648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0

General

Target

648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe
Size

4.5MB
MD5

018d1b0dca83db0ba677fc3271f1c783
SHA1

5811bce8e13934072837b917543c8074e07d3678
SHA256

648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0
SHA512

fc4674748651ddf40626d76dc247db99a3aabed85570624d7f05de1b52d5479e5846633e02a3da17ccd3127daf0e3b656f39bde58088424dd86f460d1812e4ea

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"	648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe

Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Drops file in Program Files directory 64 IoCs

Processes:

648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe

description	ioc	process
File created	C:\Program Files\7-Zip\7zG.exe	648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe
File created	C:\Program Files\7-Zip\Uninstall.exe	648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe	648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE	648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe	648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe
File created	C:\Program Files\7-Zip\7z.exe	648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe$	648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe$	648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_pwa_launcher.exe	648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_pwa_launcher.exe	648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe$	648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe	648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe$	648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe$	648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe	648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe$	648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe	648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe$	648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe	648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe$	648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe$	648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe$	648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe$	648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe	648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe$	648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe	648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe$	648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe	648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe$	648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe
File created	C:\Program Files\Google\Chrome\Application\chrome.exe	648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe$	648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe

NTFS ADS 1 IoCs

Processes:

648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\autorun.inf	648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe

pid process

1396 648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe

pid	process
1396	648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe

C:\Users\Admin\AppData\Local\Temp\648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe
"C:\Users\Admin\AppData\Local\Temp\648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:1396

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1396-57-0x0000000075AC1000-0x0000000075AC3000-memory.dmp

Filesize
8KB

Download
memory/1396-58-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads