1c113027f9021d0c019d96670f9a2b1e0029f7b366a65903004b5a26de8389ab

Analysis

max time kernel
147s
max time network
146s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
30-12-2023 04:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e5b965c6520414905586ca153e370eb.exe
Size

2.1MB
MD5

0e5b965c6520414905586ca153e370eb
SHA1

75bf60221ce889eab08a742a0ea0560ae5405eb9
SHA256

1c113027f9021d0c019d96670f9a2b1e0029f7b366a65903004b5a26de8389ab
SHA512

4b45a34e4783d3326bdcf1fcff1a12d996e2c372c9bcb835e5e59af8eb28625f9cfc02c8aade5c8b3527a53d15a2ff187cd5e728c0da380365519757f97b7df4
SSDEEP

49152:eu5TrRo3u5TrRo3u5TrRo3u5TrRop6/iv:dTrRoGTrRoGTrRoGTrRop6/

Score

6^/10

persistence

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe"	0e5b965c6520414905586ca153e370eb.exe

Drops autorun.inf file 1 TTPs 1 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\autorun.inf	0e5b965c6520414905586ca153e370eb.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe$	0e5b965c6520414905586ca153e370eb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe$	0e5b965c6520414905586ca153e370eb.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jabswitch.exe	0e5b965c6520414905586ca153e370eb.exe
File created	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	0e5b965c6520414905586ca153e370eb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSQRY32.EXE$	0e5b965c6520414905586ca153e370eb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe$	0e5b965c6520414905586ca153e370eb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\CLVIEW.EXE$	0e5b965c6520414905586ca153e370eb.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe$	0e5b965c6520414905586ca153e370eb.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	0e5b965c6520414905586ca153e370eb.exe
File created	C:\Program Files\Java\jre7\bin\jabswitch.exe	0e5b965c6520414905586ca153e370eb.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2launcher.exe$	0e5b965c6520414905586ca153e370eb.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe$	0e5b965c6520414905586ca153e370eb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe$	0e5b965c6520414905586ca153e370eb.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	0e5b965c6520414905586ca153e370eb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe$	0e5b965c6520414905586ca153e370eb.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe$	0e5b965c6520414905586ca153e370eb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\orbd.exe	0e5b965c6520414905586ca153e370eb.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe	0e5b965c6520414905586ca153e370eb.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\GRAPH.EXE	0e5b965c6520414905586ca153e370eb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSTORE.EXE	0e5b965c6520414905586ca153e370eb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	0e5b965c6520414905586ca153e370eb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe	0e5b965c6520414905586ca153e370eb.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	0e5b965c6520414905586ca153e370eb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe	0e5b965c6520414905586ca153e370eb.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	0e5b965c6520414905586ca153e370eb.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	0e5b965c6520414905586ca153e370eb.exe
File created	C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe	0e5b965c6520414905586ca153e370eb.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe$	0e5b965c6520414905586ca153e370eb.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.EXE	0e5b965c6520414905586ca153e370eb.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\MSOUC.EXE	0e5b965c6520414905586ca153e370eb.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe$	0e5b965c6520414905586ca153e370eb.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe$	0e5b965c6520414905586ca153e370eb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\XLICONS.EXE$	0e5b965c6520414905586ca153e370eb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\ACCICONS.EXE$	0e5b965c6520414905586ca153e370eb.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\WORDICON.EXE	0e5b965c6520414905586ca153e370eb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe$	0e5b965c6520414905586ca153e370eb.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	0e5b965c6520414905586ca153e370eb.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe	0e5b965c6520414905586ca153e370eb.exe
File created	C:\Program Files\Java\jre7\bin\kinit.exe	0e5b965c6520414905586ca153e370eb.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	0e5b965c6520414905586ca153e370eb.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	0e5b965c6520414905586ca153e370eb.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\vsta_ep32.exe	0e5b965c6520414905586ca153e370eb.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	0e5b965c6520414905586ca153e370eb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe$	0e5b965c6520414905586ca153e370eb.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe	0e5b965c6520414905586ca153e370eb.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe	0e5b965c6520414905586ca153e370eb.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOICONS.EXE	0e5b965c6520414905586ca153e370eb.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	0e5b965c6520414905586ca153e370eb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java-rmi.exe$	0e5b965c6520414905586ca153e370eb.exe
File created	C:\Program Files\Java\jre7\bin\unpack200.exe	0e5b965c6520414905586ca153e370eb.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\PurblePlace.exe$	0e5b965c6520414905586ca153e370eb.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	0e5b965c6520414905586ca153e370eb.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe	0e5b965c6520414905586ca153e370eb.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler64.exe$	0e5b965c6520414905586ca153e370eb.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe	0e5b965c6520414905586ca153e370eb.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe$	0e5b965c6520414905586ca153e370eb.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe	0e5b965c6520414905586ca153e370eb.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	0e5b965c6520414905586ca153e370eb.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	0e5b965c6520414905586ca153e370eb.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	0e5b965c6520414905586ca153e370eb.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.exe	0e5b965c6520414905586ca153e370eb.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\SmartTagInstall.exe$	0e5b965c6520414905586ca153e370eb.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe	0e5b965c6520414905586ca153e370eb.exe
File created	C:\Program Files (x86)\Google\Update\Install\{FC7689B6-53F5-40C8-A6C9-065A975C439E}\chrome_installer.exe	0e5b965c6520414905586ca153e370eb.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\:\autorun.inf	0e5b965c6520414905586ca153e370eb.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2168	0e5b965c6520414905586ca153e370eb.exe

C:\Users\Admin\AppData\Local\Temp\0e5b965c6520414905586ca153e370eb.exe
"C:\Users\Admin\AppData\Local\Temp\0e5b965c6520414905586ca153e370eb.exe"
1⤵
- Adds Run key to start application
- Drops autorun.inf file
- Drops file in Program Files directory
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\905c0769f9a06c95a24ddf945\patcher.exe$

Filesize
2.1MB

MD5
0e5b965c6520414905586ca153e370eb

SHA1
75bf60221ce889eab08a742a0ea0560ae5405eb9

SHA256
1c113027f9021d0c019d96670f9a2b1e0029f7b366a65903004b5a26de8389ab

SHA512
4b45a34e4783d3326bdcf1fcff1a12d996e2c372c9bcb835e5e59af8eb28625f9cfc02c8aade5c8b3527a53d15a2ff187cd5e728c0da380365519757f97b7df4

Download Submit
memory/2168-0-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads