Analysis

max time kernel: 150s
max time network: 150s
platform: windows10_x64
resource: win10v20201028
submitted: 14-12-2020 16:42

Static task: static1

Behavioral task: behavioral1
Sample: d39ad5a55253710f0869adc9e33b604e.exe
Resource: win7v20201028 (windows7_x64)
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: d39ad5a55253710f0869adc9e33b604e.exe
Resource: win10v20201028 (windows10_x64)
0 signatures, 0 seconds
General

Target: d39ad5a55253710f0869adc9e33b604e.exe
Size: 7.6MB
MD5: d39ad5a55253710f0869adc9e33b604e
SHA1: 958068a419f4f7a936fee8cb74f8573822600e7d
SHA256: 65d3591d7b9e812861bfc619c867b60793f704cd99a4681d1c2a8c1ca2c11e3a
SHA512: e4d9a18e23306978a3f329b2ac1e7bf574a60f6ba85f588a589969a64111cc53360f015dc33b5436311b70633b683ee0ee981b47de54080b04fe672b997ab228
Score: 6/10
Malware Config
Signatures

Adds Run key to start application (2 TTPs, 2 IoCs)
Process: d39ad5a55253710f0869adc9e33b604e.exe
Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"
The WOW6432Node path means the sample is a 32-bit process whose HKLM\SOFTWARE write was redirected by the x64 sandbox. On a 64-bit host the value therefore sits in the 32-bit view of the Run key, which a check that only reads the native HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key will miss.
Drops autorun.inf file (1 TTP)
Malware can abuse Windows Autorun to spread further via attached volumes.
Drops file in Program Files directory (675 IoCs; the report lists the 64 below)
Process: d39ad5a55253710f0869adc9e33b604e.exe

File created: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
File opened for modification: C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\chrmstp.exe$
File opened for modification: C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe$
File created: C:\Program Files\Java\jdk1.8.0_66\bin\unpack200.exe
File opened for modification: C:\Program Files\Java\jre1.8.0_66\bin\java.exe
File opened for modification: C:\Program Files\Microsoft Office\root\Office16\MSOHTMED.EXE$
File created: C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pj11icon.exe
File created: C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pptico.exe
File opened for modification: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
File created: C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe
File opened for modification: C:\Program Files\Java\jdk1.8.0_66\bin\orbd.exe$
File opened for modification: C:\Program Files\Java\jre1.8.0_66\bin\rmid.exe
File created: C:\Program Files\Microsoft Office\root\Office16\PDFREFLOW.EXE
File created: C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe
File opened for modification: C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe
File created: C:\Program Files\Java\jdk1.8.0_66\bin\klist.exe
File opened for modification: C:\Program Files\Java\jdk1.8.0_66\bin\xjc.exe
File opened for modification: C:\Program Files\Java\jdk1.8.0_66\jre\bin\keytool.exe$
File opened for modification: C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe
File created: C:\Program Files\Microsoft Office\root\Office16\msotd.exe
File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE
File opened for modification: C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\accicons.exe
File created: C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe
File opened for modification: C:\Program Files\Microsoft Office\root\Office16\SDXHelperBgt.exe$
File opened for modification: C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe
File created: C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe
File created: C:\Program Files\Java\jdk1.8.0_66\bin\jmap.exe
File opened for modification: C:\Program Files\Java\jdk1.8.0_66\bin\jstatd.exe
File created: C:\Program Files\Java\jdk1.8.0_66\bin\jvisualvm.exe
File created: C:\Program Files\Java\jdk1.8.0_66\bin\rmid.exe
File opened for modification: C:\Program Files\Java\jre1.8.0_66\bin\servertool.exe
File opened for modification: C:\Program Files\7-Zip\7z.exe
File created: C:\Program Files\Java\jdk1.8.0_66\bin\kinit.exe
File opened for modification: C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmiregistry.exe$
File created: C:\Program Files\Java\jre1.8.0_66\bin\jjs.exe
File opened for modification: C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
File opened for modification: C:\Program Files\Microsoft Office\root\Office16\misc.exe
File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\filecompare.exe
File opened for modification: C:\Program Files\Java\jdk1.8.0_66\jre\bin\jabswitch.exe
File created: C:\Program Files\Java\jdk1.8.0_66\jre\bin\orbd.exe
File opened for modification: C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE$
File created: C:\Program Files\VideoLAN\VLC\uninstall.exe
File opened for modification: C:\Program Files\Internet Explorer\ielowutil.exe
File created: C:\Program Files\Java\jre1.8.0_66\bin\servertool.exe
File created: C:\Program Files\Java\jre1.8.0_66\bin\tnameserv.exe
File created: C:\Program Files\Microsoft Office\root\Office16\officeappguardwin32.exe
File created: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE
File created: C:\Program Files\Java\jdk1.8.0_66\bin\serialver.exe
File opened for modification: C:\Program Files\Java\jdk1.8.0_66\jre\bin\jp2launcher.exe$
File opened for modification: C:\Program Files\Java\jre1.8.0_66\bin\unpack200.exe$
File created: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection64.exe
File opened for modification: C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe
File opened for modification: C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe$
File opened for modification: C:\Program Files\Microsoft Office\root\Office16\msoev.exe
File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOHTMED.EXE$
File opened for modification: C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pubs.exe
File opened for modification: C:\Program Files\Google\Chrome\Application\86.0.4240.111\Installer\setup.exe$
File opened for modification: C:\Program Files\Internet Explorer\ieinstal.exe
File opened for modification: C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe$
File opened for modification: C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe
File opened for modification: C:\Program Files\Java\jdk1.8.0_66\bin\jstack.exe
File opened for modification: C:\Program Files\Google\Chrome\Application\chrome_proxy.exe$
File created: C:\Program Files\Java\jre1.8.0_66\bin\java-rmi.exe
File created: C:\Program Files\Microsoft Office\root\Client\AppVLP.exe
NTFS ADS (1 IoC)
Process: d39ad5a55253710f0869adc9e33b604e.exe
File opened for modification: C:\Users\Admin\AppData\Local\Temp\:\autorun.inf
Suspicious use of SetWindowsHookEx (1 IoC)
Process: d39ad5a55253710f0869adc9e33b604e.exe (pid 1924)
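The signatures above describe three things a responder can check for on a live host: the Run-key value named WinFirewall pointing at patcher.exe, the autorun.inf the sample opened through an NTFS alternate data stream under the user's Temp directory, and the large number of vendor executables under Program Files that it created or opened for modification (each created X.exe is paired in the report with a modified X.exe$). The PowerShell script below is an added triage example written for this page; it is not part of the sandbox report and not code from the sample. The only values it takes from the report are the WinFirewall value name, the patcher.exe path (the report shows it with doubled backslashes because it is a quoted string; the real value is C:\905c0769f9a06c95a24ddf945\patcher.exe), the Temp location and the .exe$ suffix. The one-day modification window and the decision to treat any non-Valid Authenticode status on a recently written .exe as a finding are the editor's assumptions.

```powershell
# Editor-added host triage script; not part of the sandbox report or the sample.
# Checks a Windows host for the three IoC classes the report records:
#   1. Run-key persistence: value "WinFirewall" -> C:\905c0769f9a06c95a24ddf945\patcher.exe
#   2. autorun.inf dropped via an NTFS alternate data stream under %TEMP%
#   3. executables under Program Files created or modified by the sample
# Everything except the values quoted from the report is an assumption.

$findings = New-Object System.Collections.Generic.List[string]

# --- 1. Run keys -------------------------------------------------------------
# The sample wrote to WOW6432Node, i.e. it is a 32-bit process whose HKLM write
# was redirected on the x64 sandbox. Check both registry views plus HKCU.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    $props = Get-ItemProperty -LiteralPath $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }           # provider metadata, not a value
        if ($p.Name -eq 'WinFirewall' -or "$($p.Value)" -match 'patcher\.exe') {
            $findings.Add("[RUN KEY] $key\$($p.Name) = $($p.Value)")
        }
    }
}

# --- 2. autorun.inf as an alternate data stream ------------------------------
# The report shows the sample opening <Temp>\:\autorun.inf, which the sandbox
# flags as an NTFS ADS. Enumerate non-default streams under %TEMP%, then look
# for a plain autorun.inf at the root of every mounted volume, which is the
# spreading path the "Drops autorun.inf file" signature describes.
Get-ChildItem -LiteralPath $env:TEMP -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
    } |
    Where-Object { $_.Stream -ne ':$DATA' } |
    ForEach-Object { $findings.Add("[ADS] $($_.FileName):$($_.Stream)") }

Get-PSDrive -PSProvider FileSystem | ForEach-Object {
    $ar = Join-Path -Path $_.Root -ChildPath 'autorun.inf'
    if (Test-Path -LiteralPath $ar) { $findings.Add("[AUTORUN] $ar") }
}

# --- 3. Executables under Program Files --------------------------------------
# The report pairs "File created X.exe" with "File opened for modification
# X.exe$" across 675 paths. Flag leftover ".exe$" files outright; for .exe
# files written recently, check the Authenticode signature. HashMismatch means
# a signed vendor binary now has different bytes. NotSigned on a file that used
# to be signed tells the same story but needs a baseline hash to prove it.
$cutoff = (Get-Date).AddDays(-1)      # assumption: sample ran within the last day
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
foreach ($root in $roots) {
    Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like '*.exe' -or $_.Name -like '*.exe$' } |
        ForEach-Object {
            if ($_.Name -like '*.exe$') {
                $findings.Add("[STAGED COPY] $($_.FullName)")
            } elseif ($_.LastWriteTime -gt $cutoff) {
                $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
                if ($sig.Status -ne 'Valid') {
                    $findings.Add("[MODIFIED EXE] $($_.FullName) status=$($sig.Status)")
                }
            }
        }
}

if ($findings.Count -eq 0) { 'No IoCs from the report found on this host.' }
else { $findings }
```

Run it from an elevated PowerShell session (reading HKLM\...\Run is fine unprivileged, but some Program Files subtrees and the Authenticode checks are not). Two caveats: the LastWriteTime cutoff is only there to keep the signature pass fast, and a sample that back-dates timestamps would slip past it, so on a host you believe is infected drop the cutoff and let the pass run over every executable; and a NotSigned result on its own proves nothing for vendors that ship unsigned tools, which is why the script reports the status rather than deciding for you.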