Analysis
max time kernel: 155s
max time network: 167s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 17-02-2022 00:38
Behavioral task behavioral1
Sample: 648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe
Resource: win7-en-20211208
Behavioral task behavioral2
Sample: 648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe
Resource: win10v2004-en-20220113
General
Target: 648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe
Size: 4.5MB
MD5: 018d1b0dca83db0ba677fc3271f1c783
SHA1: 5811bce8e13934072837b917543c8074e07d3678
SHA256: 648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0
SHA512: fc4674748651ddf40626d76dc247db99a3aabed85570624d7f05de1b52d5479e5846633e02a3da17ccd3127daf0e3b656f39bde58088424dd86f460d1812e4ea
Malware Config
Signatures
Adds Run key to start application 2 TTPs 2 IoCs
Process: 648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe
Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"
The value lands under WOW6432Node, which is the machine-wide Run key as a 32-bit process sees it through WOW64 registry redirection; Windows processes that key at logon, so patcher.exe would start for any user who signs in. The report lists no file event for C:\905c0769f9a06c95a24ddf945\patcher.exe itself, so a host check should look for both the WinFirewall value (HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run) and the presence of that path.
Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.
Drops file in Program Files directory 49 IoCs
Process: 648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe
File opened for modification: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe$
File opened for modification: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe$
File opened for modification: C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe
File created: C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
File opened for modification: C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
File opened for modification: C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe$
File opened for modification: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe$
File opened for modification: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe$
File opened for modification: C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE$
File created: C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe
File opened for modification: C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe
File opened for modification: C:\Program Files\7-Zip\7zG.exe
File opened for modification: C:\Program Files\7-Zip\7zG.exe$
File opened for modification: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe
File opened for modification: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
File opened for modification: C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe
File opened for modification: C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe
File opened for modification: C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe$
File opened for modification: C:\Program Files\7-Zip\7zFM.exe$
File opened for modification: C:\Program Files\7-Zip\Uninstall.exe
File opened for modification: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe$
File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
File opened for modification: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
File opened for modification: C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe$
File opened for modification: C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe$
File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
File opened for modification: C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
File opened for modification: C:\Program Files\7-Zip\7z.exe$
File opened for modification: C:\Program Files\7-Zip\Uninstall.exe$
File created: C:\Program Files\7-Zip\Uninstall.exe
File opened for modification: C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe
File opened for modification: C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE
File created: C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
File opened for modification: C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe
File opened for modification: C:\Program Files\7-Zip\7z.exe
File opened for modification: C:\Program Files\7-Zip\7zFM.exe
File created: C:\Program Files\7-Zip\7zFM.exe
File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
File opened for modification: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
File created: C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
File created: C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe
File created: C:\Program Files\7-Zip\7z.exe
File created: C:\Program Files\7-Zip\7zG.exe
File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
File opened for modification: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
File created: C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
File opened for modification: C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE$
File opened for modification: C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe
For 15 of the executables listed (7-Zip, Office Click-to-Run, VSTO, OSE, LICLUA and the Chrome installer binaries) the report shows the same three events: the existing file opened for modification, a sibling with "$" appended to the name opened for modification, and the original created again. Four others (msinfo32.exe, InputPersonalization.exe, ShapeCollector.exe, TabTip.exe) show only the open-for-modification event. Every target is a legitimate Microsoft or third-party executable under Program Files, so on an affected host each listed binary should be hashed against a known-good copy, and any leftover "<name>$" file next to it treated as an indicator.
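The Run-key and Program Files records above arrive as one run of text per signature. The following Python is an added example, not part of the sandbox report and not code from the sample: it parses that record layout from a constructed excerpt of this page's lines, folds each "<name>" / "<name>$" pair together, and emits the path and registry-value list a host check would start from. The record grammar it assumes ("<action> <target> <process>" after a "<process>description ioc process" header, with backslashes doubled inside string data) is inferred from the lines on this page, not documented behaviour of the sandbox.

```python
import re

# Constructed excerpt of the page's flattened "Processes:" lines: a subset of its 49
# Program Files IoCs plus its two Run-key IoCs, rebuilt here so the parser runs offline.
SAMPLE_EXE = "648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe"

FILE_IOCS = (
    f"{SAMPLE_EXE}description ioc process "
    f"File opened for modification C:\\Program Files\\7-Zip\\7z.exe$ {SAMPLE_EXE} "
    f"File opened for modification C:\\Program Files\\7-Zip\\7z.exe {SAMPLE_EXE} "
    f"File created C:\\Program Files\\7-Zip\\7z.exe {SAMPLE_EXE} "
    f"File opened for modification C:\\Program Files\\Common Files\\microsoft shared\\MSInfo\\msinfo32.exe {SAMPLE_EXE} "
    f"File created C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\LICLUA.EXE {SAMPLE_EXE} "
    f"File opened for modification C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\LICLUA.EXE$ {SAMPLE_EXE} "
    f"File opened for modification C:\\Program Files\\Common Files\\microsoft shared\\OFFICE16\\LICLUA.EXE {SAMPLE_EXE} -"
)

REG_IOCS = (
    f"{SAMPLE_EXE}description ioc process "
    f"Key created \\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run {SAMPLE_EXE} "
    f"Set value (str) \\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\WinFirewall "
    f"= \"C:\\\\905c0769f9a06c95a24ddf945\\\\patcher.exe\" {SAMPLE_EXE} -"
)

FILE_ACTIONS = "File opened for modification|File created"


def _body(blob):
    """Drop the '<process>description ioc process' column header the report prepends."""
    return blob.split("description ioc process ", 1)[-1]


def parse_file_iocs(blob, process=SAMPLE_EXE):
    """Return [(action, path)] from one flattened file-IoC line.

    Paths contain spaces, so each record is delimited by the trailing process name
    rather than by whitespace (assumed record grammar, inferred from the page)."""
    pat = re.compile(r"(" + FILE_ACTIONS + r") (.+?) " + re.escape(process))
    return pat.findall(_body(blob))


def parse_run_values(blob, process=SAMPLE_EXE):
    """Return {value_name: (key, command)} for every 'Set value (str)' record.

    The report shows backslashes doubled inside string data; they are folded back to
    single backslashes so the command can be compared with a real path."""
    pat = re.compile(r'Set value \(str\) (\S+?)\\([^\\ ]+) = "(.*?)" ' + re.escape(process))
    return {name: (key, data.replace("\\\\", "\\")) for key, name, data in pat.findall(_body(blob))}


def hive_view(nt_key):
    """Map the native \\REGISTRY\\MACHINE\\... form the sandbox prints to the HKLM view."""
    return nt_key.replace("\\REGISTRY\\MACHINE\\", "HKLM\\", 1)


def companion_pairs(records):
    """Group file records by executable: which actions hit the original, and which hit a
    sibling with '$' appended (the pattern the report shows for most of its targets)."""
    by_base = {}
    for action, path in records:
        is_companion = path.endswith("$")
        base = path[:-1] if is_companion else path
        entry = by_base.setdefault(base, {"original": set(), "companion": set()})
        entry["companion" if is_companion else "original"].add(action)
    return by_base


def hunt_list(records, run_values):
    """Every path a host check should look at: touched files, '$' siblings, Run targets."""
    paths = {path for _, path in records}
    paths.update(cmd for _, cmd in run_values.values())
    return sorted(paths)


if __name__ == "__main__":
    recs = parse_file_iocs(FILE_IOCS)
    for base, hit in sorted(companion_pairs(recs).items()):
        print(f"{base}\n    original: {sorted(hit['original'])}\n    '$' sibling: {sorted(hit['companion'])}")
    run_values = parse_run_values(REG_IOCS)
    for name, (key, cmd) in run_values.items():
        print(f"Run value {name!r} in {hive_view(key)} -> {cmd}")
    print("\n".join(hunt_list(recs, run_values)))
```

Feed the full 49-record line from the report into parse_file_iocs to get the complete grouping; the excerpt above covers one target with all three events (7z.exe), one with only the open-for-modification event (msinfo32.exe) and one whose events arrive in a different order (LICLUA.EXE), which is why the grouping is keyed by base path rather than by event sequence.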
Drops file in Windows directory 6 IoCs
Process: svchost.exe
File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.edb
File opened for modification: C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm
File opened for modification: C:\Windows\SoftwareDistribution\ReportingEvents.log
File opened for modification: C:\Windows\WindowsUpdate.log
File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk
File opened for modification: C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log
This svchost.exe instance is the Windows Update service (svchost.exe -k netsvcs -p -s wuauserv, PID 3880 in the process list), and the files are its own datastore and logs. Together with the AdjustPrivilegeToken entries below, this is background activity of the analysis VM rather than behaviour of the sample; the process tree shows svchost.exe as a separate top-level process, not a child of the sample.
NTFS ADS 1 IoCs
Process: 648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe
File opened for modification: C:\Users\Admin\AppData\Local\Temp\:\autorun.inf
This is the only autorun.inf path the report records, written as an alternate data stream under the sample's own Temp directory; it is the IoC behind the "Drops autorun.inf file" signature above.
Suspicious use of AdjustPrivilegeToken 6 IoCs
Process: svchost.exe (PID 3880)
Token: SeShutdownPrivilege and SeCreatePagefilePrivilege, each adjusted three times, alternating
Suspicious use of SetWindowsHookEx 1 IoCs
Process: 648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe (PID 4656)
Processes
C:\Users\Admin\AppData\Local\Temp\648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\648986fa909cc12cf12c7a9f7a9382fc2d4120fb5bac89cc416148b37b3e33b0.exe"
  PID: 4656
  - Adds Run key to start application
  - Drops file in Program Files directory
  - NTFS ADS
  - Suspicious use of SetWindowsHookEx
C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
  PID: 3880
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
Both entries sit at the top level of the process tree; the report shows no child processes of the sample.
Network
MITRE ATT&CK Enterprise v6
Downloads
memory/3880-132-0x000002295B220000-0x000002295B230000-memory.dmp  Filesize 64KB
memory/3880-133-0x000002295B280000-0x000002295B290000-memory.dmp  Filesize 64KB
memory/3880-134-0x000002295D950000-0x000002295D954000-memory.dmp  Filesize 16KB
memory/4656-135-0x0000000000400000-0x000000000040D000-memory.dmp  Filesize 52KB
The three PID 3880 dumps belong to svchost.exe; the PID 4656 dump is the sample's own 52KB region at 0x400000, the default image base of a 32-bit executable, which matches the Run value being written under WOW6432Node.