Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
26-03-2024 09:13
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
decdb0792dc19680eb2ae0b6c5a57f36.exe
Resource
win7-20240221-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
decdb0792dc19680eb2ae0b6c5a57f36.exe
Resource
win10v2004-20240319-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
decdb0792dc19680eb2ae0b6c5a57f36.exe
-
Size
571KB
-
MD5
decdb0792dc19680eb2ae0b6c5a57f36
-
SHA1
6a39fe6622fbc6647e8199038a42348b782db0ea
-
SHA256
b70101421d4e552f3641bea7257496edae2e5b27eed082fbdd37ab0747f2ecc6
-
SHA512
ac798e93eb002b4c9d7630aa3c63a7e30525e1e089e4e81d820d0b255375c02a9c9ffa092e8a541dc02f1d6144058b477348bf9403988a2a1c9a363f4ad09dc2
-
SSDEEP
12288:N880N2Ymmt0LDXoNIzfday0rUjk5ymOcB+pwPprnv:N8RwoSz1ay0rUKLOsDFnv
Score
7/10
Malware Config
Signatures
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WinFirewall = "C:\\905c0769f9a06c95a24ddf945\\patcher.exe" decdb0792dc19680eb2ae0b6c5a57f36.exe -
Drops autorun.inf file 1 TTPs 1 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification C:\Users\Admin\AppData\Local\Temp\:\autorun.inf decdb0792dc19680eb2ae0b6c5a57f36.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\wbem\WmiPrvSE.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\SysWOW64\at.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\SysWOW64\cmstp.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\SysWOW64\expand.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\SysWOW64\mcbuilder.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\SysWOW64\osk.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\SysWOW64\IME\IMEJP10\IMJPDSVR.EXE decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\SysWOW64\migwiz\mighost.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\SysWOW64\migwiz\MigSetup.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\SysWOW64\autofmt.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\SysWOW64\dnscacheugc.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\SysWOW64\findstr.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\SysWOW64\InfDefaultInstall.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\SysWOW64\wbem\WMIADAP.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\SysWOW64\fontview.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\SysWOW64\com\MigRegDB.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\SysWOW64\IME\IMEJP10\IMJPDCT.EXE decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\SysWOW64\IME\IMEJP10\imjpuexc.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\SysWOW64\fixmapi.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\SysWOW64\mobsync.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\SysWOW64\NAPSTAT.EXE decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\SysWOW64\control.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\SysWOW64\DeviceProperties.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\SysWOW64\DWWIN.EXE decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\SysWOW64\efsui.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\SysWOW64\grpconv.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\SysWOW64\ocsetup.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\SysWOW64\ARP.EXE decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\SysWOW64\cliconfg.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\SysWOW64\dfrgui.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\SysWOW64\ipconfig.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\SysWOW64\iscsicli.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\SysWOW64\msinfo32.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\SysWOW64\notepad.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\SysWOW64\ctfmon.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\SysWOW64\esentutl.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\SysWOW64\HOSTNAME.EXE decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\SysWOW64\perfmon.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\SysWOW64\dialer.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\SysWOW64\msra.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\SysWOW64\migwiz\migwiz.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\SysWOW64\choice.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\SysWOW64\dpapimig.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\SysWOW64\icacls.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\SysWOW64\logagent.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\SysWOW64\Netplwiz.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\SysWOW64\cscript.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\SysWOW64\DpiScaling.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\SysWOW64\eudcedit.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\SysWOW64\LocationNotifications.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\SysWOW64\netsh.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\SysWOW64\openfiles.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\SysWOW64\cmdl32.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\SysWOW64\dpnsvr.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\SysWOW64\Dism.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\SysWOW64\IME\shared\IMEPADSV.EXE decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\SysWOW64\migwiz\PostMig.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\SysWOW64\calc.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\SysWOW64\clip.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\SysWOW64\comp.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\SysWOW64\cttune.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\SysWOW64\cttunesvr.exe decdb0792dc19680eb2ae0b6c5a57f36.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files (x86)\Microsoft Office\Office14\CLVIEW.EXE decdb0792dc19680eb2ae0b6c5a57f36.exe File created C:\Program Files\7-Zip\7zG.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe$ decdb0792dc19680eb2ae0b6c5a57f36.exe File created C:\Program Files\Java\jdk1.7.0_80\bin\java.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe$ decdb0792dc19680eb2ae0b6c5a57f36.exe File created C:\Program Files\Microsoft Games\FreeCell\FreeCell.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroBroker.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Program Files (x86)\Google\Update\Install\{D9005A2B-BC2A-4153-8911-AE3B3F543790}\chrome_installer.exe$ decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe$ decdb0792dc19680eb2ae0b6c5a57f36.exe File created C:\Program Files\Java\jre7\bin\tnameserv.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Program Files\Mozilla Firefox\crashreporter.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe$ decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE$ decdb0792dc19680eb2ae0b6c5a57f36.exe File created C:\Program Files\7-Zip\7z.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File created C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Program Files\Java\jre7\bin\javaw.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\IEContentService.exe$ decdb0792dc19680eb2ae0b6c5a57f36.exe File created C:\Program Files (x86)\Microsoft Office\Office14\INFOPATH.EXE decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.EXE$ decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Program Files\Java\jre7\bin\servertool.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Program Files\Java\jre7\bin\ssvagent.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File created C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Program Files (x86)\Internet Explorer\ExtExport.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File created C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File created C:\Program Files\Java\jre7\bin\rmiregistry.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File created C:\Program Files (x86)\Microsoft Office\Office14\PPTICO.EXE decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSTORDB.EXE decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe$ decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Program Files\Internet Explorer\iexplore.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Program Files\Java\jre7\bin\javaws.exe$ decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeUpdaterInstallMgr.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe$ decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\apt.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File created C:\Program Files (x86)\Microsoft Office\Office14\CNFNOT32.EXE decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE$ decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe$ decdb0792dc19680eb2ae0b6c5a57f36.exe File created C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PPTICO.EXE decdb0792dc19680eb2ae0b6c5a57f36.exe File created C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Program Files\7-Zip\Uninstall.exe$ decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe$ decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe$ decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe$ decdb0792dc19680eb2ae0b6c5a57f36.exe File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Program Files\Java\jre7\bin\pack200.exe$ decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PPTICO.EXE$ decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Program Files\Java\jre7\bin\pack200.exe decdb0792dc19680eb2ae0b6c5a57f36.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe$ decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\Setup.exe$ decdb0792dc19680eb2ae0b6c5a57f36.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInUtil.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe$ decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\WsatConfig\36ca2928b2191011831ab673861c6ac6\WsatConfig.ni.exe$ decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe$ decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\assembly\GAC_64\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\ehExtHost\ad37b6e3a1cb1081592f1c5797ae9dad\ehExtHost.ni.exe$ decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v3.5\WFServicesReg.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\dfsvc\2c3e7fda8de40e45e7f5e004094dc7c9\dfsvc.ni.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe$ decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe$ decdb0792dc19680eb2ae0b6c5a57f36.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe$ decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\Microsoft.NET\NETFXRepair.exe$ decdb0792dc19680eb2ae0b6c5a57f36.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_64\SMSvcHost\04d794428d635f6a82ac57dd3d6f3628\SMSvcHost.ni.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_64\WsatConfig\9683999d889dc0b8782c782e2fc1aee5\WsatConfig.ni.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\Installer\{90140000-0011-0000-0000-0000000FF1CE}\cagicon.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\PresentationFontCac#\b3ade8d5c0d4bb5d4940bcafd3453642\PresentationFontCache.ni.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\ehome\ehtray.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\Microsoft.NET\NETFXRepair.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe$ decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\SetupUtility.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\Narrator\4cc02fad33053737088d4c18267ca0a0\Narrator.ni.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.W71daf281#\df459c0a2762c33e0699703f186b1751\Microsoft.Workflow.Compiler.ni.exe$ decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\IEExec.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe$ decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ComSvcConfig.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v3.5\AddInUtil.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe$ decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\ehome\ehshell.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File created C:\Windows\assembly\GAC_MSIL\dfsvc\2.0.0.0__b03f5f7f11d50a3a\dfsvc.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File created C:\Windows\assembly\NativeImages_v2.0.50727_32\WsatConfig\96a8bdafba9f9d3e33cd974bfaa67e58\WsatConfig.ni.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\assembly\NativeImages_v4.0.30319_32\dfsvc\261c09179eae03d67c9b6f3e70b603bd\dfsvc.ni.exe$ decdb0792dc19680eb2ae0b6c5a57f36.exe File created C:\Windows\assembly\NativeImages_v4.0.30319_32\WsatConfig\537950d9c71af966e1d8c9deb550f842\WsatConfig.ni.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\WsatConfig.exe$ decdb0792dc19680eb2ae0b6c5a57f36.exe File created C:\Windows\assembly\GAC_32\MSBuild\3.5.0.0__b03f5f7f11d50a3a\MSBuild.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\MSBuild\1a154709cdfe214029ea88c51ab2b579\MSBuild.ni.exe$ decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe$ decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe$ decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_32\MSBuild\af28543d9b3e7d9f110448ecce53cd72\MSBuild.ni.exe$ decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\assembly\NativeImages_v2.0.50727_64\Narrator\4cc02fad33053737088d4c18267ca0a0\Narrator.ni.exe$ decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regbrowsers.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File created C:\Windows\assembly\GAC_MSIL\ehexthost\6.1.0.0__31bf3856ad364e35\ehexthost.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe$ decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\WsatConfig.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe$ decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v3.5\EdmGen.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe decdb0792dc19680eb2ae0b6c5a57f36.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe decdb0792dc19680eb2ae0b6c5a57f36.exe -
NTFS ADS 1 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Local\Temp\:\autorun.inf decdb0792dc19680eb2ae0b6c5a57f36.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2980 decdb0792dc19680eb2ae0b6c5a57f36.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\decdb0792dc19680eb2ae0b6c5a57f36.exe"C:\Users\Admin\AppData\Local\Temp\decdb0792dc19680eb2ae0b6c5a57f36.exe"1⤵
- Adds Run key to start application
- Drops autorun.inf file
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:2980
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.1MB
MD50381483dc66d35d5e3a3624833a0ea33
SHA1d822c94bdb4653c2a0ade2ace56d9452a5949af6
SHA2560b9a7fc5d09451eb365463262be8cd702a3839d3c2917f02c2a4ecfc0b4e1dc9
SHA51258912d8f4e06acb30acd421319495507d539f90d0fb56692a97a865a6c5343417d37adbfa40509ab33eb4ac56c82ff5e7f818ef7db62d35a208fc13cbb68245e