOW64\userinit.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\SysWOW64\regedit.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\SysWOW64\ComputerDefaults.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\SysWOW64\dvdupgrd.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\SysWOW64\MuiUnattend.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\SysWOW64\wextract.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\System32\DriverStore\FileRepository\brmfcmf.inf_amd64_neutral_67b5984f8e8ff717\BrmfRsmg.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\SysWOW64\migwiz\migwiz.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\SysWOW64\msfeedssync.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\SysWOW64\PresentationHost.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\SysWOW64\waitfor.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\SysWOW64\IME\IMEJP10\imjppdmg.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\SysWOW64\driverquery.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\SysWOW64\getmac.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\SysWOW64\isoburn.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\SysWOW64\upnpcont.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\SysWOW64\forfiles.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\SysWOW64\TsWpfWrp.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\SysWOW64\wiaacmgr.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\SysWOW64\xcopy.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\System32\DriverStore\FileRepository\divacx64.inf_amd64_neutral_fa0f82f024789743\xlog.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\SysWOW64\wbem\WMIC.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\SysWOW64\msiexec.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\SysWOW64\sc.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\SysWOW64\user.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\SysWOW64\wimserv.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\SysWOW64\cipher.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\SysWOW64\RMActivate.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\SysWOW64\Utilman.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\System32\DriverStore\FileRepository\brmfcwia.inf_amd64_neutral_817b8835aed3d6b7\BrmfRsmg.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\SysWOW64\calc.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\SysWOW64\migwiz\PostMig.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\SysWOW64\notepad.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\SysWOW64\SystemPropertiesRemote.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\SysWOW64\TapiUnattend.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\SysWOW64\com\comrepl.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\SysWOW64\ddodiag.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\SysWOW64\lodctr.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\SysWOW64\Magnify.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\SysWOW64\mmc.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\SysWOW64\verifier.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\SysWOW64\ntkrnlpa.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\SysWOW64\pcaui.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\SysWOW64\verclsid.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\SysWOW64\choice.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\SysWOW64\cmstp.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\SysWOW64\diantz.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\SysWOW64\logagent.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\SysWOW64\dxdiag.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\SysWOW64\PATHPING.EXE	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\SysWOW64\regedt32.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe

UPX packed file 26 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral9/memory/2516-8-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral9/memory/2516-7-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral9/memory/2516-60-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral9/memory/2516-59-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral9/memory/2516-58-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral9/memory/2516-57-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral9/memory/2516-54-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral9/memory/2516-52-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral9/memory/2516-49-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral9/memory/2516-47-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral9/memory/2516-44-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral9/memory/2516-42-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral9/memory/2516-40-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral9/memory/2516-37-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral9/memory/2516-35-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral9/memory/2516-33-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral9/memory/2516-28-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral9/memory/2516-29-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral9/memory/2516-26-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral9/memory/2516-24-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral9/memory/2516-21-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral9/memory/2516-19-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral9/memory/2516-17-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral9/memory/2516-14-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral9/memory/2516-12-0x0000000010000000-0x000000001003F000-memory.dmp	upx
behavioral9/memory/2516-9-0x0000000010000000-0x000000001003F000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

Processes:

0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Program Files\Windows Media Player\wmpconfig.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Program Files\Windows Media Player\WMPDMC.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVEMN.EXE	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File opened for modification	C:\Program Files\Microsoft Games\Chess\Chess.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ktab.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSQRY32.EXE	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ACCICONS.EXE	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSACCESS.EXE	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Program Files (x86)\Windows Media Player\WMPDMC.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Program Files\Internet Explorer\iexplore.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\IEContentService.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\ONELEV.EXE	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Program Files (x86)\Windows Media Player\wmpenc.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\mip.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Program Files\Windows Media Player\WMPSideShowGadget.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Program Files (x86)\Windows Media Player\wmprph.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe

Drops file in Windows directory 64 IoCs

Processes:

