e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20

General

Target

e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
Size

1.5MB
MD5

3b7ad8b81c8bc01bce5456118f026703
SHA1

f19711c4eb758406744e7f0673c9aa8265c83328
SHA256

e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20
SHA512

a9cebc8efa6873434b4ff597087a0b2b083171068958e67a7d1c1e42016956c7e278d86b8b587d6051b3665c03924e1c016e2cdab707503c9e5037062d19d13e

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe

Drops autorun.inf file 1 TTPs 1 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\autorun.inf	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe

Drops file in Program Files directory 64 IoCs

Processes:

e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\rmid.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Microsoft.Notes.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\kinit.exe$	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\klist.exe$	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Microsoft.Msn.Weather.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\SpeechToTextOverlay64-Retail.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File created	C:\Program Files\Microsoft Office\root\Office16\GRAPH.EXE	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSOUC.EXE	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSQRY32.EXE	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe$	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jjs.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\klist.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\java.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jabswitch.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\keytool.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\Integrator.exe$	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0409-1000-0000000FF1CE}\misc.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe$	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Program Files\Windows Media Player\wmplayer.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\servertool.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javacpl.exe$	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe$	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\ktab.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe$	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.157.61\MicrosoftEdgeUpdateBroker.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\accicons.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe$	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\servertool.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge_pwa_launcher.exe$	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\orbd.exe$	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File created	C:\Program Files\Mozilla Firefox\updater.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\pwahelper.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.157.61\MicrosoftEdgeUpdateComRegisterShell64.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSOSYNC.EXE	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\SmartTagInstall.exe$	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\orbd.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe$	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe$	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\ssvagent.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe$	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SELFCERT.EXE$	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jp2launcher.exe$	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\tnameserv.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\java.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe$	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Program Files\Windows Media Player\wmlaunch.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jjs.exe$	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe

NTFS ADS 1 IoCs

Processes:

e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\autorun.inf	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe

pid process

2160 e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe

pid	process
2160	e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe

C:\Users\Admin\AppData\Local\Temp\e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe
"C:\Users\Admin\AppData\Local\Temp\e49e14672de3a468cc660fd18ec801bea97f0d862279ca37a08956519e005e20.exe"
1⤵
- Adds Run key to start application
- Drops autorun.inf file
- Drops file in Program Files directory
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:2160

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2160-130-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2160-133-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads