Analysis
Max time kernel: 150s
Max time network: 156s
Platform: windows10-2004_x64
Resource: win10v2004-20220414-en
Submitted: 03-07-2022 18:48

Static task: static1

Behavioral task: behavioral1
Sample: 3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
Resource: win7-20220414-en

Behavioral task: behavioral2
Sample: 3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
Resource: win10v2004-20220414-en

General
Target: 3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
Size: 2.8MB
MD5: 7c510d74eca6e39aef20590eccf15ece
SHA1: 7ab2c3d79ba22a1daab82033cb3f082fb5f7e135
SHA256: 3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5
SHA512: ade5ac974f94d910e05525f41d0d905c31f79ff299d8effc1efbf12d148ce1f50c0582f7207c0b56259be045de0050a051ff76ab21b792fcd15eb05912bc12b2
Malware Config
Signatures

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: 3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run | 3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe" | 3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
Drops autorun.inf file (1 TTP, 1 IoC)
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes: 3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Local\Temp\:\autorun.inf | 3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
Drops file in Program Files directory (64 IoCs)
Processes: 3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
NTFS ADS (1 IoC)
Processes: 3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Local\Temp\:\autorun.inf | 3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
Suspicious use of SetWindowsHookEx (1 IoC)
Processes: 3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
pid | process
4028 | 3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\3acbcd385dcca5bef66a011ca1dc65f7945967fb244d7cb12f2ec363a48144b5.exe"
   Signatures:
   - Adds Run key to start application
   - Drops autorun.inf file
   - Drops file in Program Files directory
   - NTFS ADS
   - Suspicious use of SetWindowsHookEx