0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe

description	ioc	process
File created	C:\Windows\winsxs\x86_microsoft-windows-driververifier_31bf3856ad364e35_6.1.7600.16385_none_ba42313afe0efbbb\verifier.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ping-utilities_31bf3856ad364e35_6.1.7600.16385_none_052696aea98bcefc\PATHPING.EXE	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-registry-editor_31bf3856ad364e35_6.1.7600.16385_none_5023a70bf589ad3e\regedt32.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-ddodiag_31bf3856ad364e35_6.1.7600.16385_none_362ce835fe42421b\ddodiag.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-robocopy_31bf3856ad364e35_6.1.7601.17514_none_252d34f00303c6fa\Robocopy.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-efs-ui_31bf3856ad364e35_6.1.7600.16385_none_f64b1e25e8ea1172\efsui.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-ie-iexpress_31bf3856ad364e35_8.0.7600.16385_none_7f0c7a3c17077fce\wextract.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\ServiceModelReg.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-i..xing-service-server_31bf3856ad364e35_6.1.7601.17514_none_0db5e5844ed6ffe9\CISVC.EXE	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-migrationengine_31bf3856ad364e35_6.1.7601.17514_none_b6cddd21f1df8715\mighost.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-newdev_31bf3856ad364e35_6.1.7600.16385_none_6d6b3cfb6a5a1e5a\ndadmin.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\winsxs\amd64_subsystem-for-unix-based-applications_31bf3856ad364e35_6.1.7601.17514_none_d20e5d35068f261a\psxss.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-coreusermodepnp_31bf3856ad364e35_6.1.7601.17514_none_df7c5af777ec4541\drvinst.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-s..opertiesperformance_31bf3856ad364e35_6.1.7600.16385_none_5aad0353642dd29f\SystemPropertiesPerformance.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\WsatConfig.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..ncetoolscommandline_31bf3856ad364e35_6.1.7601.17514_none_bf4980401574a899\typeperf.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-r..eak-diagnostic-core_31bf3856ad364e35_6.1.7600.16385_none_b70694aa97134f37\rdrleakdiag.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File opened for modification	C:\Windows\winsxs\amd64_microsoft-windows-s..boxgames-backgammon_31bf3856ad364e35_6.1.7600.16385_none_668d031845881638\bckgzm.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-vssservice_31bf3856ad364e35_6.1.7601.17514_none_b8f2d3e62e76fe08\VSSVC.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.1.7601.17514_none_79642285ffd2a388\iisreset.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-systray_31bf3856ad364e35_6.1.7600.16385_none_f327d2f6575da8ce\systray.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_64\MSBuild\1a154709cdfe214029ea88c51ab2b579\MSBuild.ni.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Workflow.Compiler.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-calc_31bf3856ad364e35_6.1.7600.16385_none_05b2f2e2346cfea4\calc.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\winsxs\amd64_wpf-presentationfontcache_31bf3856ad364e35_6.1.7601.17514_none_63bf9c3e28cd9bfb\PresentationFontCache.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-defrag-adminui_31bf3856ad364e35_6.1.7601.17514_none_f73c142da6e47daa\dfrgui.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ie-feedsbs_31bf3856ad364e35_8.0.7601.17514_none_752e3bb068638683\msfeedssync.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-speech-userexperience_31bf3856ad364e35_6.1.7601.17514_none_7a2ff57a626c29fd\SpeechUXTutorial.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-systray_31bf3856ad364e35_6.1.7600.16385_none_4f466e7a0fbb1a04\systray.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-grpconv_31bf3856ad364e35_6.1.7600.16385_none_fe7d1685575edfa6\grpconv.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-security-tools-nltest_31bf3856ad364e35_6.1.7601.17514_none_f8852afc12f84e8e\nltest.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-tcpip-utility_31bf3856ad364e35_6.1.7601.17514_none_34ce5d95ad203bbe\MRINFO.EXE	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\winsxs\x86_netfx35linq-csharp_31bf3856ad364e35_6.1.7601.17514_none_193318f5726bf1d7\csc.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-p..installerandprintui_31bf3856ad364e35_6.1.7601.17514_none_347a450f0c8bd52d\printui.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\winsxs\amd64_wcf-icardagt_exe_31bf3856ad364e35_6.1.7600.16385_none_8dcc9c6f8b58a5eb\icardagt.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-performancetoolsgui_31bf3856ad364e35_6.1.7601.17514_none_04846decebf43c4c\resmon.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-cttune_31bf3856ad364e35_6.1.7600.16385_none_b35ae2951fd8adbc\cttune.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-msconfig-exe_31bf3856ad364e35_6.1.7601.17514_none_38a043f2b45f9ad2\msconfig.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\winsxs\Backup\x86_microsoft-windows-wininit_31bf3856ad364e35_6.1.7600.16385_none_30c90ef265a43c13_wininit.exe_7a527f28	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\assembly\GAC_MSIL\ehexthost\6.1.0.0__31bf3856ad364e35\ehexthost.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-extrac32_31bf3856ad364e35_6.1.7600.16385_none_371e8c461d966a55\extrac32.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-ie-internetexplorer_31bf3856ad364e35_11.2.9600.16428_none_11b913172f0cb26f\ieUnatt.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-m..-odbc-administrator_31bf3856ad364e35_6.1.7600.16385_none_a044d905576812d4\odbcad32.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-net1-command-line-tool_31bf3856ad364e35_6.1.7601.17514_none_88e35d5cb2d54359\net1.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-sethc_31bf3856ad364e35_6.1.7601.17514_none_64c7a8e4d35d675c\sethc.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\winsxs\x86_netfx35linq-vb_compiler_orcas_31bf3856ad364e35_6.1.7601.17514_none_9809be824da2c173\vbc.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\ehome\McxTask.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-nfs-clientcmdtools_31bf3856ad364e35_6.1.7600.16385_none_ad5854ca0a23343d\umount.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..estartup-fverecover_31bf3856ad364e35_6.1.7600.16385_none_ab0552bceeca5a61\BdeUnlockWizard.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\winsxs\Backup\amd64_microsoft-windows-b..vironment-os-loader_31bf3856ad364e35_6.1.7601.17514_none_b94cbfa183466a89_winresume.exe_85cd1215	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_6.1.7601.17514_none_678566b7ddea04a5\PkgMgr.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-m..ommandlineutilities_31bf3856ad364e35_6.1.7600.16385_none_7cf343cac8a829ec\find.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-where_31bf3856ad364e35_6.1.7600.16385_none_5da98f433f7e2878\where.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-cttunesvr_31bf3856ad364e35_6.1.7600.16385_none_4befc8eb38093bb1\cttunesvr.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-d..ing-management-core_31bf3856ad364e35_6.1.7601.17514_none_895a2b74415ea575\DismHost.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-s..up-drivepreparation_31bf3856ad364e35_6.1.7601.17514_none_ff178cca7f9d03eb\BdeHdCfg.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ilasm.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\Microsoft.NET\Framework64\v3.5\AddInProcess32.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-fsutil_31bf3856ad364e35_6.1.7600.16385_none_28590620099da2d8\fsutil.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
File created	C:\Windows\winsxs\wow64_microsoft-windows-m..onwizardapplication_31bf3856ad364e35_6.1.7601.17514_none_22f5c6aadf559287\MigSetup.exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Kills process with taskkill 6 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

2636 taskkill.exe
2976 taskkill.exe
2912 taskkill.exe
2616 taskkill.exe
1712 taskkill.exe
2828 taskkill.exe

pid	process
2636	taskkill.exe
2976	taskkill.exe
2912	taskkill.exe
2616	taskkill.exe
1712	taskkill.exe
2828	taskkill.exe

Modifies registry class 16 IoCs

Processes:

0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ec\DefaultIcon	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\E.Document	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\E.Document\DefaultIcon\ = "C:\\WINDOWS\\ME\\ÃÎ÷ÊÔ´Âë.ico,0"	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exe\	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exe\DefaultIcon	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ec\DefaultIcon\ = "C:\\WINDOWS\\ME\\ÃÎ÷ÊÄ£¿é.ico,0"	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exe\Shell\Open	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exe\Shell\Open\Command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe\" \"%1\""	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.exe\ = "exe"	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ec	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\E.Document\DefaultIcon	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exe	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exe\Shell\Open\Command	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exe\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe,0"	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\exe\EditFlags = "2"	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exe\Shell	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	2912	taskkill.exe
Token: SeDebugPrivilege	2616	taskkill.exe
Token: SeDebugPrivilege	2636	taskkill.exe
Token: SeDebugPrivilege	2976	taskkill.exe
Token: SeDebugPrivilege	2828	taskkill.exe
Token: SeDebugPrivilege	1712	taskkill.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe

pid	process
2516	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
2516	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
2516	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe

description	pid	process	target process
PID 2516 wrote to memory of 2616	2516	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe	taskkill.exe
PID 2516 wrote to memory of 2616	2516	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe	taskkill.exe
PID 2516 wrote to memory of 2616	2516	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe	taskkill.exe
PID 2516 wrote to memory of 2616	2516	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe	taskkill.exe
PID 2516 wrote to memory of 2912	2516	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe	taskkill.exe
PID 2516 wrote to memory of 2912	2516	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe	taskkill.exe
PID 2516 wrote to memory of 2912	2516	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe	taskkill.exe
PID 2516 wrote to memory of 2912	2516	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe	taskkill.exe
PID 2516 wrote to memory of 2976	2516	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe	taskkill.exe
PID 2516 wrote to memory of 2976	2516	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe	taskkill.exe
PID 2516 wrote to memory of 2976	2516	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe	taskkill.exe
PID 2516 wrote to memory of 2976	2516	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe	taskkill.exe
PID 2516 wrote to memory of 1712	2516	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe	taskkill.exe
PID 2516 wrote to memory of 1712	2516	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe	taskkill.exe
PID 2516 wrote to memory of 1712	2516	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe	taskkill.exe
PID 2516 wrote to memory of 1712	2516	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe	taskkill.exe
PID 2516 wrote to memory of 2636	2516	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe	taskkill.exe
PID 2516 wrote to memory of 2636	2516	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe	taskkill.exe
PID 2516 wrote to memory of 2636	2516	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe	taskkill.exe
PID 2516 wrote to memory of 2636	2516	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe	taskkill.exe
PID 2516 wrote to memory of 2828	2516	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe	taskkill.exe
PID 2516 wrote to memory of 2828	2516	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe	taskkill.exe
PID 2516 wrote to memory of 2828	2516	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe	taskkill.exe
PID 2516 wrote to memory of 2828	2516	0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe	taskkill.exe

C:\Users\Admin\AppData\Local\Temp\0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe
"C:\Users\Admin\AppData\Local\Temp\0cd7440ca94d31212e21867439f38f0828823b76c94d566e81f5dfaf71574ebc.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im kavsvc.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2616
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im KVXP.kxp
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2912
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im Rav.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2976
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im Ravmon.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1712
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im Mcshield.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2636
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im VsTskMgr.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2516-0-0x0000000000400000-0x00000000005CF000-memory.dmp

Filesize
1.8MB

Download
memory/2516-8-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2516-7-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2516-60-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2516-59-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2516-58-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2516-57-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2516-54-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2516-52-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2516-49-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2516-47-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2516-44-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2516-42-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2516-40-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2516-37-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2516-35-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2516-33-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2516-28-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2516-29-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2516-26-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2516-24-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2516-21-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2516-19-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2516-17-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2516-14-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2516-12-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download
memory/2516-9-0x0000000010000000-0x000000001003F000-memory.dmp

Filesize
252KB

Download