e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20

General

Target

e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
Size

1.5MB
MD5

3b7ad8b81c8bc01bce5456118f026703
SHA1

f19711c4eb758406744e7f0673c9aa8265c83328
SHA256

e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20
SHA512

a9cebc8efa6873434b4ff597087a0b2b083171068958e67a7d1c1e42016956c7e278d86b8b587d6051b3665c03924e1c016e2cdab707503c9e5037062d19d13e

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe

Drops autorun.inf file 1 TTPs 1 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\autorun.inf	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe

Drops file in Program Files directory 64 IoCs

Processes:

e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe$	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\GROOVEMN.EXE	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe$	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File created	C:\Program Files\Java\jre7\bin\keytool.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe$	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{66AD6684-A854-4BD3-AB9E-15AF98443D4D}\chrome_installer.exe$	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe$	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File created	C:\Program Files\Mozilla Firefox\updater.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE$	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Program Files\Java\jre7\bin\java-rmi.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File created	C:\Program Files\Java\jre7\bin\javaw.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ImagingDevices.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\INFOPATH.EXE	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe$	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe$	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.EXE	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Program Files\Windows Journal\PDIALOG.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe$	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\Mahjong.exe$	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe$	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File created	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\89.0.4389.114\chrome_installer.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\POWERPNT.EXE	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe$	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.exe$	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\PurblePlace.exe$	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe$	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe$	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe$	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe

Drops file in Windows directory 12 IoCs

Processes:

e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe

description	ioc	process
File created	C:\Windows\assembly\GAC_32\ehexthost32\6.1.0.0__31bf3856ad364e35\ehexthost32.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe$	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File created	C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Windows\assembly\GAC_64\mcupdate\6.1.0.0__31bf3856ad364e35\mcupdate.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File created	C:\Windows\assembly\GAC_64\mcupdate\6.1.0.0__31bf3856ad364e35\mcupdate.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe$	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Windows\assembly\GAC_32\ehexthost32\6.1.0.0__31bf3856ad364e35\ehexthost32.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Windows\assembly\GAC_64\mcupdate\6.1.0.0__31bf3856ad364e35\mcupdate.exe$	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File created	C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Windows\assembly\GAC_32\ehexthost32\6.1.0.0__31bf3856ad364e35\ehexthost32.exe$	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe

NTFS ADS 1 IoCs

Processes:

e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\autorun.inf	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe

pid process

1296 e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe

pid	process
1296	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe

C:\Users\Admin\AppData\Local\Temp\e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
"C:\Users\Admin\AppData\Local\Temp\e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe"
1⤵
- Adds Run key to start application
- Drops autorun.inf file
- Drops file in Program Files directory
- Drops file in Windows directory
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:1296

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1296-54-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1296-57-0x0000000074F21000-0x0000000074F23000-memory.dmp

Filesize
8KB

Download
memory/1296-58-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads