ea6a6d5981a0525a7179cccbd9a49cf4a8e76a03d092ac61ff7892da7e822110

General

Target

ea6a6d5981a0525a7179cccbd9a49cf4a8e76a03d092ac61ff7892da7e822110.exe
Size

2.1MB
MD5

ad8dcda8253b4453c533484df10c4067
SHA1

a744f19e200d9faad8753086aff9f5b04258f961
SHA256

ea6a6d5981a0525a7179cccbd9a49cf4a8e76a03d092ac61ff7892da7e822110
SHA512

06dec471502cf0907d8cea35feb3ab450bdef086009df92cb4df96e99b31a0f86442b06dfca03a936b0f5cc857faea26bb16170a0c5b1e610826794615666898
SSDEEP

24576:iiIilDPUiIilDPeww5fL0vXlBsbSAOidYrovp4Tp9aQCoGsXHRL:1MD0vXlBMO+YrovpU/9L

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

ea6a6d5981a0525a7179cccbd9a49cf4a8e76a03d092ac61ff7892da7e822110.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	ea6a6d5981a0525a7179cccbd9a49cf4a8e76a03d092ac61ff7892da7e822110.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"	ea6a6d5981a0525a7179cccbd9a49cf4a8e76a03d092ac61ff7892da7e822110.exe

Drops autorun.inf file 1 TTPs 1 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

ea6a6d5981a0525a7179cccbd9a49cf4a8e76a03d092ac61ff7892da7e822110.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\autorun.inf	ea6a6d5981a0525a7179cccbd9a49cf4a8e76a03d092ac61ff7892da7e822110.exe

Drops file in Program Files directory 40 IoCs

Processes:

