Analysis
- max time kernel: 153s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06/03/2024, 13:06
Static task: static1
Behavioral task: behavioral1
- Sample: b7788a75fe4ae36b244060c2fb8483bf.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: b7788a75fe4ae36b244060c2fb8483bf.exe
- Resource: win10v2004-20240226-en
General
- Target: b7788a75fe4ae36b244060c2fb8483bf.exe
- Size: 1.4MB
- MD5: b7788a75fe4ae36b244060c2fb8483bf
- SHA1: 595cdb92482659dfa603975787708139a22a08ca
- SHA256: 580dd020234dc9e959f3a6a8fe25a98417851eb4d8a532b82d0f4356d98ed84f
- SHA512: e7541f4ed908d35b55c71cec20b0c0d55d00ef7017058226fe8abbbc136ae0f63fba511137922e12d026c410131eed2bd92c16b0c4f8f6ab2c2585ba77a1a610
- SSDEEP: 24576:KqT9+XaH8b7st1Gnt1JLaewsAjfWvWL0vbVH8b:f1isYhuljuA0vbV
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe" | b7788a75fe4ae36b244060c2fb8483bf.exe
- Drops autorun.inf file (1 TTPs, 1 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Local\Temp\:\autorun.inf | b7788a75fe4ae36b244060c2fb8483bf.exe
- Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File created | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | b7788a75fe4ae36b244060c2fb8483bf.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | b7788a75fe4ae36b244060c2fb8483bf.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jhat.exe | b7788a75fe4ae36b244060c2fb8483bf.exe
File created | C:\Program Files\Java\jre-1.8\bin\javaw.exe | b7788a75fe4ae36b244060c2fb8483bf.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate64.exe$ | b7788a75fe4ae36b244060c2fb8483bf.exe
File created | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe | b7788a75fe4ae36b244060c2fb8483bf.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\kinit.exe | b7788a75fe4ae36b244060c2fb8483bf.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe | b7788a75fe4ae36b244060c2fb8483bf.exe
File opened for modification | C:\Program Files\Windows Media Player\wmprph.exe | b7788a75fe4ae36b244060c2fb8483bf.exe
File created | C:\Program Files\Java\jdk-1.8\bin\ktab.exe | b7788a75fe4ae36b244060c2fb8483bf.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\rmic.exe | b7788a75fe4ae36b244060c2fb8483bf.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javacpl.exe | b7788a75fe4ae36b244060c2fb8483bf.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe$ | b7788a75fe4ae36b244060c2fb8483bf.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe$ | b7788a75fe4ae36b244060c2fb8483bf.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jjs.exe | b7788a75fe4ae36b244060c2fb8483bf.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\unpack200.exe | b7788a75fe4ae36b244060c2fb8483bf.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\SDXHelperBgt.exe | b7788a75fe4ae36b244060c2fb8483bf.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javac.exe | b7788a75fe4ae36b244060c2fb8483bf.exe
File created | C:\Program Files\Java\jre-1.8\bin\java.exe | b7788a75fe4ae36b244060c2fb8483bf.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\klist.exe | b7788a75fe4ae36b244060c2fb8483bf.exe
File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe | b7788a75fe4ae36b244060c2fb8483bf.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe | b7788a75fe4ae36b244060c2fb8483bf.exe
File created | C:\Program Files\Java\jre-1.8\bin\kinit.exe | b7788a75fe4ae36b244060c2fb8483bf.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\SELFCERT.EXE | b7788a75fe4ae36b244060c2fb8483bf.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\DW20.EXE | b7788a75fe4ae36b244060c2fb8483bf.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe$ | b7788a75fe4ae36b244060c2fb8483bf.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe$ | b7788a75fe4ae36b244060c2fb8483bf.exe
File created | C:\Program Files\Microsoft Office\root\Office16\SkypeSrv\SKYPESERVER.EXE | b7788a75fe4ae36b244060c2fb8483bf.exe
File created | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\misc.exe | b7788a75fe4ae36b244060c2fb8483bf.exe
File created | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\osmclienticon.exe | b7788a75fe4ae36b244060c2fb8483bf.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\visicon.exe | b7788a75fe4ae36b244060c2fb8483bf.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe$ | b7788a75fe4ae36b244060c2fb8483bf.exe
