9069e06079e1e69fe4462096859bbd6feb1fc7e2803c285bf7a3498382f93095

Analysis

max time kernel
118s
max time network
124s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19-02-2024 18:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Patch.exe
Size

62KB
MD5

ce05447157c7ef90eba3fd8f964de822
SHA1

f034960560285c2b5d563a615263baa44b49d670
SHA256

9069e06079e1e69fe4462096859bbd6feb1fc7e2803c285bf7a3498382f93095
SHA512

60820fbdd9d8f726e15d33b71b6873779ac649401cd6854f5dc42c27d257dd467bc33dd224883a7c8e9e3801fe443f0dde98890f1468891cbc405a42b9e0e7b3
SSDEEP

768:c+t/ubBf3GmGicaRNGAirs5q75rE+69KrYU0Np8AQK9U/AGR8CF9GEhAVsYGK:19uhWjicw41h+KrYJ8pK9U4GHKOYGK

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
3032	Patch.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 38 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Patch.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Patch.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Patch.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	Patch.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	Patch.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Patch.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_Classes\Local Settings	Patch.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	Patch.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Patch.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	Patch.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	Patch.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Patch.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	Patch.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	Patch.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Patch.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Patch.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Patch.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"	Patch.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	Patch.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	Patch.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Patch.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Patch.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	Patch.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Patch.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	Patch.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4a0031000000000053585c94102054656d700000360008000400efbe8f57b26853585c942a000000ff010000000002000000000000000000000000000000540065006d007000000014000000	Patch.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	Patch.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Patch.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Patch.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Patch.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Patch.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Patch.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Patch.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Patch.exe
Key created	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Patch.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 7e0074001c004346534616003100000000008f57b268122041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f3c0008000400efbe8f57b2688f57b2682a000000eb0100000000020000000000000000000000000000004100700070004400610074006100000042000000	Patch.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 4c003100000000008f57ea6a10204c6f63616c00380008000400efbe8f57b2688f57ea6a2a000000fe0100000000020000000000000000000000000000004c006f00630061006c00000014000000	Patch.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000	Patch.exe

Runs .reg file with regedit 1 IoCs

pid	Process
2728	regedit.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2904	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2904	taskmgr.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe

Suspicious use of SendNotifyMessage 33 IoCs

pid	Process
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe
2904	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3032	Patch.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 2728	3032	Patch.exe	30
PID 3032 wrote to memory of 2728	3032	Patch.exe	30
PID 3032 wrote to memory of 2728	3032	Patch.exe	30
PID 3032 wrote to memory of 2728	3032	Patch.exe	30

C:\Users\Admin\AppData\Local\Temp\Patch.exe
"C:\Users\Admin\AppData\Local\Temp\Patch.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\SysWOW64\regedit.exe
  "C:\Windows\System32\regedit.exe" /s "C:\Users\Admin\AppData\Local\Temp\\regpatch.reg"
  2⤵
  - Runs .reg file with regedit
  PID:2728

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2032

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\regpatch.reg

Filesize
145B

MD5
ab0aca0a5ec7e5e766429c82c6770d7b

SHA1
444ebfbda472e8c033210b0ad3b3f29789b9e6cc

SHA256
1a255ceaf295feb9997e800c55f5c9f8af62505d50d9bb804b870e896a9dbc10

SHA512
897e97440d751012f6e93532135e81fb4005f009a3b62d1597ff6baa09aea8baeb32e713114b0800b879575c23bbdedf7c25f905df754cf57213d4ae51e1f9db

Download Submit
\Users\Admin\AppData\Local\Temp\dup2patcher.dll

Filesize
56KB

MD5
34887489d2c8963dcb4ea6baf78f4254

SHA1
5821fcfe7ebafac3d569e6da18720fe0619ea162

SHA256
4ef87c43607bb2c8d9dd813e91a2c8867ad50f0166a12da853d16c2df913182b

SHA512
c0f1a3182cd9373a7bb0d12470d6668fdfc799436986172885aaf1040ee878878b7f799f8c4424e92fc610f21833f0022a858e123b29de7d669e21542c9b02dc

Download Submit
memory/2904-9-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2904-10-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/3032-3-0x00000000753C0000-0x00000000753E6000-memory.dmp

Filesize
152KB

Download
memory/3032-6-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/3032-7-0x0000000005080000-0x0000000005082000-memory.dmp

Filesize
8KB

Download