Analysis

max time kernel: 153s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 03-07-2022 09:55

Static task: static1

Behavioral task: behavioral1
Sample: b1bdb8a84e10f0c0a66327a1d5e8ea30f48b774869b2f8528f2dd55483d57936.exe
Resource: win7-20220414-en

Behavioral task: behavioral2
Sample: b1bdb8a84e10f0c0a66327a1d5e8ea30f48b774869b2f8528f2dd55483d57936.exe
Resource: win10v2004-20220414-en
General

Target: b1bdb8a84e10f0c0a66327a1d5e8ea30f48b774869b2f8528f2dd55483d57936.exe
Size: 1.0MB
MD5: 3bb4fd30c797f3a9352e7f79d10e7e34
SHA1: 425890faf9d51152a9d78793287dd81261307f2b
SHA256: b1bdb8a84e10f0c0a66327a1d5e8ea30f48b774869b2f8528f2dd55483d57936
SHA512: b459bdca661544f9feadd77914ef88dee7af3b5288c27f160e28e3cdd05ce9ecb127a692b2ed1f529e7ccba8b4d0b64feb080093c9eb42c08b1333d7050f0f8f
Malware Config
Signatures
-
Adds Run key to start application (2 TTPs, 2 IoCs)
Process: b1bdb8a84e10f0c0a66327a1d5e8ea30f48b774869b2f8528f2dd55483d57936.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"
Note: \REGISTRY\MACHINE is HKLM, and the WOW6432Node path is where a 32-bit process's write to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run lands on a 64-bit host, so a hunt for the WinFirewall value has to cover both the native and the WOW6432Node Run keys. The value points at patcher.exe inside a hex-named directory at the drive root; this page does not list the creation of that file.
Drops autorun.inf file (1 TTP, 1 IoC)
Malware can abuse Windows Autorun to spread further via attached volumes.
Process: b1bdb8a84e10f0c0a66327a1d5e8ea30f48b774869b2f8528f2dd55483d57936.exe
  File opened for modification: C:\Users\Admin\AppData\Local\Temp\:\autorun.inf
Note: the path sits under the user's Temp directory with a colon as a path component (the same entry the NTFS ADS signature below reports), not at the root of a removable volume, so this signature by itself does not show an autorun.inf reaching attached media.
Drops file in Program Files directory (64 IoCs)
Process: b1bdb8a84e10f0c0a66327a1d5e8ea30f48b774869b2f8528f2dd55483d57936.exe
  File opened for modification: C:\Program Files\Microsoft Office\root\Office16\msoev.exe$
  File created: C:\Program Files\Microsoft Office\root\Office16\msoia.exe
  File created: C:\Program Files\7-Zip\7zFM.exe
  File opened for modification: C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe
  File created: C:\Program Files\Java\jdk1.8.0_66\bin\jstatd.exe
  File opened for modification: C:\Program Files\Java\jdk1.8.0_66\jre\bin\keytool.exe
  File opened for modification: C:\Program Files\Java\jre1.8.0_66\bin\servertool.exe
  File created: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe
  File opened for modification: C:\Program Files\Microsoft Office\root\Office16\SELFCERT.EXE$
  File opened for modification: C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe
  File opened for modification: C:\Program Files\Windows Media Player\wmplayer.exe
  File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe
  File opened for modification: C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe$
  File opened for modification: C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe
  File opened for modification: C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe$
  File opened for modification: C:\Program Files\Java\jdk1.8.0_66\jre\bin\servertool.exe
  File created: C:\Program Files\Java\jre1.8.0_66\bin\rmiregistry.exe
  File created: C:\Program Files\Microsoft Office\root\Office16\MSOSREC.EXE
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe$
  File opened for modification: C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe$
  File opened for modification: C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_pwa_launcher.exe$
  File opened for modification: C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe$
  File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE$
  File opened for modification: C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerElevatedAppServiceClient.exe
  File opened for modification: C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\outicon.exe
  File created: C:\Program Files\Mozilla Firefox\maintenanceservice.exe
  File created: C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe
  File created: C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe
  File opened for modification: C:\Program Files\Java\jdk1.8.0_66\bin\native2ascii.exe$
  File opened for modification: C:\Program Files\Java\jdk1.8.0_66\jre\bin\pack200.exe$
  File created: C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe
  File created: C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\msouc.exe
  File opened for modification: C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Microsoft.MicrosoftSolitaireCollection.exe
  File opened for modification: C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\XboxIdp.exe
  File opened for modification: C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\View3D.ResourceResolver.exe
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe$
  File created: C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe
  File opened for modification: C:\Program Files\Java\jdk1.8.0_66\bin\unpack200.exe$
  File created: C:\Program Files\Java\jre1.8.0_66\bin\ktab.exe
  File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOICONS.EXE$
  File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection.exe
  File opened for modification: C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\ohub32.exe$
  File opened for modification: C:\Program Files\Java\jre1.8.0_66\bin\java.exe$
  File opened for modification: C:\Program Files\Java\jre1.8.0_66\bin\policytool.exe$
  File opened for modification: C:\Program Files\Microsoft Office\root\Office16\SDXHelperBgt.exe
  File opened for modification: C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe$
  File opened for modification: C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\chrome_installer.exe$
  File opened for modification: C:\Program Files\7-Zip\7z.exe
  File opened for modification: C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe$
  File opened for modification: C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe
  File created: C:\Program Files\Microsoft Office\root\Office16\protocolhandler.exe
  File created: C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pj11icon.exe
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe$
  File opened for modification: C:\Program Files (x86)\Common Files\Java\Java Update\jaureg.exe
  File opened for modification: C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe$
  File opened for modification: C:\Program Files\Microsoft Office\root\Office16\GRAPH.EXE$
  File created: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DWTRIG20.EXE
  File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE$
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe$
  File opened for modification: C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe$
  File opened for modification: C:\Program Files\Java\jre1.8.0_66\bin\tnameserv.exe$
  File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.EXE
  File created: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe
  File opened for modification: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe
Note: every target is an existing executable of an installed product, several appear both under their own name and with a trailing $ (appletviewer.exe and appletviewer.exe$), and the File created entries reuse the names of real binaries such as 7zFM.exe and maintenanceservice.exe. On an affected host, hash-compare these executables against known-good copies or the vendor's signed packages before trusting them, and look for leftover *.exe$ companions.
NTFS ADS (1 IoC)
Process: b1bdb8a84e10f0c0a66327a1d5e8ea30f48b774869b2f8528f2dd55483d57936.exe
  File opened for modification: C:\Users\Admin\AppData\Local\Temp\:\autorun.inf
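The Run-key, autorun.inf/ADS and Program Files entries above are the hunt material in this report. The script below is an added example written for this page, not output of the sandbox: it parses lines in the report's own `File created <path>` / `File opened for modification <path>` / `Set value (str) <key>\<name> = "<value>"` form into records and derives what a responder would carry to the fleet: the Run value and its target, paths with a stream-style colon component, and the `.exe` / `.exe$` pairs. The input lines are copied from the signature tables above (a subset of the 64 Program Files entries); the regexes, tag names and the hex-named-root-directory heuristic are this example's own assumptions.

```python
"""Turn flattened Triage-style IoC lines into hunt artifacts (added example)."""
import re
from typing import Dict, List, Optional

# IoC lines copied from the report's signature tables; the Program Files
# subset is enough to show every pattern (created, modified, $-suffixed, pair).
REGISTRY_IOCS = [
    r"Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run",
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"',
]
FILE_IOCS = [
    r"File opened for modification C:\Users\Admin\AppData\Local\Temp\:\autorun.inf",
    r"File opened for modification C:\Program Files\Microsoft Office\root\Office16\msoev.exe$",
    r"File created C:\Program Files\Microsoft Office\root\Office16\msoia.exe",
    r"File created C:\Program Files\7-Zip\7zFM.exe",
    r"File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe",
    r"File opened for modification C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe$",
    r"File opened for modification C:\Program Files\7-Zip\7z.exe",
]

FILE_RE = re.compile(r"^(File created|File opened for modification) (.+)$")
# The report renders the value with doubled backslashes; group 4 keeps that raw form.
SETVAL_RE = re.compile(r'^Set value \((\w+)\) (.+?)\\([^\\]+) = "(.*)"$')
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
# Heuristic (this example's assumption, not a report field): an executable
# launched from a long hex-named directory directly under the drive root.
HEX_ROOT_EXE_RE = re.compile(r"^[A-Za-z]:\\[0-9a-f]{16,}\\[^\\]+\.exe$", re.IGNORECASE)


def parse_registry_ioc(line: str) -> Optional[Dict]:
    """Parse a 'Key created' or 'Set value (type)' line; None if neither."""
    if line.startswith("Key created "):
        return {"action": "key_created", "key": line[len("Key created "):]}
    m = SETVAL_RE.match(line)
    if not m:
        return None
    kind, key, name, raw_value = m.groups()
    return {"action": "set_value", "kind": kind, "key": key, "name": name,
            "value": raw_value.replace("\\\\", "\\")}  # undo the report's escaping


def classify_path(path: str) -> List[str]:
    """Tag a file path with the properties the signatures above key on."""
    tags = []
    low = path.lower()
    if ":" in path[2:]:            # a colon past the drive letter: stream-style component
        tags.append("ads")
    if low.rsplit("\\", 1)[-1] == "autorun.inf":
        tags.append("autorun")
    if low.startswith("c:\\program files"):
        tags.append("program_files")
    if path.endswith("$"):         # the report's <name>.exe$ companions
        tags.append("staged_copy")
    return tags


def parse_file_ioc(line: str) -> Optional[Dict]:
    """Parse a 'File created' / 'File opened for modification' line; None otherwise."""
    m = FILE_RE.match(line)
    if not m:
        return None
    action = "created" if m.group(1) == "File created" else "modified"
    return {"action": action, "path": m.group(2), "tags": classify_path(m.group(2))}


def paired_targets(files: List[Dict]) -> List[str]:
    """Executables seen both as X.exe and as X.exe$ in the same report."""
    paths = {f["path"] for f in files}
    return sorted(p[:-1] for p in paths if p.endswith("$") and p[:-1] in paths)


def hunt_summary(registry_lines: List[str], file_lines: List[str]) -> Dict:
    """Collect the host-hunting artifacts derivable from the IoC lines."""
    regs = [r for r in map(parse_registry_ioc, registry_lines) if r]
    files = [f for f in map(parse_file_ioc, file_lines) if f]
    run_entries = [(r["name"], r["value"]) for r in regs
                   if r["action"] == "set_value" and RUN_KEY_RE.search(r["key"])]
    return {
        "run_entries": run_entries,
        "hex_root_launchers": [v for _, v in run_entries if HEX_ROOT_EXE_RE.match(v)],
        "ads_paths": [f["path"] for f in files if "ads" in f["tags"]],
        "autorun_paths": [f["path"] for f in files if "autorun" in f["tags"]],
        "staged_copies": sum("staged_copy" in f["tags"] for f in files),
        "paired_targets": paired_targets(files),
        "program_files_created": sorted(f["path"] for f in files
                                        if f["action"] == "created" and "program_files" in f["tags"]),
    }


if __name__ == "__main__":
    for key, val in hunt_summary(REGISTRY_IOCS, FILE_IOCS).items():
        print(f"{key}: {val}")
```

The `program_files_created` list is the set to hash-verify first, since those paths already belonged to installed software; `paired_targets` shows which originals had a `$` companion in the same run, and `hex_root_launchers` is the single Run value worth turning into a fleet-wide registry query.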
Suspicious use of SetWindowsHookEx (1 IoC)
Process: PID 2912 b1bdb8a84e10f0c0a66327a1d5e8ea30f48b774869b2f8528f2dd55483d57936.exe
Note: SetWindowsHookEx is the usual API for keyboard and message hooks, but it is also called by ordinary GUI code, so this signature is weak on its own; the report does not record which hook type was installed.
Processes

1. C:\Users\Admin\AppData\Local\Temp\b1bdb8a84e10f0c0a66327a1d5e8ea30f48b774869b2f8528f2dd55483d57936.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b1bdb8a84e10f0c0a66327a1d5e8ea30f48b774869b2f8528f2dd55483d57936.exe"
   - Adds Run key to start application
   - Drops autorun.inf file
   - Drops file in Program Files directory
   - NTFS ADS
   - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

memory/2912-132-0x0000000000400000-0x000000000040D000-memory.dmp (filesize 52KB)