File opened for modification | C:\Program Files\dotnet\dotnet.exe$ | b7788a75fe4ae36b244060c2fb8483bf.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe | b7788a75fe4ae36b244060c2fb8483bf.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe | b7788a75fe4ae36b244060c2fb8483bf.exe
File created | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\dbcicons.exe | b7788a75fe4ae36b244060c2fb8483bf.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\osmadminicon.exe$ | b7788a75fe4ae36b244060c2fb8483bf.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pj11icon.exe | b7788a75fe4ae36b244060c2fb8483bf.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-1000-0000000FF1CE}\misc.exe | b7788a75fe4ae36b244060c2fb8483bf.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jjs.exe$ | b7788a75fe4ae36b244060c2fb8483bf.exe
File created | C:\Program Files\Java\jdk-1.8\bin\jstat.exe | b7788a75fe4ae36b244060c2fb8483bf.exe
File created | C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe | b7788a75fe4ae36b244060c2fb8483bf.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\PDFREFLOW.EXE | b7788a75fe4ae36b244060c2fb8483bf.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\dbcicons.exe | b7788a75fe4ae36b244060c2fb8483bf.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\lyncicon.exe | b7788a75fe4ae36b244060c2fb8483bf.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe | b7788a75fe4ae36b244060c2fb8483bf.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java.exe$ | b7788a75fe4ae36b244060c2fb8483bf.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Source Engine\OSE.EXE$ | b7788a75fe4ae36b244060c2fb8483bf.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pptico.exe$ | b7788a75fe4ae36b244060c2fb8483bf.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-1000-0000000FF1CE}\misc.exe | b7788a75fe4ae36b244060c2fb8483bf.exe
File created | C:\Program Files\Java\jdk-1.8\bin\javac.exe | b7788a75fe4ae36b244060c2fb8483bf.exe
File created | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\outicon.exe | b7788a75fe4ae36b244060c2fb8483bf.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.EXE | b7788a75fe4ae36b244060c2fb8483bf.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\ohub32.exe | b7788a75fe4ae36b244060c2fb8483bf.exe
File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe | b7788a75fe4ae36b244060c2fb8483bf.exe
File created | C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE | b7788a75fe4ae36b244060c2fb8483bf.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe | b7788a75fe4ae36b244060c2fb8483bf.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX45.exe | b7788a75fe4ae36b244060c2fb8483bf.exe
File created | C:\Program Files\Microsoft Office\root\Office16\NAMECONTROLSERVER.EXE | b7788a75fe4ae36b244060c2fb8483bf.exe
File created | C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE | b7788a75fe4ae36b244060c2fb8483bf.exe
File created | C:\Program Files\VideoLAN\VLC\uninstall.exe | b7788a75fe4ae36b244060c2fb8483bf.exe
File created | C:\Program Files\Java\jdk-1.8\bin\jdb.exe | b7788a75fe4ae36b244060c2fb8483bf.exe
File created | C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.NetFX40.exe | b7788a75fe4ae36b244060c2fb8483bf.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\vlc.exe | b7788a75fe4ae36b244060c2fb8483bf.exe
- NTFS ADS (1 IoCs)
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Local\Temp\:\autorun.inf | b7788a75fe4ae36b244060c2fb8483bf.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
3564 | b7788a75fe4ae36b244060c2fb8483bf.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\b7788a75fe4ae36b244060c2fb8483bf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b7788a75fe4ae36b244060c2fb8483bf.exe"
  - Adds Run key to start application
  - Drops autorun.inf file
  - Drops file in Program Files directory
  - NTFS ADS
  - Suspicious use of SetWindowsHookEx
  PID: 3564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3940 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
  PID: 2116
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1.4MB
- MD5: b7788a75fe4ae36b244060c2fb8483bf
- SHA1: 595cdb92482659dfa603975787708139a22a08ca
- SHA256: 580dd020234dc9e959f3a6a8fe25a98417851eb4d8a532b82d0f4356d98ed84f
- SHA512: e7541f4ed908d35b55c71cec20b0c0d55d00ef7017058226fe8abbbc136ae0f63fba511137922e12d026c410131eed2bd92c16b0c4f8f6ab2c2585ba77a1a610