681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad

General

Target

681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad.exe
Size

1.3MB
MD5

4587acebe88fb88576bc698788cfb541
SHA1

9dbaf26d5934fba8acffa597b2830a64ddd9f207
SHA256

681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad
SHA512

e91cb4869f5b2b521bddd2f20f35de3c248ea33ebdb7d26137ced4f3dd3616ec43fa25e9d11ea6f0caf09a06e50d772c05ecb1bf94dddd868430ac94a31669de

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"	681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad.exe

Drops autorun.inf file 1 TTPs 1 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\autorun.inf	681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad.exe

Drops file in Program Files directory 64 IoCs

Processes:

681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad.exe

description	ioc	process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSQRY32.EXE$	681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\protocolhandler.exe	681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe	681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\filecompare.exe	681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\GetHelp.exe	681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\rmid.exe$	681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\rmiregistry.exe$	681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\VPREVIEW.EXE$	681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\klist.exe	681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\outicon.exe$	681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstat.exe$	681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\jvisualvm.exe	681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\pack200.exe	681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\schemagen.exe$	681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\wsimport.exe$	681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\wordicon.exe	681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe$	681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstatd.exe$	681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\kinit.exe	681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-hang-ui.exe$	681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe$	681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe	681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\jp2launcher.exe	681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe$	681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ktab.exe	681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\orbd.exe	681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\unpack200.exe$	681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad.exe
File created	C:\Program Files\Java\jre1.8.0_66\bin\keytool.exe	681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\policytool.exe	681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\PilotshubApp.exe	681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe$	681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javacpl.exe	681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\VPREVIEW.EXE	681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\accicons.exe	681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-040C-1000-0000000FF1CE}\misc.exe$	681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe$	681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSOUC.EXE	681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\msouc.exe$	681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad.exe
File created	C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe	681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe$	681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe	681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\unpack200.exe$	681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\nbexec64.exe	681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\osmadminicon.exe$	681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Microsoft.WebMediaExtensions.exe	681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe$	681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\jjs.exe$	681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\servertool.exe$	681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\orbd.exe$	681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\MSOSREC.EXE$	681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE	681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe$	681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe$	681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\javaws.exe$	681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe	681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\XLICONS.EXE$	681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection.exe	681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\ohub32.exe$	681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad.exe

NTFS ADS 1 IoCs

Processes:

681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\autorun.inf	681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad.exe

pid process

3148 681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad.exe

pid	process
3148	681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad.exe

C:\Users\Admin\AppData\Local\Temp\681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad.exe
"C:\Users\Admin\AppData\Local\Temp\681503e3e93dbbb94c9e8b50b55a664e70c554677f29327501291736fedec9ad.exe"
1⤵
- Adds Run key to start application
- Drops autorun.inf file
- Drops file in Program Files directory
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:3148

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3148-132-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3148-133-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads