3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5

General

Target

3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
Size

2.8MB
MD5

7c510d74eca6e39aef20590eccf15ece
SHA1

7ab2c3d79ba22a1daab82033cb3f082fb5f7e135
SHA256

3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5
SHA512

ade5ac974f94d910e05525f41d0d905c31f79ff299d8effc1efbf12d148ce1f50c0582f7207c0b56259be045de0050a051ff76ab21b792fcd15eb05912bc12b2

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"	3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe

Drops autorun.inf file 1 TTPs 1 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\autorun.inf	3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe

Drops file in Program Files directory 64 IoCs

Processes:

3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe

description	ioc	process
File opened for modification	C:\Program Files\Mozilla Firefox\pingsender.exe	3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdate.exe	3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
File created	C:\Program Files\7-Zip\7zFM.exe	3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe	3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateBroker.exe	3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE$	3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe$	3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe$	3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-hang-ui.exe	3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe$	3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jinfo.exe	3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
File created	C:\Program Files\Java\jre7\bin\pack200.exe	3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\PurblePlace.exe$	3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe	3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe	3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ACCICONS.EXE$	3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleCrashHandler.exe$	3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleUpdateBroker.exe	3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe$	3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
File created	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.71\GoogleCrashHandler64.exe$	3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe$	3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe$	3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe	3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.EXE	3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe	3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
File created	C:\Program Files\Java\jre7\bin\rmid.exe	3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE	3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe$	3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
File created	C:\Program Files\Java\jre7\bin\tnameserv.exe	3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-container.exe	3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE	3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE	3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe$	3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe$	3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe$	3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe$	3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe	3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe	3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe$	3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe	3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe$	3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe

NTFS ADS 1 IoCs

Processes:

3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\autorun.inf	3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe

pid process

1348 3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe

pid	process
1348	3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe

C:\Users\Admin\AppData\Local\Temp\3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
"C:\Users\Admin\AppData\Local\Temp\3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe"
1⤵
- Adds Run key to start application
- Drops autorun.inf file
- Drops file in Program Files directory
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:1348

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1348-56-0x0000000075951000-0x0000000075953000-memory.dmp

Filesize
8KB

Download
memory/1348-57-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads