Analysis
max time kernel: 151s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 03-07-2022 17:38
Static task: static1
Behavioral task: behavioral1
  Sample: 3b1ea47c3532e6e4f8fe72474fd92deaa684edb43731b6551b9d8521fd6dde71.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 3b1ea47c3532e6e4f8fe72474fd92deaa684edb43731b6551b9d8521fd6dde71.exe
  Resource: win10v2004-20220414-en
General
Target: 3b1ea47c3532e6e4f8fe72474fd92deaa684edb43731b6551b9d8521fd6dde71.exe
Size: 1.9MB
MD5: 45b95cc7c7fb61b7f647f57bd29c9d28
SHA1: cbaddeb48d84dee074cb7fde40213edc085108a9
SHA256: 3b1ea47c3532e6e4f8fe72474fd92deaa684edb43731b6551b9d8521fd6dde71
SHA512: 6752746811f99707b7123bff3dd98dbdf93434e6721cdceeaa105c082dcf7d139604be63afb4a713e92795856f419370172db89c6b188fe4b7d8c28880ca7980
Malware Config
Signatures
-
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: 3b1ea47c3532e6e4f8fe72474fd92deaa684edb43731b6551b9d8521fd6dde71.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | 3b1ea47c3532e6e4f8fe72474fd92deaa684edb43731b6551b9d8521fd6dde71.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe" | 3b1ea47c3532e6e4f8fe72474fd92deaa684edb43731b6551b9d8521fd6dde71.exe
Drops autorun.inf file (1 TTPs, 1 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes: 3b1ea47c3532e6e4f8fe72474fd92deaa684edb43731b6551b9d8521fd6dde71.exe
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Local\Temp\:\autorun.inf | 3b1ea47c3532e6e4f8fe72474fd92deaa684edb43731b6551b9d8521fd6dde71.exe
Drops file in Program Files directory (64 IoCs)
Processes: 3b1ea47c3532e6e4f8fe72474fd92deaa684edb43731b6551b9d8521fd6dde71.exe
NTFS ADS (1 IoCs)
Processes: 3b1ea47c3532e6e4f8fe72474fd92deaa684edb43731b6551b9d8521fd6dde71.exe
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Local\Temp\:\autorun.inf | 3b1ea47c3532e6e4f8fe72474fd92deaa684edb43731b6551b9d8521fd6dde71.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes: 3b1ea47c3532e6e4f8fe72474fd92deaa684edb43731b6551b9d8521fd6dde71.exe
pid | process
4256 | 3b1ea47c3532e6e4f8fe72474fd92deaa684edb43731b6551b9d8521fd6dde71.exe
Processes
C:\Users\Admin\AppData\Local\Temp\3b1ea47c3532e6e4f8fe72474fd92deaa684edb43731b6551b9d8521fd6dde71.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3b1ea47c3532e6e4f8fe72474fd92deaa684edb43731b6551b9d8521fd6dde71.exe"
  - Adds Run key to start application
  - Drops autorun.inf file
  - Drops file in Program Files directory
  - NTFS ADS
  - Suspicious use of SetWindowsHookEx