ea6a6d5981a0525a7179cccbd9a49cf4a8e76a03d092ac61ff7892da7e822110.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	ea6a6d5981a0525a7179cccbd9a49cf4a8e76a03d092ac61ff7892da7e822110.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	ea6a6d5981a0525a7179cccbd9a49cf4a8e76a03d092ac61ff7892da7e822110.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe$	ea6a6d5981a0525a7179cccbd9a49cf4a8e76a03d092ac61ff7892da7e822110.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	ea6a6d5981a0525a7179cccbd9a49cf4a8e76a03d092ac61ff7892da7e822110.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	ea6a6d5981a0525a7179cccbd9a49cf4a8e76a03d092ac61ff7892da7e822110.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	ea6a6d5981a0525a7179cccbd9a49cf4a8e76a03d092ac61ff7892da7e822110.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	ea6a6d5981a0525a7179cccbd9a49cf4a8e76a03d092ac61ff7892da7e822110.exe
File created	C:\Program Files\7-Zip\7zG.exe	ea6a6d5981a0525a7179cccbd9a49cf4a8e76a03d092ac61ff7892da7e822110.exe
File created	C:\Program Files\7-Zip\7z.exe	ea6a6d5981a0525a7179cccbd9a49cf4a8e76a03d092ac61ff7892da7e822110.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe$	ea6a6d5981a0525a7179cccbd9a49cf4a8e76a03d092ac61ff7892da7e822110.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	ea6a6d5981a0525a7179cccbd9a49cf4a8e76a03d092ac61ff7892da7e822110.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe$	ea6a6d5981a0525a7179cccbd9a49cf4a8e76a03d092ac61ff7892da7e822110.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	ea6a6d5981a0525a7179cccbd9a49cf4a8e76a03d092ac61ff7892da7e822110.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe$	ea6a6d5981a0525a7179cccbd9a49cf4a8e76a03d092ac61ff7892da7e822110.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	ea6a6d5981a0525a7179cccbd9a49cf4a8e76a03d092ac61ff7892da7e822110.exe
File created	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	ea6a6d5981a0525a7179cccbd9a49cf4a8e76a03d092ac61ff7892da7e822110.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe$	ea6a6d5981a0525a7179cccbd9a49cf4a8e76a03d092ac61ff7892da7e822110.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE$	ea6a6d5981a0525a7179cccbd9a49cf4a8e76a03d092ac61ff7892da7e822110.exe
File created	C:\Program Files\7-Zip\Uninstall.exe	ea6a6d5981a0525a7179cccbd9a49cf4a8e76a03d092ac61ff7892da7e822110.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe$	ea6a6d5981a0525a7179cccbd9a49cf4a8e76a03d092ac61ff7892da7e822110.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	ea6a6d5981a0525a7179cccbd9a49cf4a8e76a03d092ac61ff7892da7e822110.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	ea6a6d5981a0525a7179cccbd9a49cf4a8e76a03d092ac61ff7892da7e822110.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe$	ea6a6d5981a0525a7179cccbd9a49cf4a8e76a03d092ac61ff7892da7e822110.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe$	ea6a6d5981a0525a7179cccbd9a49cf4a8e76a03d092ac61ff7892da7e822110.exe
File created	C:\Program Files\7-Zip\7zFM.exe	ea6a6d5981a0525a7179cccbd9a49cf4a8e76a03d092ac61ff7892da7e822110.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE$	ea6a6d5981a0525a7179cccbd9a49cf4a8e76a03d092ac61ff7892da7e822110.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe$	ea6a6d5981a0525a7179cccbd9a49cf4a8e76a03d092ac61ff7892da7e822110.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	ea6a6d5981a0525a7179cccbd9a49cf4a8e76a03d092ac61ff7892da7e822110.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	ea6a6d5981a0525a7179cccbd9a49cf4a8e76a03d092ac61ff7892da7e822110.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	ea6a6d5981a0525a7179cccbd9a49cf4a8e76a03d092ac61ff7892da7e822110.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	ea6a6d5981a0525a7179cccbd9a49cf4a8e76a03d092ac61ff7892da7e822110.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe$	ea6a6d5981a0525a7179cccbd9a49cf4a8e76a03d092ac61ff7892da7e822110.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	ea6a6d5981a0525a7179cccbd9a49cf4a8e76a03d092ac61ff7892da7e822110.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	ea6a6d5981a0525a7179cccbd9a49cf4a8e76a03d092ac61ff7892da7e822110.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	ea6a6d5981a0525a7179cccbd9a49cf4a8e76a03d092ac61ff7892da7e822110.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	ea6a6d5981a0525a7179cccbd9a49cf4a8e76a03d092ac61ff7892da7e822110.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	ea6a6d5981a0525a7179cccbd9a49cf4a8e76a03d092ac61ff7892da7e822110.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	ea6a6d5981a0525a7179cccbd9a49cf4a8e76a03d092ac61ff7892da7e822110.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	ea6a6d5981a0525a7179cccbd9a49cf4a8e76a03d092ac61ff7892da7e822110.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	ea6a6d5981a0525a7179cccbd9a49cf4a8e76a03d092ac61ff7892da7e822110.exe

NTFS ADS 1 IoCs

Processes:

ea6a6d5981a0525a7179cccbd9a49cf4a8e76a03d092ac61ff7892da7e822110.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\autorun.inf	ea6a6d5981a0525a7179cccbd9a49cf4a8e76a03d092ac61ff7892da7e822110.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

ea6a6d5981a0525a7179cccbd9a49cf4a8e76a03d092ac61ff7892da7e822110.exe

pid process

4484 ea6a6d5981a0525a7179cccbd9a49cf4a8e76a03d092ac61ff7892da7e822110.exe

pid	process
4484	ea6a6d5981a0525a7179cccbd9a49cf4a8e76a03d092ac61ff7892da7e822110.exe

C:\Users\Admin\AppData\Local\Temp\ea6a6d5981a0525a7179cccbd9a49cf4a8e76a03d092ac61ff7892da7e822110.exe
"C:\Users\Admin\AppData\Local\Temp\ea6a6d5981a0525a7179cccbd9a49cf4a8e76a03d092ac61ff7892da7e822110.exe"
1⤵
- Adds Run key to start application
- Drops autorun.inf file
- Drops file in Program Files directory
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:4484

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4484-132-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4484-135-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads