3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82

General

Target

3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82.exe
Size

2.0MB
MD5

a12859823d43c0f050fac42ff3ca6850
SHA1

5cf9f15203a41120e4e92ebd1681088c22a100dc
SHA256

3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82
SHA512

bb6be1663d506e9892a493690abe9e7c636b941f88b42d5bec0584ccf8b98970096f18d20520913abef0683738e25a9ba27d20848cc6a94bcd349475e068b8fa

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"	3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82.exe

Drops autorun.inf file 1 TTPs 1 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\autorun.inf	3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82.exe

Drops file in Program Files directory 64 IoCs

Processes:

3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82.exe

description	ioc	process
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe	3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe$	3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe	3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\unpack200.exe	3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\pack200.exe$	3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\policytool.exe$	3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe	3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe	3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\orbd.exe	3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmiregistry.exe$	3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe$	3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe	3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe	3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe	3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe$	3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82.exe
File created	C:\Program Files\Google\Chrome\Application\chrome.exe	3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe	3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\tnameserv.exe	3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ktab.exe	3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe	3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe	3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\servertool.exe	3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java-rmi.exe$	3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmid.exe$	3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe	3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe	3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe	3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe$	3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe	3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\ktab.exe	3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\klist.exe	3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82.exe
File created	C:\Program Files\7-Zip\Uninstall.exe	3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe	3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe	3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\wsimport.exe	3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\kinit.exe	3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe	3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe$	3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\orbd.exe	3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmic.exe	3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe	3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jabswitch.exe	3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\jrunscript.exe	3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\kinit.exe	3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\extcheck.exe	3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe	3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\xjc.exe	3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\klist.exe$	3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe$	3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\jstatd.exe	3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\rmiregistry.exe$	3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\xjc.exe$	3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE$	3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_pwa_launcher.exe$	3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe$	3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe	3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\klist.exe	3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\rmic.exe	3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe	3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82.exe

NTFS ADS 1 IoCs

Processes:

3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\autorun.inf	3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82.exe

pid process

1260 3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82.exe

pid	process
1260	3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82.exe

C:\Users\Admin\AppData\Local\Temp\3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82.exe
"C:\Users\Admin\AppData\Local\Temp\3b14867db4b8692f481d5a9475fa3331656af41de2995a887a04240261aa0e82.exe"
1⤵
- Adds Run key to start application
- Drops autorun.inf file
- Drops file in Program Files directory
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:1260