204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed

General

Target

204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
Size

3.9MB
MD5

bca6b95784be22950d3c68f7c021418b
SHA1

a80dbf95d96ab9402e644eb1e271a9431bbc7b53
SHA256

204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed
SHA512

00db30ff69cb35c301b4a4d52778414e4e176ef183da1da587df63069706cfa0c62d72fa4e010c05241bc25e182c6e5183a40d7e61a2e15924d875068e533f08

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe

Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Drops file in Program Files directory 64 IoCs

Processes:

204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\pack200.exe$	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe$	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe$	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe$	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File created	C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateComRegisterShell64.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateCore.exe$	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msoadfsb.exe$	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE$	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\filecompare.exe$	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\accicons.exe$	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-1000-0000000FF1CE}\misc.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\kinit.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\Integrator.exe$	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\msotd.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Source Engine\OSE.EXE	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.ShowHelp.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe$	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaw.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ssvagent.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File created	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\89.0.4389.114_chrome_installer.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe$	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\accicons.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmic.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\wsimport.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\XLICONS.EXE$	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstatd.exe$	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\ktab.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\servertool.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\AppVLP.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmiregistry.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javacpl.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jjs.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\ohub32.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe$	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe$	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe$	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ssvagent.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOHTMED.EXE	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOSYNC.EXE	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File created	C:\Program Files (x86)\Google\Update\1.3.35.452\GoogleUpdateCore.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe$	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File created	C:\Program Files\Microsoft Office\root\Office16\excelcnv.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\AppSharingHookController.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\joticon.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe$	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pptico.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Microsoft.Msn.Weather.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java-rmi.exe	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe

NTFS ADS 1 IoCs

Processes:

204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\autorun.inf	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe

pid process

1852 204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe

pid	process
1852	204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe

C:\Users\Admin\AppData\Local\Temp\204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe
"C:\Users\Admin\AppData\Local\Temp\204308e00ecfd13d39503dc525fccc5393483948e4c8640a1b21d616e1c4ebed.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:1852