396c06b2bc5b7d8259b25bb6a15851c89854626f58bb06896407ca46dc0f5386

General

Target

396c06b2bc5b7d8259b25bb6a15851c89854626f58bb06896407ca46dc0f5386.exe
Size

4.4MB
MD5

039135cc2d5e7cf78505d5495ab1426a
SHA1

31b07b61e482b4444015c47b2621a41af1ce56ed
SHA256

396c06b2bc5b7d8259b25bb6a15851c89854626f58bb06896407ca46dc0f5386
SHA512

1227d92b8dd1a258a808d13c731274833f9f5cb58da4c261595b9831b8c7562c1d3fdbc7ad342d5d0f219e99cd4382d59bd2f2a22b90656996ad6c811e165d28

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

396c06b2bc5b7d8259b25bb6a15851c89854626f58bb06896407ca46dc0f5386.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	396c06b2bc5b7d8259b25bb6a15851c89854626f58bb06896407ca46dc0f5386.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"	396c06b2bc5b7d8259b25bb6a15851c89854626f58bb06896407ca46dc0f5386.exe

Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Drops file in Program Files directory 64 IoCs

Processes:

396c06b2bc5b7d8259b25bb6a15851c89854626f58bb06896407ca46dc0f5386.exe

description	ioc	process
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe	396c06b2bc5b7d8259b25bb6a15851c89854626f58bb06896407ca46dc0f5386.exe
File created	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	396c06b2bc5b7d8259b25bb6a15851c89854626f58bb06896407ca46dc0f5386.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	396c06b2bc5b7d8259b25bb6a15851c89854626f58bb06896407ca46dc0f5386.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	396c06b2bc5b7d8259b25bb6a15851c89854626f58bb06896407ca46dc0f5386.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe$	396c06b2bc5b7d8259b25bb6a15851c89854626f58bb06896407ca46dc0f5386.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	396c06b2bc5b7d8259b25bb6a15851c89854626f58bb06896407ca46dc0f5386.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe	396c06b2bc5b7d8259b25bb6a15851c89854626f58bb06896407ca46dc0f5386.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe	396c06b2bc5b7d8259b25bb6a15851c89854626f58bb06896407ca46dc0f5386.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	396c06b2bc5b7d8259b25bb6a15851c89854626f58bb06896407ca46dc0f5386.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	396c06b2bc5b7d8259b25bb6a15851c89854626f58bb06896407ca46dc0f5386.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	396c06b2bc5b7d8259b25bb6a15851c89854626f58bb06896407ca46dc0f5386.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe$	396c06b2bc5b7d8259b25bb6a15851c89854626f58bb06896407ca46dc0f5386.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	396c06b2bc5b7d8259b25bb6a15851c89854626f58bb06896407ca46dc0f5386.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe	396c06b2bc5b7d8259b25bb6a15851c89854626f58bb06896407ca46dc0f5386.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe$	396c06b2bc5b7d8259b25bb6a15851c89854626f58bb06896407ca46dc0f5386.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	396c06b2bc5b7d8259b25bb6a15851c89854626f58bb06896407ca46dc0f5386.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe$	396c06b2bc5b7d8259b25bb6a15851c89854626f58bb06896407ca46dc0f5386.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	396c06b2bc5b7d8259b25bb6a15851c89854626f58bb06896407ca46dc0f5386.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe$	396c06b2bc5b7d8259b25bb6a15851c89854626f58bb06896407ca46dc0f5386.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	396c06b2bc5b7d8259b25bb6a15851c89854626f58bb06896407ca46dc0f5386.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	396c06b2bc5b7d8259b25bb6a15851c89854626f58bb06896407ca46dc0f5386.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe$	396c06b2bc5b7d8259b25bb6a15851c89854626f58bb06896407ca46dc0f5386.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe$	396c06b2bc5b7d8259b25bb6a15851c89854626f58bb06896407ca46dc0f5386.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe$	396c06b2bc5b7d8259b25bb6a15851c89854626f58bb06896407ca46dc0f5386.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	396c06b2bc5b7d8259b25bb6a15851c89854626f58bb06896407ca46dc0f5386.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe$	396c06b2bc5b7d8259b25bb6a15851c89854626f58bb06896407ca46dc0f5386.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe	396c06b2bc5b7d8259b25bb6a15851c89854626f58bb06896407ca46dc0f5386.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	396c06b2bc5b7d8259b25bb6a15851c89854626f58bb06896407ca46dc0f5386.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe$	396c06b2bc5b7d8259b25bb6a15851c89854626f58bb06896407ca46dc0f5386.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	396c06b2bc5b7d8259b25bb6a15851c89854626f58bb06896407ca46dc0f5386.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe$	396c06b2bc5b7d8259b25bb6a15851c89854626f58bb06896407ca46dc0f5386.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe$	396c06b2bc5b7d8259b25bb6a15851c89854626f58bb06896407ca46dc0f5386.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	396c06b2bc5b7d8259b25bb6a15851c89854626f58bb06896407ca46dc0f5386.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	396c06b2bc5b7d8259b25bb6a15851c89854626f58bb06896407ca46dc0f5386.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	396c06b2bc5b7d8259b25bb6a15851c89854626f58bb06896407ca46dc0f5386.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	396c06b2bc5b7d8259b25bb6a15851c89854626f58bb06896407ca46dc0f5386.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	396c06b2bc5b7d8259b25bb6a15851c89854626f58bb06896407ca46dc0f5386.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	396c06b2bc5b7d8259b25bb6a15851c89854626f58bb06896407ca46dc0f5386.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe	396c06b2bc5b7d8259b25bb6a15851c89854626f58bb06896407ca46dc0f5386.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe$	396c06b2bc5b7d8259b25bb6a15851c89854626f58bb06896407ca46dc0f5386.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	396c06b2bc5b7d8259b25bb6a15851c89854626f58bb06896407ca46dc0f5386.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	396c06b2bc5b7d8259b25bb6a15851c89854626f58bb06896407ca46dc0f5386.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe$	396c06b2bc5b7d8259b25bb6a15851c89854626f58bb06896407ca46dc0f5386.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe	396c06b2bc5b7d8259b25bb6a15851c89854626f58bb06896407ca46dc0f5386.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	396c06b2bc5b7d8259b25bb6a15851c89854626f58bb06896407ca46dc0f5386.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	396c06b2bc5b7d8259b25bb6a15851c89854626f58bb06896407ca46dc0f5386.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	396c06b2bc5b7d8259b25bb6a15851c89854626f58bb06896407ca46dc0f5386.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe$	396c06b2bc5b7d8259b25bb6a15851c89854626f58bb06896407ca46dc0f5386.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe	396c06b2bc5b7d8259b25bb6a15851c89854626f58bb06896407ca46dc0f5386.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	396c06b2bc5b7d8259b25bb6a15851c89854626f58bb06896407ca46dc0f5386.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	396c06b2bc5b7d8259b25bb6a15851c89854626f58bb06896407ca46dc0f5386.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	396c06b2bc5b7d8259b25bb6a15851c89854626f58bb06896407ca46dc0f5386.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	396c06b2bc5b7d8259b25bb6a15851c89854626f58bb06896407ca46dc0f5386.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	396c06b2bc5b7d8259b25bb6a15851c89854626f58bb06896407ca46dc0f5386.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	396c06b2bc5b7d8259b25bb6a15851c89854626f58bb06896407ca46dc0f5386.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	396c06b2bc5b7d8259b25bb6a15851c89854626f58bb06896407ca46dc0f5386.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	396c06b2bc5b7d8259b25bb6a15851c89854626f58bb06896407ca46dc0f5386.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe$	396c06b2bc5b7d8259b25bb6a15851c89854626f58bb06896407ca46dc0f5386.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	396c06b2bc5b7d8259b25bb6a15851c89854626f58bb06896407ca46dc0f5386.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe$	396c06b2bc5b7d8259b25bb6a15851c89854626f58bb06896407ca46dc0f5386.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe$	396c06b2bc5b7d8259b25bb6a15851c89854626f58bb06896407ca46dc0f5386.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe$	396c06b2bc5b7d8259b25bb6a15851c89854626f58bb06896407ca46dc0f5386.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe$	396c06b2bc5b7d8259b25bb6a15851c89854626f58bb06896407ca46dc0f5386.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	396c06b2bc5b7d8259b25bb6a15851c89854626f58bb06896407ca46dc0f5386.exe

NTFS ADS 1 IoCs

Processes:

396c06b2bc5b7d8259b25bb6a15851c89854626f58bb06896407ca46dc0f5386.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\autorun.inf	396c06b2bc5b7d8259b25bb6a15851c89854626f58bb06896407ca46dc0f5386.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

396c06b2bc5b7d8259b25bb6a15851c89854626f58bb06896407ca46dc0f5386.exe

pid process

1768 396c06b2bc5b7d8259b25bb6a15851c89854626f58bb06896407ca46dc0f5386.exe

pid	process
1768	396c06b2bc5b7d8259b25bb6a15851c89854626f58bb06896407ca46dc0f5386.exe

C:\Users\Admin\AppData\Local\Temp\396c06b2bc5b7d8259b25bb6a15851c89854626f58bb06896407ca46dc0f5386.exe
"C:\Users\Admin\AppData\Local\Temp\396c06b2bc5b7d8259b25bb6a15851c89854626f58bb06896407ca46dc0f5386.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:1768

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1768-57-0x00000000762C1000-0x00000000762C3000-memory.dmp

Filesize
8KB

Download
memory/1768-58-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads