8fdd4b8a3ea22c650a0b83273db6155d3e5016e8d425c4df032b9deeb367fa55

Analysis

max time kernel
150s
max time network
129s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29/12/2023, 22:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0519ff34bb7dcaa2ee9573044007b9d3.exe
Size

1.6MB
MD5

0519ff34bb7dcaa2ee9573044007b9d3
SHA1

814ac48ef3713644020286dbaa3f8c1fde9eefd0
SHA256

8fdd4b8a3ea22c650a0b83273db6155d3e5016e8d425c4df032b9deeb367fa55
SHA512

d810396099683e0a282779365b72aaed4cc53ff7c69f63b4eaf830cf89e8cf8c21aab87a71bdebe6d9f5e5f98dced0ce8eb2554c4c6f58af5da3c32597cd0f91
SSDEEP

12288:NX9XK3Y4GxrPX+pd167QhE0s7+jM+M6ugRfMMkIM7ovX+pd167QhE0u7+Bb:NX9XUqE6Ehg7mM+M6RkMkIM7gE6Eh67Y

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"	0519ff34bb7dcaa2ee9573044007b9d3.exe

Drops autorun.inf file 1 TTPs 1 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\autorun.inf	0519ff34bb7dcaa2ee9573044007b9d3.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	0519ff34bb7dcaa2ee9573044007b9d3.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe	0519ff34bb7dcaa2ee9573044007b9d3.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpconfig.exe	0519ff34bb7dcaa2ee9573044007b9d3.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE$	0519ff34bb7dcaa2ee9573044007b9d3.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe$	0519ff34bb7dcaa2ee9573044007b9d3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstack.exe	0519ff34bb7dcaa2ee9573044007b9d3.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	0519ff34bb7dcaa2ee9573044007b9d3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	0519ff34bb7dcaa2ee9573044007b9d3.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	0519ff34bb7dcaa2ee9573044007b9d3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe$	0519ff34bb7dcaa2ee9573044007b9d3.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe	0519ff34bb7dcaa2ee9573044007b9d3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe$	0519ff34bb7dcaa2ee9573044007b9d3.exe
File created	C:\Program Files\Google\Chrome\Application\chrome.exe	0519ff34bb7dcaa2ee9573044007b9d3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	0519ff34bb7dcaa2ee9573044007b9d3.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	0519ff34bb7dcaa2ee9573044007b9d3.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	0519ff34bb7dcaa2ee9573044007b9d3.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe$	0519ff34bb7dcaa2ee9573044007b9d3.exe
File opened for modification	C:\Program Files\Java\jre7\bin\keytool.exe$	0519ff34bb7dcaa2ee9573044007b9d3.exe
File opened for modification	C:\Program Files\Java\jre7\bin\policytool.exe$	0519ff34bb7dcaa2ee9573044007b9d3.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\SETLANG.EXE	0519ff34bb7dcaa2ee9573044007b9d3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\WORDICON.EXE	0519ff34bb7dcaa2ee9573044007b9d3.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe	0519ff34bb7dcaa2ee9573044007b9d3.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe	0519ff34bb7dcaa2ee9573044007b9d3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe$	0519ff34bb7dcaa2ee9573044007b9d3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	0519ff34bb7dcaa2ee9573044007b9d3.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	0519ff34bb7dcaa2ee9573044007b9d3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\A3DUtility.exe$	0519ff34bb7dcaa2ee9573044007b9d3.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\Wkconv.exe	0519ff34bb7dcaa2ee9573044007b9d3.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\GROOVEMN.EXE	0519ff34bb7dcaa2ee9573044007b9d3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe	0519ff34bb7dcaa2ee9573044007b9d3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe	0519ff34bb7dcaa2ee9573044007b9d3.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe	0519ff34bb7dcaa2ee9573044007b9d3.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe$	0519ff34bb7dcaa2ee9573044007b9d3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSOHTMED.EXE	0519ff34bb7dcaa2ee9573044007b9d3.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	0519ff34bb7dcaa2ee9573044007b9d3.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe$	0519ff34bb7dcaa2ee9573044007b9d3.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	0519ff34bb7dcaa2ee9573044007b9d3.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	0519ff34bb7dcaa2ee9573044007b9d3.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	0519ff34bb7dcaa2ee9573044007b9d3.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpshare.exe	0519ff34bb7dcaa2ee9573044007b9d3.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	0519ff34bb7dcaa2ee9573044007b9d3.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\MineSweeper.exe	0519ff34bb7dcaa2ee9573044007b9d3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\excelcnv.exe	0519ff34bb7dcaa2ee9573044007b9d3.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\misc.exe	0519ff34bb7dcaa2ee9573044007b9d3.exe
File created	C:\Program Files\Mozilla Firefox\pingsender.exe	0519ff34bb7dcaa2ee9573044007b9d3.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE	0519ff34bb7dcaa2ee9573044007b9d3.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	0519ff34bb7dcaa2ee9573044007b9d3.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	0519ff34bb7dcaa2ee9573044007b9d3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe$	0519ff34bb7dcaa2ee9573044007b9d3.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe$	0519ff34bb7dcaa2ee9573044007b9d3.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	0519ff34bb7dcaa2ee9573044007b9d3.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\Mahjong.exe$	0519ff34bb7dcaa2ee9573044007b9d3.exe
File opened for modification	C:\Program Files\Mozilla Firefox\updater.exe	0519ff34bb7dcaa2ee9573044007b9d3.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	0519ff34bb7dcaa2ee9573044007b9d3.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	0519ff34bb7dcaa2ee9573044007b9d3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe	0519ff34bb7dcaa2ee9573044007b9d3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	0519ff34bb7dcaa2ee9573044007b9d3.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	0519ff34bb7dcaa2ee9573044007b9d3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe$	0519ff34bb7dcaa2ee9573044007b9d3.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	0519ff34bb7dcaa2ee9573044007b9d3.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ImagingDevices.exe	0519ff34bb7dcaa2ee9573044007b9d3.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe	0519ff34bb7dcaa2ee9573044007b9d3.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe$	0519ff34bb7dcaa2ee9573044007b9d3.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	0519ff34bb7dcaa2ee9573044007b9d3.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\autorun.inf	0519ff34bb7dcaa2ee9573044007b9d3.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2232	0519ff34bb7dcaa2ee9573044007b9d3.exe

C:\Users\Admin\AppData\Local\Temp\0519ff34bb7dcaa2ee9573044007b9d3.exe
"C:\Users\Admin\AppData\Local\Temp\0519ff34bb7dcaa2ee9573044007b9d3.exe"
1⤵
- Adds Run key to start application
- Drops autorun.inf file
- Drops file in Program Files directory
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:2232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\905c0769f9a06c95a24ddf945\patcher.exe$

Filesize
1.6MB

MD5
0519ff34bb7dcaa2ee9573044007b9d3

SHA1
814ac48ef3713644020286dbaa3f8c1fde9eefd0

SHA256
8fdd4b8a3ea22c650a0b83273db6155d3e5016e8d425c4df032b9deeb367fa55

SHA512
d810396099683e0a282779365b72aaed4cc53ff7c69f63b4eaf830cf89e8cf8c21aab87a71bdebe6d9f5e5f98dced0ce8eb2554c4c6f58af5da3c32597cd0f91

Download Submit
memory/2232-0-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2232-1-0x00000000001B0000-0x00000000001B3000-memory.dmp

Filesize
12KB

Download
memory/2232-686-0x00000000001B0000-0x00000000001B3000-memory.dmp

Filesize
12KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads